Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/12/2024, 13:58 UTC

General

  • Target

    JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

  • Size

    4.1MB

  • MD5

    008125769572e242cceb203923c0e4b9

  • SHA1

    003bbe8acc6e56f581f60abf2f57fd3a62b9110b

  • SHA256

    b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9

  • SHA512

    26bddc1e4c17a4c327d3b94ae24146a6ed0c9f1e1f87d1fb97fa2bd6cf2b5051edab8f5ffc182cd981aa48414872033f1a854c451ac1149652b34130f56a5d27

  • SSDEEP

    49152:eE+O2B5SstDYqZxVPtpkEwA7Qrnl/tx8+SxZSsAFXhDl23F7LaG/eLHz6fwEpDNU:eEd2+PoZk/AyFxRLzRDQ2SHpIYKCau6

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 19 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2752
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1248
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2960
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of WriteProcessMemory
            PID:1452
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1916
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:836
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1888
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1896
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:908
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1276
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2464
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:3048
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2544
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2556
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1484
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -timeout 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1288
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1088
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1324
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\Sysnative\bcdedit.exe /v
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1664
          • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            4⤵
            • Executes dropped EXE
            PID:1924
          • C:\Windows\system32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:696
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241223135851.log C:\Windows\Logs\CBS\CbsPersist_20241223135851.cab
      1⤵
      • Drops file in Windows directory
      PID:1424

Network

    • Flag: US
      DNS
      76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
      IN TXT
      Response
    • Flag: US
      DNS
      msdl.microsoft.com
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      msdl.microsoft.com
      IN A
      Response
      msdl.microsoft.com
      IN CNAME
      msdl.microsoft.akadns.net
      msdl.microsoft.akadns.net
      IN CNAME
      msdl-microsoft-com.a-0016.a-msedge.net
      msdl-microsoft-com.a-0016.a-msedge.net
      IN CNAME
      a-0016.a-msedge.net
      a-0016.a-msedge.net
      IN A
      204.79.197.219
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 99CBFD55ED644B868E98D2A6A81D799B Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:09Z
      Date: Mon, 23 Dec 2024 13:59:08 GMT
      Content-Length: 0
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      X-Cache: TCP_MISS
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 9182CCD01615475FAC4AB5D393F25A16 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:09Z
      Date: Mon, 23 Dec 2024 13:59:08 GMT
      Content-Length: 0
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 8AF5A3216510484985A2D9EAEF0C1803 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:19Z
      Date: Mon, 23 Dec 2024 13:59:19 GMT
      Content-Length: 0
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 1B71249D144A42C4A18B556D625EF67B Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:30Z
      Date: Mon, 23 Dec 2024 13:59:29 GMT
      Content-Length: 0
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      X-Cache: TCP_MISS
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: D20C3422CC154B99B9142D4C6A3AB83F Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:30Z
      Date: Mon, 23 Dec 2024 13:59:29 GMT
      Content-Length: 0
    • Flag: US
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 959DF252C0BE4286ADAE0055A1EA9F66 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:32Z
      Date: Mon, 23 Dec 2024 13:59:31 GMT
      Content-Length: 0
    • Flag: US
      DNS
      vsblobprodscussu5shard30.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard30.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard30.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
    • Flag: US
      GET
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard30.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 8752128
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
      Accept-Ranges: bytes
      ETag: "0x8D4B1DACA398C54"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: ef93b483-a01e-003c-3842-557fcf000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Mon, 23 Dec 2024 13:59:09 GMT
    • Flag: US
      GET
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard30.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 8752128
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
      Accept-Ranges: bytes
      ETag: "0x8D4B1DACA398C54"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: ef93c1c0-a01e-003c-2842-557fcf000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Mon, 23 Dec 2024 13:59:19 GMT
    • Flag: US
      DNS
      vsblobprodscussu5shard20.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard20.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard20.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
    • Flag: US
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: b351b99b-c01e-0005-6142-5584d3000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Mon, 23 Dec 2024 13:59:31 GMT
    • Flag: US
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: b351bc44-c01e-0005-5642-5584d3000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Mon, 23 Dec 2024 13:59:32 GMT
    • Flag: US
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      2.19.252.143
      a1363.dscg.akamai.net
      IN A
      2.19.252.157
    • Flag: GB
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      2.19.252.143:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
      Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
      ETag: 0x8DD1A40E476D877
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Mon, 23 Dec 2024 13:59:39 GMT
      Connection: keep-alive
    • Flag: US
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      95.100.245.144
    • Flag: GB
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      95.100.245.144:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: PjrtHAukbJio72s77Ag5mA==
      Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
      ETag: 0x8DCFA0366D6C4CA
      x-ms-request-id: e4f947ba-101e-006b-4fef-2bd01e000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      X-EdgeConnect-Origin-MEX-Latency: 111
      Date: Mon, 23 Dec 2024 13:59:39 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV18b09cd1.0
      ms-cv-esi: CASMicrosoftCV18b09cd1.0
      X-RTag: RT
    • Flag: US
      DNS
      stun.stunprotocol.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.stunprotocol.org
      IN A
      Response
      stun.stunprotocol.org
      IN A
      127.0.0.1
    • Flag: US
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.133.233
    • Flag: US
      DNS
      stun.sipgate.net
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.sipgate.net
      IN A
      Response
      stun.sipgate.net
      IN CNAME
      stun.sipgate.cloud
      stun.sipgate.cloud
      IN CNAME
      a6adcb4b9bf816abe.awsglobalaccelerator.com
      a6adcb4b9bf816abe.awsglobalaccelerator.com
      IN A
      15.197.250.192
      a6adcb4b9bf816abe.awsglobalaccelerator.com
      IN A
      3.33.249.248
    • DNS
      blockchain.info
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      blockchain.info
      IN A
      Response
      blockchain.info
      IN A
      104.16.237.243
      blockchain.info
      IN A
      104.16.236.243
    • DNS
      server6.statscreate.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server6.statscreate.org
      IN A
      Response
    • 204.79.197.219:443
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      tls, http
      patch.exe
      2.8kB
      10.8kB
      17
      21

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/index2.txt

      HTTP Response

      404

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/index2.txt

      HTTP Response

      404

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

      HTTP Response

      302

      HTTP Request

      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

      HTTP Response

      302
    • 20.150.38.228:443
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
      tls, http
      patch.exe
      335.5kB
      18.1MB
      7094
      13003

      HTTP Request

      GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

      HTTP Response

      200

      HTTP Request

      GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

      HTTP Response

      200
    • 20.150.38.228:443
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
      tls, http
      patch.exe
      27.5kB
      1.1MB
      524
      756

      HTTP Request

      GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

      HTTP Response

      200

      HTTP Request

      GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

      HTTP Response

      200
    • 2.19.252.143:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      399 B
      1.7kB
      4
      4

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 95.100.245.144:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      393 B
      1.8kB
      4
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 162.159.134.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.2kB
      5.5kB
      14
      15
    • 127.0.0.1:31464
      csrss.exe
    • 127.0.0.1:31464
      csrss.exe
    • 127.0.0.1:31464
      csrss.exe
    • 104.16.237.243:443
      blockchain.info
      tls
      csrss.exe
      1.3kB
      12.8kB
      15
      21
    • 8.8.8.8:53
      76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
      dns
      csrss.exe
      150 B
      225 B
      1
      1

      DNS Request

      76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion

    • 8.8.8.8:53
      msdl.microsoft.com
      dns
      patch.exe
      64 B
      182 B
      1
      1

      DNS Request

      msdl.microsoft.com

      DNS Response

      204.79.197.219

    • 8.8.8.8:53
      vsblobprodscussu5shard30.blob.core.windows.net
      dns
      patch.exe
      92 B
      231 B
      1
      1

      DNS Request

      vsblobprodscussu5shard30.blob.core.windows.net

      DNS Response

      20.150.38.228
      20.150.79.68
      20.150.70.36

    • 8.8.8.8:53
      vsblobprodscussu5shard20.blob.core.windows.net
      dns
      patch.exe
      92 B
      231 B
      1
      1

      DNS Request

      vsblobprodscussu5shard20.blob.core.windows.net

      DNS Response

      20.150.38.228
      20.150.70.36
      20.150.79.68

    • 8.8.8.8:53
      crl.microsoft.com
      dns
      63 B
      162 B
      1
      1

      DNS Request

      crl.microsoft.com

      DNS Response

      2.19.252.143
      2.19.252.157

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      95.100.245.144

    • 8.8.8.8:53
      stun.stunprotocol.org
      dns
      csrss.exe
      67 B
      83 B
      1
      1

      DNS Request

      stun.stunprotocol.org

      DNS Response

      127.0.0.1

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      64 B
      144 B
      1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.134.233
      162.159.130.233
      162.159.129.233
      162.159.135.233
      162.159.133.233

    • 127.0.0.1:3478
      csrss.exe
    • 8.8.8.8:53
      stun.sipgate.net
      dns
      csrss.exe
      62 B
      182 B
      1
      1

      DNS Request

      stun.sipgate.net

      DNS Response

      15.197.250.192
      3.33.249.248

    • 15.197.250.192:3478
      stun.sipgate.net
      csrss.exe
      48 B
      124 B
      1
      1
    • 8.8.8.8:53
      blockchain.info
      dns
      csrss.exe
      61 B
      93 B
      1
      1

      DNS Request

      blockchain.info

      DNS Response

      104.16.237.243
      104.16.236.243

    • 8.8.8.8:53
      server6.statscreate.org
      dns
      csrss.exe
      69 B
      151 B
      1
      1

      DNS Request

      server6.statscreate.org

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

      Filesize

      8.3MB

      MD5

      fd2727132edd0b59fa33733daa11d9ef

      SHA1

      63e36198d90c4c2b9b09dd6786b82aba5f03d29a

      SHA256

      3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

      SHA512

      3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

      Filesize

      492KB

      MD5

      fafbf2197151d5ce947872a4b0bcbe16

      SHA1

      a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

      SHA256

      feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

      SHA512

      acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

      Filesize

      5.3MB

      MD5

      1afff8d5352aecef2ecd47ffa02d7f7d

      SHA1

      8b115b84efdb3a1b87f750d35822b2609e665bef

      SHA256

      c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

      SHA512

      e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

    • C:\Users\Admin\AppData\Local\Temp\osloader.exe

      Filesize

      591KB

      MD5

      e2f68dc7fbd6e0bf031ca3809a739346

      SHA1

      9c35494898e65c8a62887f28e04c0359ab6f63f5

      SHA256

      b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

      SHA512

      26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

    • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

      Filesize

      94KB

      MD5

      d98e78fd57db58a11f880b45bb659767

      SHA1

      ab70c0d3bd9103c07632eeecee9f51d198ed0e76

      SHA256

      414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

      SHA512

      aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

      Filesize

      1.7MB

      MD5

      13aaafe14eb60d6a718230e82c671d57

      SHA1

      e039dd924d12f264521b8e689426fb7ca95a0a7b

      SHA256

      f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

      SHA512

      ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll

      Filesize

      1.5MB

      MD5

      f0616fa8bc54ece07e3107057f74e4db

      SHA1

      b33995c4f9a004b7d806c4bb36040ee844781fca

      SHA256

      6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

      SHA512

      15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

    • \Users\Admin\AppData\Local\Temp\symsrv.dll

      Filesize

      163KB

      MD5

      5c399d34d8dc01741269ff1f1aca7554

      SHA1

      e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

      SHA256

      e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

      SHA512

      8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

    • \Windows\rss\csrss.exe

      Filesize

      4.1MB

      MD5

      008125769572e242cceb203923c0e4b9

      SHA1

      003bbe8acc6e56f581f60abf2f57fd3a62b9110b

      SHA256

      b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9

      SHA512

      26bddc1e4c17a4c327d3b94ae24146a6ed0c9f1e1f87d1fb97fa2bd6cf2b5051edab8f5ffc182cd981aa48414872033f1a854c451ac1149652b34130f56a5d27

    • memory/1452-36-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/1452-50-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/1724-3-0x0000000000400000-0x0000000000C91000-memory.dmp

      Filesize

      8.6MB

    • memory/1724-0-0x00000000032C0000-0x00000000036A9000-memory.dmp

      Filesize

      3.9MB

    • memory/1724-5-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/1724-7-0x00000000032C0000-0x00000000036A9000-memory.dmp

      Filesize

      3.9MB

    • memory/1724-8-0x0000000000400000-0x0000000000C91000-memory.dmp

      Filesize

      8.6MB

    • memory/1724-1-0x00000000032C0000-0x00000000036A9000-memory.dmp

      Filesize

      3.9MB

    • memory/1724-6-0x0000000004DD0000-0x0000000005647000-memory.dmp

      Filesize

      8.5MB

    • memory/1724-2-0x0000000004DD0000-0x0000000005647000-memory.dmp

      Filesize

      8.5MB

    • memory/2612-108-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-104-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-17-0x00000000033E0000-0x00000000037C9000-memory.dmp

      Filesize

      3.9MB

    • memory/2612-80-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-70-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-101-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-66-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-102-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-103-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-111-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-105-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-106-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-107-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-110-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2612-109-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2772-18-0x0000000000400000-0x0000000003002000-memory.dmp

      Filesize

      44.0MB

    • memory/2772-4-0x0000000003550000-0x0000000003939000-memory.dmp

      Filesize

      3.9MB
