Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. This weekend we were informed of an issue with the Sysinternals tool Process Explorer and VirusTotal: the integration no longer worked. So this weekend we have Sunday, the 20th of December 2020. And when I start Process Explorer, I go to Options, VirusTotal, Check VirusTotal. Then the hashes of all these samples are submitted. And as you can see, for all the hashes it returns unknown, while this is a default install of Windows 10, so most of these executables should be known.

So now I'm going to show you with Fiddler how I looked deeper into this. I start Fiddler, I start Process Explorer. Going here to the VMware Tools daemon exe. Right-clicking, Check VirusTotal, hash submitted. The query will appear here. Unknown. And here we have the query to VirusTotal, partners, Sysinternals. Double-click. Here you have the JSON request with the hash, the SHA1. And here the JSON answer. It's not found, this hash is not found. While if we look this hash up directly in VirusTotal, this SHA1 hash, then of course it is found.

So this is how I set up my virtual machine so that I would be able to inspect the HTTPS requests of Process Explorer. You cannot just use Wireshark, because then you will see the encrypted communication, and you want the clear text communication. So you can do that with an intercepting proxy like Fiddler. So I do the installation of Fiddler, I start Fiddler. Then here in Tools, Options, I go to HTTPS and I enable decryption. So I agree. I agree to install the root certificate. That's what I'm doing here, and it has been added. Now if we also look into Options, Connections, you can see that Fiddler is listening on port 8888. And so Fiddler is doing this interception for WinINet. Now if you would try to run Process Explorer and intercept, you would not see anything. And that's because Process Explorer is not using WinINet but WinHTTP.

So we need to set up the WinHTTP proxy to point to Fiddler. So I'm running a command line as administrator: netsh winhttp set proxy 127.0.0.1:8888. Like this. Then I can take Process Explorer here. Let's start Process Explorer. Here we are. I take Fiddler. I press Ctrl+X here to clear everything. And then here, Check VirusTotal. Yes, we agree. Hash submitted, unknown, and so here we have our request.