Analysis

  • max time kernel
    1s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 03:26 UTC

General

  • Target

    2654d11f2d3ce974e432ad1c84bcd1f7.exe

  • Size

    4.5MB

  • MD5

    2654d11f2d3ce974e432ad1c84bcd1f7

  • SHA1

    053efdc46790dd1b49e93863df59c83c39342c8f

  • SHA256

    df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

  • SHA512

    8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

  • SSDEEP

    98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 15 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
    "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
    1⤵
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
        "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
        2⤵
          PID:3192
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:3620
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /51-51
              3⤵
                PID:3704
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:2892
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                    PID:4292
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              1⤵
              • Modifies Windows Firewall
              PID:2396

            Network

            • flag-us
              DNS
              146.78.124.51.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              146.78.124.51.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              146.78.124.51.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              146.78.124.51.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              146.78.124.51.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              146.78.124.51.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              194.178.17.96.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              194.178.17.96.in-addr.arpa
              IN PTR
              Response
              194.178.17.96.in-addr.arpa
              IN PTR
              a96-17-178-194.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              194.178.17.96.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              194.178.17.96.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              22.177.190.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              22.177.190.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              22.177.190.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              22.177.190.20.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              humisnee.com
              Remote address:
              8.8.8.8:53
              Request
              humisnee.com
              IN A
              Response
              humisnee.com
              IN A
              37.48.65.150
            • flag-us
              DNS
              humisnee.com
              Remote address:
              8.8.8.8:53
              Request
              humisnee.com
              IN A
            • flag-us
              DNS
              241.154.82.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              241.154.82.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              apps.identrust.com
              Remote address:
              8.8.8.8:53
              Request
              apps.identrust.com
              IN A
              Response
              apps.identrust.com
              IN CNAME
              identrust.edgesuite.net
              identrust.edgesuite.net
              IN CNAME
              a1952.dscq.akamai.net
              a1952.dscq.akamai.net
              IN A
              96.17.179.184
              a1952.dscq.akamai.net
              IN A
              96.17.179.205
            • flag-gb
              GET
              http://apps.identrust.com/roots/dstrootcax3.p7c
              Remote address:
              96.17.179.184:80
              Request
              GET /roots/dstrootcax3.p7c HTTP/1.1
              Connection: Keep-Alive
              Accept: */*
              User-Agent: Microsoft-CryptoAPI/10.0
              Host: apps.identrust.com
              Response
              HTTP/1.1 200 OK
              X-XSS-Protection: 1; mode=block
              X-Frame-Options: SAMEORIGIN
              X-Content-Type-Options: nosniff
              X-Robots-Tag: noindex
              Referrer-Policy: same-origin
              Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
              ETag: "37d-6079b8c0929c0"
              Accept-Ranges: bytes
              Content-Length: 893
              X-Content-Type-Options: nosniff
              X-Frame-Options: sameorigin
              Content-Type: application/pkcs7-mime
              Cache-Control: max-age=3600
              Expires: Tue, 02 Jan 2024 03:27:43 GMT
              Date: Tue, 02 Jan 2024 02:27:43 GMT
              Connection: keep-alive
            • flag-us
              DNS
              150.65.48.37.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              150.65.48.37.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              55.36.223.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              55.36.223.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              55.36.223.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              55.36.223.20.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              184.179.17.96.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              184.179.17.96.in-addr.arpa
              IN PTR
              Response
              184.179.17.96.in-addr.arpa
              IN PTR
              a96-17-179-184.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              184.179.17.96.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              184.179.17.96.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              26.165.165.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              26.165.165.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              survey-smiles.com
              Remote address:
              8.8.8.8:53
              Request
              survey-smiles.com
              IN A
              Response
              survey-smiles.com
              IN A
              199.59.243.225
            • flag-us
              GET
              http://survey-smiles.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: survey-smiles.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/x-www-form-urlencoded
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:43 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 07af5ee8-f46f-42cf-b5dd-457a664f0aeb
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
              set-cookie: parking_session=07af5ee8-f46f-42cf-b5dd-457a664f0aeb; expires=Tue, 02 Jan 2024 02:42:43 GMT; path=/
            • flag-us
              DNS
              2.136.104.51.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              2.136.104.51.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              ninhaine.com
              Remote address:
              8.8.8.8:53
              Request
              ninhaine.com
              IN TXT
              Response
            • flag-us
              DNS
              2makestorage.com
              Remote address:
              8.8.8.8:53
              Request
              2makestorage.com
              IN TXT
              Response
            • flag-us
              DNS
              nisdably.com
              Remote address:
              8.8.8.8:53
              Request
              nisdably.com
              IN TXT
              Response
              nisdably.com
              IN TXT
              .v=spf1 include:_incspfcheck.mailspike.net ?all
            • flag-us
              DNS
              nisdably.com
              Remote address:
              8.8.8.8:53
              Request
              nisdably.com
              IN TXT
            • flag-us
              DNS
              41.110.16.96.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              41.110.16.96.in-addr.arpa
              IN PTR
              Response
              41.110.16.96.in-addr.arpa
              IN PTR
              a96-16-110-41.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              fd2f3862-809e-4ce5-9f57-266912bfab68.ninhaine.com
              Remote address:
              8.8.8.8:53
              Request
              fd2f3862-809e-4ce5-9f57-266912bfab68.ninhaine.com
              IN TXT
              Response
            • flag-us
              DNS
              server5.ninhaine.com
              Remote address:
              8.8.8.8:53
              Request
              server5.ninhaine.com
              IN A
              Response
              server5.ninhaine.com
              IN A
              46.8.8.100
            • flag-us
              DNS
              100.8.8.46.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              100.8.8.46.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              ww82.ninhaine.com
              Remote address:
              8.8.8.8:53
              Request
              ww82.ninhaine.com
              IN A
              Response
              ww82.ninhaine.com
              IN CNAME
              63214.bodis.com
              63214.bodis.com
              IN A
              199.59.243.225
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:53 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 1e059022-aba2-4635-a4a2-84f6da0ccb87
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PWYaEjx1WLab74ULRf6Jk7/LR73s9JiUTVCBBaovLQ9NfKj4K53i5rfcUyBtNPKTbRb0vLBnSDmDHwZzWPyBTA==
              set-cookie: parking_session=1e059022-aba2-4635-a4a2-84f6da0ccb87; expires=Tue, 02 Jan 2024 02:42:53 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/x-www-form-urlencoded
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:53 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 8e5ac4e4-ac65-48c9-b9d4-7b1a4dcb0407
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
              set-cookie: parking_session=8e5ac4e4-ac65-48c9-b9d4-7b1a4dcb0407; expires=Tue, 02 Jan 2024 02:42:54 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:54 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 1f92f8d8-a88c-4194-af7a-679b60193405
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TDUdjfcxWl1FURLsvHoCBIoMp0OiyVALDBAlfrAwyJXHVUgRMl0wLRom46EO2ktAXItbS7oXeLAaWIfL5tOKUA==
              set-cookie: parking_session=1f92f8d8-a88c-4194-af7a-679b60193405; expires=Tue, 02 Jan 2024 02:42:54 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:55 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: cdb9f3c4-c997-4c38-b530-fcd945edf9c7
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_htDALpAU8ATBQQbBTuEUy44ePN8i14k7e70foW+XnsyNOWQ0iMYtMW7o209pSdcxn3wsBlX8Ue5Rz0otAqVfnQ==
              set-cookie: parking_session=cdb9f3c4-c997-4c38-b530-fcd945edf9c7; expires=Tue, 02 Jan 2024 02:42:55 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:58 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 63577743-e456-4896-b673-4203e463b0e4
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qGFGLRGCnJeqnntvS+yDMnQrbEfxyuJYPJKjOq82vqwlN5KmZ5DefutFYlyhBEcjcW2lCuf9AyV+GfLTq7ZL7g==
              set-cookie: parking_session=63577743-e456-4896-b673-4203e463b0e4; expires=Tue, 02 Jan 2024 02:42:58 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/x-www-form-urlencoded
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:59 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 1c401e29-17e3-4bf5-99b9-d5b6f3060c83
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
              set-cookie: parking_session=1c401e29-17e3-4bf5-99b9-d5b6f3060c83; expires=Tue, 02 Jan 2024 02:42:59 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/json; charset=UTF-8
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:48 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: b91d2b4f-6018-4543-89f2-6e5915ee5a1b
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
              set-cookie: parking_session=b91d2b4f-6018-4543-89f2-6e5915ee5a1b; expires=Tue, 02 Jan 2024 02:42:48 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/x-www-form-urlencoded
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:48 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: 15dc2279-b3e1-4bbf-a423-dc980cca143d
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
              set-cookie: parking_session=15dc2279-b3e1-4bbf-a423-dc980cca143d; expires=Tue, 02 Jan 2024 02:42:48 GMT; path=/
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Go-http-client/1.1
              Content-Type: application/x-www-form-urlencoded
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:27:48 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: ef116547-0865-4f4d-93a2-92400d9a2c7c
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
              set-cookie: parking_session=ef116547-0865-4f4d-93a2-92400d9a2c7c; expires=Tue, 02 Jan 2024 02:42:49 GMT; path=/
            • flag-us
              DNS
              9.228.82.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              9.228.82.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              spolaect.info
              Remote address:
              8.8.8.8:53
              Request
              spolaect.info
              IN A
              Response
            • flag-us
              DNS
              171.39.242.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              171.39.242.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              18.134.221.88.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              18.134.221.88.in-addr.arpa
              IN PTR
              Response
              18.134.221.88.in-addr.arpa
              IN PTR
              a88-221-134-18.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              240.221.184.93.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              240.221.184.93.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              240.221.184.93.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              240.221.184.93.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              11.227.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              11.227.111.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              11.227.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              11.227.111.52.in-addr.arpa
              IN PTR
            • flag-us
              GET
              http://ww82.ninhaine.com/
              Remote address:
              199.59.243.225:80
              Request
              GET / HTTP/1.1
              Host: ww82.ninhaine.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.136 YaBrowser/20.2.4.143 Yowser/2.5 Safari/537.36
              Accept-Encoding: gzip
              Response
              HTTP/1.1 200 OK
              date: Tue, 02 Jan 2024 02:29:07 GMT
              content-type: text/html; charset=utf-8
              content-length: 1021
              x-request-id: ced10a91-5c6c-4c0d-98b5-e2858c1ff7fa
              cache-control: no-store, max-age=0
              accept-ch: sec-ch-prefers-color-scheme
              critical-ch: sec-ch-prefers-color-scheme
              vary: sec-ch-prefers-color-scheme
              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_srrWA0ZeLNl4Lt25E2QL9dYWcyFGlmH2l4jeDfHZ/Ql9HpWHHeNnCpHzGoO4TApo9GLHN0QtoWTR/NIoLfGyiA==
              set-cookie: parking_session=ced10a91-5c6c-4c0d-98b5-e2858c1ff7fa; expires=Tue, 02 Jan 2024 02:44:07 GMT; path=/
            • flag-us
              DNS
              tse1.mm.bing.net
              Remote address:
              8.8.8.8:53
              Request
              tse1.mm.bing.net
              IN A
              Response
              tse1.mm.bing.net
              IN CNAME
              mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net
              IN CNAME
              dual-a-0001.a-msedge.net
              dual-a-0001.a-msedge.net
              IN A
              204.79.197.200
              dual-a-0001.a-msedge.net
              IN A
              13.107.21.200
            • flag-us
              DNS
              tse1.mm.bing.net
              Remote address:
              8.8.8.8:53
              Request
              tse1.mm.bing.net
              IN A
              Response
              tse1.mm.bing.net
              IN CNAME
              mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net
              IN CNAME
              dual-a-0001.a-msedge.net
              dual-a-0001.a-msedge.net
              IN A
              204.79.197.200
              dual-a-0001.a-msedge.net
              IN A
              13.107.21.200
            • flag-us
              DNS
              server5.2makestorage.com
              Remote address:
              8.8.8.8:53
              Request
              server5.2makestorage.com
              IN A
              Response
            • flag-us
              DNS
              server5.2makestorage.com
              Remote address:
              8.8.8.8:53
              Request
              server5.2makestorage.com
              IN A
              Response
            • 37.48.65.150:443
              humisnee.com
              tls
              1.6kB
              5.5kB
              16
              10
            • 96.17.179.184:80
              http://apps.identrust.com/roots/dstrootcax3.p7c
              http
              370 B
              1.6kB
              5
              4

              HTTP Request

              GET http://apps.identrust.com/roots/dstrootcax3.p7c

              HTTP Response

              200
            • 199.59.243.225:80
              http://survey-smiles.com/
              http
              429 B
              2.4kB
              6
              5

              HTTP Request

              GET http://survey-smiles.com/

              HTTP Response

              200
            • 96.16.110.41:443
              tls
              1.1kB
              997 B
              7
              6
            • 46.8.8.100:443
              server5.ninhaine.com
              tls
              830 B
              5.0kB
              10
              10
            (columns: destination | host or URL | protocol | bytes sent | bytes received | packets sent | packets received)
            • 46.8.8.100:443 | server5.ninhaine.com | tls | 16.0kB | 7.6kB | 56 | 54
            • 46.8.8.100:443 | server5.ninhaine.com | tls | 830 B | 5.0kB | 10 | 10
            • 199.59.243.225:80 | http://ww82.ninhaine.com/ | http | 2.0kB | 13.7kB | 23 | 26
                HTTP: 6× GET http://ww82.ninhaine.com/ → 200
            • 199.59.243.225:80 | ww82.ninhaine.com | (no protocol shown) | 242 B | 132 B | 5 | 3
            • 199.59.243.225:80 | http://ww82.ninhaine.com/ | http | 991 B | 6.1kB | 12 | 13
                HTTP: 3× GET http://ww82.ninhaine.com/ → 200
            • 46.8.8.100:443 | server5.ninhaine.com | tls | 2.1kB | 5.6kB | 17 | 20
            • 199.59.243.225:80 | http://ww82.ninhaine.com/ | http | 550 B | 2.5kB | 7 | 7
                HTTP: 1× GET http://ww82.ninhaine.com/ → 200
            • 204.79.197.200:443 | tse1.mm.bing.net | tls | 1.5kB | 8.2kB | 17 | 13
            • 204.79.197.200:443 | tse1.mm.bing.net | tls | 1.5kB | 8.2kB | 17 | 13
            • 204.79.197.200:443 | tse1.mm.bing.net | tls | 1.5kB | 8.2kB | 17 | 13
            • 204.79.197.200:443 | tse1.mm.bing.net | tls | 1.2kB | 8.2kB | 15 | 13
            • 204.79.197.200:443 | tse1.mm.bing.net | tls | 52.6kB | 1.4MB | 1047 | 1045
            • 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | dns | 216 B | 158 B | 3 | 1
                DNS: 3 requests; no answer listed
            • 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | dns | 144 B | 137 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | dns | 144 B | 158 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | humisnee.com | dns | 116 B | 74 B | 2 | 1
                DNS: 2 requests; answer 37.48.65.150
            • 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | apps.identrust.com | dns | 64 B | 165 B | 1 | 1
                DNS: 1 request; answers 96.17.179.184, 96.17.179.205
            • 8.8.8.8:53 | 150.65.48.37.in-addr.arpa | dns | 71 B | 134 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | dns | 142 B | 157 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | 184.179.17.96.in-addr.arpa | dns | 144 B | 137 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | dns | 72 B | 146 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | survey-smiles.com | dns | 63 B | 79 B | 1 | 1
                DNS: 1 request; answer 199.59.243.225
            • 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | dns | 71 B | 157 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | ninhaine.com | dns | 58 B | 58 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | 2makestorage.com | dns | 62 B | 135 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | nisdably.com | dns | 116 B | 117 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | dns | 71 B | 135 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | fd2f3862-809e-4ce5-9f57-266912bfab68.ninhaine.com | dns | 95 B | 95 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | server5.ninhaine.com | dns | 66 B | 82 B | 1 | 1
                DNS: 1 request; answer 46.8.8.100
            • 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | dns | 69 B | 129 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | ww82.ninhaine.com | dns | 63 B | 105 B | 1 | 1
                DNS: 1 request; answer 199.59.243.225
            • 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | dns | 70 B | 156 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | spolaect.info | dns | 59 B | 138 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | dns | 72 B | 137 B | 1 | 1
                DNS: 1 request; no answer listed
            • 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | dns | 146 B | 144 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | dns | 144 B | 158 B | 2 | 1
                DNS: 2 requests; no answer listed
            • 8.8.8.8:53 | tse1.mm.bing.net | dns | 124 B | 346 B | 2 | 2
                DNS: 2 requests; 2 answers, each 204.79.197.200, 13.107.21.200
            • 8.8.8.8:53 | server5.2makestorage.com | dns | 140 B | 286 B | 2 | 2
                DNS: 2 requests; no answer listed
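The flow list above is the flattened form of the report's network table. The Python below is an added example, not code from the tria.ge report or from the analysed sample: it parses that one-field-per-line layout into flow records and pulls out what a triager looks for first, identical requests repeated across flows (the bare GET to ww82.ninhaine.com recurs ten times on this page), names that resolved to an address, names queried with no answer listed, and the addresses behind the in-addr.arpa reverse lookups. The sample input is constructed from a few of this page's rows; the kB/MB-to-bytes conversion assumes decimal units, which the report does not state.

```python
# Added example: parse a flattened tria.ge-style network listing and summarise it for triage.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|kB|MB|GB)$")
UNIT = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}   # assumption: decimal units
EVENT_KINDS = {"HTTP Request", "HTTP Response", "DNS Request", "DNS Response"}

# Constructed sample: a few rows of this report in the one-field-per-line layout.
SAMPLE = "\n".join([
    "• 46.8.8.100:443", "server5.ninhaine.com", "tls", "16.0kB", "7.6kB", "56", "54",
    "• 199.59.243.225:80", "http://ww82.ninhaine.com/", "http", "2.0kB", "13.7kB", "23", "26",
    "HTTP Request", "GET http://ww82.ninhaine.com/", "HTTP Response", "200",
    "HTTP Request", "GET http://ww82.ninhaine.com/", "HTTP Response", "200",
    "• 199.59.243.225:80", "ww82.ninhaine.com", "242 B", "132 B", "5", "3",   # no protocol column
    "• 8.8.8.8:53", "server5.ninhaine.com", "dns", "66 B", "82 B", "1", "1",
    "DNS Request", "server5.ninhaine.com", "DNS Response", "46.8.8.100",
    "• 8.8.8.8:53", "ninhaine.com", "dns", "58 B", "58 B", "1", "1", "DNS Request", "ninhaine.com",
    "• 8.8.8.8:53", "146.78.124.51.in-addr.arpa", "dns", "216 B", "158 B", "3", "1",
    "DNS Request", "146.78.124.51.in-addr.arpa",
])


@dataclass
class Flow:
    dest: str                    # "ip:port"
    host: str                    # hostname or URL shown for the flow
    proto: Optional[str]         # tls / http / dns, or None when the report shows none
    sent: int                    # bytes sent
    recv: int                    # bytes received
    pkts_sent: int
    pkts_recv: int
    events: List[Tuple[str, str]] = field(default_factory=list)   # (kind, value)


def parse_size(text: str) -> int:
    num, unit = SIZE_RE.match(text.strip()).groups()   # AttributeError on a malformed field
    return int(round(float(num) * UNIT[unit]))


def _parse_block(lines: List[str]) -> Flow:
    dest, host, i, proto = lines[0], lines[1], 2, None
    if not SIZE_RE.match(lines[2]):          # a protocol column precedes the byte counts
        proto, i = lines[2], 3
    sent, recv = parse_size(lines[i]), parse_size(lines[i + 1])
    pkts_sent, pkts_recv = int(lines[i + 2]), int(lines[i + 3])
    events, kind = [], None
    for item in lines[i + 4:]:
        if item in EVENT_KINDS:
            kind = item                       # following line(s) belong to this event
        elif kind:
            events.append((kind, item))       # a DNS Response may list several addresses
    return Flow(dest, host, proto, sent, recv, pkts_sent, pkts_recv, events)


def parse_listing(text: str) -> List[Flow]:
    flows, block = [], []
    for raw in text.splitlines() + ["•"]:     # sentinel flushes the final block
        line = raw.strip()
        if line.startswith("•"):
            if block:
                flows.append(_parse_block(block))
            block = [line.lstrip("•").strip()]
        elif line:
            block.append(line)
    return flows


def beacons(flows: List[Flow], min_hits: int = 2) -> Dict[str, int]:
    # Identical request lines repeated min_hits or more times: the same bare GET to
    # ww82.ninhaine.com recurs across flows in this report, a check-in worth a rule.
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        for kind, value in f.events:
            if kind == "HTTP Request":
                counts[value] += 1
    return {req: n for req, n in counts.items() if n >= min_hits}


def resolutions(flows: List[Flow]) -> Dict[str, List[str]]:
    # Queried name -> addresses from its DNS Response lines, deduplicated.
    out: Dict[str, List[str]] = {}
    for f in flows:
        for kind, value in f.events:
            if f.proto == "dns" and kind == "DNS Response" and value not in out.setdefault(f.host, []):
                out[f.host].append(value)
    return out


def unanswered(flows: List[Flow]) -> List[str]:
    # DNS Request without a DNS Response line. The report prints a response only when it
    # carries an address, so this means "no answer listed", not proof of NXDOMAIN.
    return sorted({f.host for f in flows if f.proto == "dns"
                   and not any(k == "DNS Response" for k, _ in f.events)})


def ptr_targets(flows: List[Flow]) -> List[str]:
    # Addresses behind in-addr.arpa reverse lookups: the PTR name is the address with its
    # octets reversed, so 146.78.124.51.in-addr.arpa asks about 51.124.78.146.
    tail = ".in-addr.arpa"
    return [".".join(reversed(f.host[:-len(tail)].split(".")))
            for f in flows if f.proto == "dns" and f.host.endswith(tail)]
```

Run over the whole listing, resolutions() gives the address map for the page (server5.ninhaine.com to 46.8.8.100; ww82.ninhaine.com and survey-smiles.com to 199.59.243.225; humisnee.com to 37.48.65.150) and unanswered() the names to check before treating them as dead: ninhaine.com, 2makestorage.com, nisdably.com, spolaect.info, server5.2makestorage.com and the fd2f3862-... subdomain, plus every PTR name. apps.identrust.com (certificate checks) and tse1.mm.bing.net are ordinarily Windows background traffic and should be confirmed as such rather than added to an indicator list.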

            MITRE ATT&CK Enterprise v15

            Downloads

            • memory/2732-1-0x00000000012D0000-0x0000000001711000-memory.dmp  Filesize 4.3MB
            • memory/2732-2-0x0000000001720000-0x0000000002046000-memory.dmp  Filesize 9.1MB
            • memory/2732-3-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/2732-4-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/2732-6-0x0000000001720000-0x0000000002046000-memory.dmp  Filesize 9.1MB
            • memory/3192-7-0x00000000010D0000-0x0000000001510000-memory.dmp  Filesize 4.2MB
            • memory/3192-8-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3192-17-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-19-0x0000000001600000-0x0000000001B00000-memory.dmp  Filesize 5.0MB
            • memory/3704-20-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-21-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-27-0x0000000001600000-0x0000000001B00000-memory.dmp  Filesize 5.0MB
            • memory/3704-28-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-29-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-30-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-31-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-32-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-33-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-34-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-35-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-36-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-37-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-38-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-39-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
            • memory/3704-40-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
