Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 14:53
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe
-
Size
4.1MB
-
MD5
4347d1e8d835af022da5509bf3c17266
-
SHA1
4ab23c1a468cee9f4059559df3b4d05474076d2e
-
SHA256
d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38
-
SHA512
8ab13c820c36cb62f425a08a3f7af0d8c88a7aea86653a4c630fa031e00e7516e89f0374797c4249ee061e81fce382d904cc6a05c000ad8bb7d5136020d157d9
-
SSDEEP
98304:ym00TdmKgb6GMZr9Fbw3WF6/w6nn8ZBybm6pg:jPpmjOUGdyaN
Malware Config
Signatures
-
Glupteba family
-
Glupteba payload 20 IoCs
resource yara_rule behavioral1/memory/2228-2-0x0000000004F40000-0x00000000057B7000-memory.dmp family_glupteba behavioral1/memory/2228-3-0x0000000000400000-0x0000000000C91000-memory.dmp family_glupteba behavioral1/memory/2228-8-0x0000000000400000-0x0000000000C91000-memory.dmp family_glupteba behavioral1/memory/2228-7-0x0000000004F40000-0x00000000057B7000-memory.dmp family_glupteba behavioral1/memory/2228-4-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2672-29-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-66-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-70-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-71-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-101-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-102-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-103-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-104-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-105-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-106-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-107-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-108-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-109-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-110-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba behavioral1/memory/2620-111-0x0000000000400000-0x0000000003013000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 1488 bcdedit.exe 648 bcdedit.exe 944 bcdedit.exe 852 bcdedit.exe 1328 bcdedit.exe 752 bcdedit.exe 1648 bcdedit.exe 2500 bcdedit.exe 2272 bcdedit.exe 1468 bcdedit.exe 972 bcdedit.exe 1940 bcdedit.exe 2156 bcdedit.exe 556 bcdedit.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\Winmon.sys csrss.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2804 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Executes dropped EXE 4 IoCs
pid Process 2620 csrss.exe 1244 patch.exe 2116 injector.exe 864 dsefix.exe -
Loads dropped DLL 13 IoCs
pid Process 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 840 Process not Found 1244 patch.exe 1244 patch.exe 1244 patch.exe 1244 patch.exe 1244 patch.exe 2620 csrss.exe 1244 patch.exe 1244 patch.exe 1244 patch.exe 2620 csrss.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
description ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Logs\CBS\CbsPersist_20241225145336.cab makecab.exe File opened for modification C:\Windows\rss JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe File created C:\Windows\rss\csrss.exe JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1716 schtasks.exe 2188 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2228 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2620 csrss.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2620 csrss.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe 2116 injector.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 472 Process not Found -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2228 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Token: SeImpersonatePrivilege 2228 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe Token: SeSystemEnvironmentPrivilege 2620 csrss.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2740 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 36 PID 2672 wrote to memory of 2740 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 36 PID 2672 wrote to memory of 2740 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 36 PID 2672 wrote to memory of 2740 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 36 PID 2740 wrote to memory of 2804 2740 cmd.exe 38 PID 2740 wrote to memory of 2804 2740 cmd.exe 38 PID 2740 wrote to memory of 2804 2740 cmd.exe 38 PID 2672 wrote to memory of 2620 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 39 PID 2672 wrote to memory of 2620 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 39 PID 2672 wrote to memory of 2620 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 39 PID 2672 wrote to memory of 2620 2672 JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe 39 PID 2620 wrote to memory of 2116 2620 csrss.exe 46 PID 2620 wrote to memory of 2116 2620 csrss.exe 46 PID 2620 wrote to memory of 2116 2620 csrss.exe 46 PID 2620 wrote to memory of 2116 2620 csrss.exe 46 PID 1244 wrote to memory of 1488 1244 patch.exe 49 PID 1244 wrote to memory of 1488 1244 patch.exe 49 PID 1244 wrote to memory of 1488 1244 patch.exe 49 PID 1244 wrote to memory of 648 1244 patch.exe 51 PID 1244 wrote to memory of 648 1244 patch.exe 51 PID 1244 wrote to memory of 648 1244 patch.exe 51 PID 1244 wrote to memory of 944 1244 patch.exe 53 PID 1244 wrote to memory of 944 1244 patch.exe 53 PID 1244 wrote to memory of 944 1244 patch.exe 53 PID 1244 wrote to memory of 852 1244 patch.exe 55 PID 1244 wrote to memory of 852 1244 patch.exe 55 PID 1244 wrote to memory of 852 1244 patch.exe 55 PID 1244 wrote to memory of 1328 1244 patch.exe 57 PID 1244 wrote to memory of 1328 1244 patch.exe 57 PID 1244 wrote to memory of 1328 1244 patch.exe 57 PID 1244 wrote to memory of 752 1244 patch.exe 59 PID 1244 wrote to memory of 752 1244 patch.exe 59 PID 1244 wrote to memory of 752 1244 patch.exe 59 PID 1244 wrote to memory of 1648 1244 patch.exe 61 PID 1244 wrote to memory of 1648 1244 patch.exe 61 PID 1244 wrote to memory of 1648 1244 patch.exe 61 PID 1244 wrote to memory of 2500 1244 patch.exe 63 PID 1244 wrote to memory of 2500 1244 patch.exe 63 PID 1244 wrote to memory of 2500 1244 patch.exe 63 PID 1244 wrote to memory of 2272 1244 patch.exe 65 PID 1244 wrote to memory of 2272 1244 patch.exe 65 PID 1244 wrote to memory of 2272 1244 patch.exe 65 PID 1244 wrote to memory of 1468 1244 patch.exe 67 PID 1244 wrote to memory of 1468 1244 patch.exe 67 PID 1244 wrote to memory of 1468 1244 patch.exe 67 PID 1244 wrote to memory of 972 1244 patch.exe 69 PID 1244 wrote to memory of 972 1244 patch.exe 69 PID 1244 wrote to memory of 972 1244 patch.exe 69 PID 1244 wrote to memory of 1940 1244 patch.exe 71 PID 1244 wrote to memory of 1940 1244 patch.exe 71 PID 1244 wrote to memory of 1940 1244 patch.exe 71 PID 1244 wrote to memory of 2156 1244 patch.exe 73 PID 1244 wrote to memory of 2156 1244 patch.exe 73 PID 1244 wrote to memory of 2156 1244 patch.exe 73 PID 2620 wrote to memory of 556 2620 csrss.exe 75 PID 2620 wrote to memory of 556 2620 csrss.exe 75 PID 2620 wrote to memory of 556 2620 csrss.exe 75 PID 2620 wrote to memory of 556 2620 csrss.exe 75 PID 2620 wrote to memory of 864 2620 csrss.exe 77 PID 2620 wrote to memory of 864 2620 csrss.exe 77 PID 2620 wrote to memory of 864 2620 csrss.exe 77 PID 2620 wrote to memory of 864 2620 csrss.exe 77 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"2⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2804
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:1716
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
PID:1488
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:648
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:944
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
PID:852
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
PID:1328
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
PID:752
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
PID:1648
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
PID:2500
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
PID:2272
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
PID:1468
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
PID:972
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
PID:1940
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
PID:2156
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2116
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
PID:556
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
- Executes dropped EXE
PID:864
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Scheduled Task/Job: Scheduled Task
PID:2188
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241225145336.log C:\Windows\Logs\CBS\CbsPersist_20241225145336.cab1⤵
- Drops file in Windows directory
PID:2708
Network
-
DNS66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onioncsrss.exeRemote address:8.8.8.8:53Request66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionIN TXTResponse
-
Remote address:8.8.8.8:53Requestmsdl.microsoft.comIN AResponsemsdl.microsoft.comIN CNAMEmsdl.microsoft.akadns.netmsdl.microsoft.akadns.netIN CNAMEmsdl-microsoft-com.a-0016.a-msedge.netmsdl-microsoft-com.a-0016.a-msedge.netIN CNAMEa-0016.a-msedge.neta-0016.a-msedge.netIN A204.79.197.219
-
Remote address:204.79.197.219:443RequestGET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: C728C45AE7074F7AB553D4C6BB89E3B5 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:53:52Z
Date: Wed, 25 Dec 2024 14:53:52 GMT
Content-Length: 0
-
GEThttps://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdbpatch.exeRemote address:204.79.197.219:443RequestGET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 4B45FB80BF29412F917EA06390442201 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:53:52Z
Date: Wed, 25 Dec 2024 14:53:52 GMT
Content-Length: 0
-
GEThttps://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdbpatch.exeRemote address:204.79.197.219:443RequestGET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 6D7D9DA090B94FAB88A7FB18C1313B4E Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:02Z
Date: Wed, 25 Dec 2024 14:54:02 GMT
Content-Length: 0
-
Remote address:204.79.197.219:443RequestGET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 21AAB382768F4D40A12C763CF4119AB7 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:14Z
Date: Wed, 25 Dec 2024 14:54:13 GMT
Content-Length: 0
-
GEThttps://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdbpatch.exeRemote address:204.79.197.219:443RequestGET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 4012AB27DFFF49448EE9FC7CD4A37A66 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:14Z
Date: Wed, 25 Dec 2024 14:54:14 GMT
Content-Length: 0
-
GEThttps://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdbpatch.exeRemote address:204.79.197.219:443RequestGET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 7BDB70401E724A9F88D2AB4546F50D69 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:15Z
Date: Wed, 25 Dec 2024 14:54:15 GMT
Content-Length: 0
-
Remote address:8.8.8.8:53Requestvsblobprodscussu5shard30.blob.core.windows.netIN AResponsevsblobprodscussu5shard30.blob.core.windows.netIN CNAMEblob.sat09prdstrz08a.store.core.windows.netblob.sat09prdstrz08a.store.core.windows.netIN CNAMEblob.sat09prdstrz08a.trafficmanager.netblob.sat09prdstrz08a.trafficmanager.netIN A20.150.70.36blob.sat09prdstrz08a.trafficmanager.netIN A20.150.79.68blob.sat09prdstrz08a.trafficmanager.netIN A20.150.38.228
-
GEThttps://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0patch.exeRemote address:20.150.70.36:443RequestGET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard30.blob.core.windows.net
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Language: x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7461382c-001e-003d-58dc-5659b4000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Wed, 25 Dec 2024 14:53:53 GMT
-
GEThttps://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0patch.exeRemote address:20.150.70.36:443RequestGET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard30.blob.core.windows.net
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Language: x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 74614843-001e-003d-31dc-5659b4000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Wed, 25 Dec 2024 14:54:02 GMT
-
Remote address:8.8.8.8:53Requestvsblobprodscussu5shard20.blob.core.windows.netIN AResponsevsblobprodscussu5shard20.blob.core.windows.netIN CNAMEblob.sat09prdstrz08a.store.core.windows.netblob.sat09prdstrz08a.store.core.windows.netIN CNAMEblob.sat09prdstrz08a.trafficmanager.netblob.sat09prdstrz08a.trafficmanager.netIN A20.150.38.228blob.sat09prdstrz08a.trafficmanager.netIN A20.150.79.68blob.sat09prdstrz08a.trafficmanager.netIN A20.150.70.36
-
GEThttps://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59patch.exeRemote address:20.150.38.228:443RequestGET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard20.blob.core.windows.net
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Language: x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
Accept-Ranges: bytes
ETag: "0x8DC23A6A7A80D5E"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ec9fd06e-f01e-007c-54dc-5678f7000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Wed, 25 Dec 2024 14:54:14 GMT
-
GEThttps://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59patch.exeRemote address:20.150.38.228:443RequestGET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard20.blob.core.windows.net
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Language: x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
Accept-Ranges: bytes
ETag: "0x8DC23A6A7A80D5E"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ec9fd270-f01e-007c-26dc-5678f7000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Wed, 25 Dec 2024 14:54:15 GMT
-
Remote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.19.252.157a1363.dscg.akamai.netIN A2.19.252.143
-
Remote address:2.19.252.157:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4de8ec0b-c01e-0047-3936-4c3cb1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 25 Dec 2024 14:54:23 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A184.25.193.234
-
Remote address:184.25.193.234:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: ca00f663-501e-0037-2bf2-2b8546000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 25 Dec 2024 14:54:23 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV80aab0ea.0
ms-cv-esi: CASMicrosoftCV80aab0ea.0
X-RTag: RT
-
Remote address:8.8.8.8:53Requestcdn.discordapp.comIN AResponsecdn.discordapp.comIN A162.159.129.233cdn.discordapp.comIN A162.159.130.233cdn.discordapp.comIN A162.159.135.233cdn.discordapp.comIN A162.159.133.233cdn.discordapp.comIN A162.159.134.233
-
Remote address:8.8.8.8:53Requeststun4.l.google.comIN AResponsestun4.l.google.comIN A74.125.250.129
-
Remote address:8.8.8.8:53Requestblockchain.infoIN AResponseblockchain.infoIN A104.16.236.243blockchain.infoIN A104.16.237.243
-
Remote address:8.8.8.8:53Requestserver16.statscreate.orgIN AResponse
-
204.79.197.219:443https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdbtls, httppatch.exe2.9kB 10.8kB 18 21
HTTP Request
GET https://msdl.microsoft.com/download/symbols/index2.txtHTTP Response
404HTTP Request
GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdbHTTP Response
302HTTP Request
GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdbHTTP Response
302HTTP Request
GET https://msdl.microsoft.com/download/symbols/index2.txtHTTP Response
404HTTP Request
GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdbHTTP Response
302HTTP Request
GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdbHTTP Response
302 -
20.150.70.36:443https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0tls, httppatch.exe349.3kB 18.1MB 7306 13001
HTTP Request
GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0HTTP Response
200HTTP Request
GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0HTTP Response
200 -
20.150.38.228:443https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59tls, httppatch.exe27.8kB 1.1MB 530 756
HTTP Request
GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59HTTP Response
200HTTP Request
GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59HTTP Response
200 -
451 B 1.7kB 5 5
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
393 B 1.7kB 4 4
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
-
1.2kB 5.4kB 13 15
-
-
-
1.3kB 12.7kB 15 19
-
8.8.8.8:5366e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.oniondnscsrss.exe150 B 225 B 1 1
DNS Request
66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
-
64 B 182 B 1 1
DNS Request
msdl.microsoft.com
DNS Response
204.79.197.219
-
92 B 231 B 1 1
DNS Request
vsblobprodscussu5shard30.blob.core.windows.net
DNS Response
20.150.70.3620.150.79.6820.150.38.228
-
92 B 231 B 1 1
DNS Request
vsblobprodscussu5shard20.blob.core.windows.net
DNS Response
20.150.38.22820.150.79.6820.150.70.36
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
2.19.252.1572.19.252.143
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
184.25.193.234
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.129.233162.159.130.233162.159.135.233162.159.133.233162.159.134.233
-
64 B 80 B 1 1
DNS Request
stun4.l.google.com
DNS Response
74.125.250.129
-
48 B 60 B 1 1
-
61 B 93 B 1 1
DNS Request
blockchain.info
DNS Response
104.16.236.243104.16.237.243
-
70 B 152 B 1 1
DNS Request
server16.statscreate.org
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
4.1MB
MD54347d1e8d835af022da5509bf3c17266
SHA14ab23c1a468cee9f4059559df3b4d05474076d2e
SHA256d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38
SHA5128ab13c820c36cb62f425a08a3f7af0d8c88a7aea86653a4c630fa031e00e7516e89f0374797c4249ee061e81fce382d904cc6a05c000ad8bb7d5136020d157d9