Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-12-2024 00:00

General

  • Target

    JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe

  • Size

    4.4MB

  • MD5

    e8b0090bafd4bbbbedba76ed83d27c21

  • SHA1

    6614977c2de9096b837f072aa942866fe9b0af58

  • SHA256

    526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3

  • SHA512

    541b39478b92dfb0f4753e037d3f87b90dc5b420a2dcb0d189f45efabcc5979af48a6fe856577229be490e4e001c4f0f7dad0c26ca9ff63665fbe04d43ab809b

  • SSDEEP

    98304:vGjMEhVl9iA6ibKOTtWF465Lag1AacZA7BEVsAB6bTuYmdjAFtr:ejMEvl9iwbdtWF4eLJ1Aaje+AAuYmdjq

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Glupteba payload 21 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 6 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 332
      2⤵
      • Program crash
      PID:212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 340
      2⤵
      • Program crash
      PID:4544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 340
      2⤵
      • Program crash
      PID:5028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 604
      2⤵
      • Program crash
      PID:3192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 696
      2⤵
      • Program crash
      PID:4612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 696
      2⤵
      • Program crash
      PID:5000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 724
      2⤵
      • Program crash
      PID:4296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 752
      2⤵
      • Program crash
      PID:3720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 728
      2⤵
      • Program crash
      PID:4004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 708
      2⤵
      • Program crash
      PID:2628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 796
      2⤵
      • Program crash
      PID:220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 796
      2⤵
      • Program crash
      PID:4212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 620
      2⤵
      • Program crash
      PID:1248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 888
      2⤵
      • Program crash
      PID:2192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 900
      2⤵
      • Program crash
      PID:4784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 616
      2⤵
      • Program crash
      PID:2176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 784
      2⤵
      • Program crash
      PID:3832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 780
      2⤵
      • Program crash
      PID:2760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 884
      2⤵
      • Program crash
      PID:3552
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 800
      2⤵
      • Program crash
      PID:2208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 736
      2⤵
      • Program crash
      PID:552
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 296
        3⤵
        • Program crash
        PID:3048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 304
        3⤵
        • Program crash
        PID:4576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 304
        3⤵
        • Program crash
        PID:3716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 628
        3⤵
        • Program crash
        PID:4976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 628
        3⤵
        • Program crash
        PID:4208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 628
        3⤵
        • Program crash
        PID:1744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 628
        3⤵
        • Program crash
        PID:4316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 724
        3⤵
        • Program crash
        PID:3120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 708
        3⤵
        • Program crash
        PID:5044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 608
        3⤵
        • Program crash
        PID:1420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 712
        3⤵
        • Program crash
        PID:1632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 804
        3⤵
        • Program crash
        PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 848
        3⤵
        • Program crash
        PID:4620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 920
        3⤵
        • Program crash
        PID:4644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 936
        3⤵
        • Program crash
        PID:2940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 860
        3⤵
        • Program crash
        PID:312
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1436
        3⤵
        • Program crash
        PID:4028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1428
        3⤵
        • Program crash
        PID:212
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1464
        3⤵
        • Program crash
        PID:3868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1460
        3⤵
        • Program crash
        PID:372
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /51-51
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 332
          4⤵
          • Program crash
          PID:4004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 340
          4⤵
          • Program crash
          PID:2628
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 360
          4⤵
          • Program crash
          PID:220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 664
          4⤵
          • Program crash
          PID:3420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 664
          4⤵
          • Program crash
          PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 664
          4⤵
          • Program crash
          PID:1060
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 664
          4⤵
          • Program crash
          PID:3196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 728
          4⤵
          • Program crash
          PID:2144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 752
          4⤵
          • Program crash
          PID:4648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616
          4⤵
          • Program crash
          PID:744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 740
          4⤵
          • Program crash
          PID:2208
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 768
          4⤵
          • Program crash
          PID:1452
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 744
          4⤵
          • Program crash
          PID:3444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 896
          4⤵
          • Program crash
          PID:2764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 932
          4⤵
          • Program crash
          PID:3972
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 968
          4⤵
          • Program crash
          PID:3096
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 980
          4⤵
          • Program crash
          PID:2360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 968
          4⤵
          • Program crash
          PID:1744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1512
          4⤵
          • Program crash
          PID:5108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1524
          4⤵
          • Program crash
          PID:2580
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1616
          4⤵
          • Program crash
          PID:3544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1632
          4⤵
          • Program crash
          PID:452
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1628
          4⤵
          • Program crash
          PID:804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1460
          4⤵
          PID:2052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1504
          4⤵
          PID:4008
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1456
          4⤵
          PID:5028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1460
          4⤵
          PID:744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1712
          4⤵
          PID:3128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 2492
    1⤵
    PID:1724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2492 -ip 2492
    1⤵
    PID:4196
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:4884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2492 -ip 2492
    1⤵
    PID:2672
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 2492
    1⤵
    PID:1376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 2492
    1⤵
    PID:372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2492 -ip 2492
    1⤵
    PID:1124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2492 -ip 2492
    1⤵
    PID:4676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:4060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2492 -ip 2492
    1⤵
    PID:3764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2492 -ip 2492
    1⤵
    PID:1708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:1712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2492 -ip 2492
    1⤵
    PID:4860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 2492
    1⤵
    PID:5080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2492 -ip 2492
    1⤵
    PID:4416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:4568
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2492 -ip 2492
    1⤵
    PID:4944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:1584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
    1⤵
    PID:660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2492 -ip 2492
    1⤵
    PID:4852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2492 -ip 2492
    1⤵
    PID:2744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 912 -ip 912
    1⤵
    PID:768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 912 -ip 912
    1⤵
    PID:4424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 912 -ip 912
    1⤵
    PID:2764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 912 -ip 912
    1⤵
    PID:4524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 912
    1⤵
    PID:2560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 912 -ip 912
    1⤵
    PID:4988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 912 -ip 912
    1⤵
    PID:2088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
    1⤵
    PID:2320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 912 -ip 912
    1⤵
    PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 912 -ip 912
    1⤵
    PID:1960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 912 -ip 912
    1⤵
    PID:3524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 912
    1⤵
    PID:1560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 912
    1⤵
    PID:1728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 912 -ip 912
    1⤵
    PID:3904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 912 -ip 912
    1⤵
    PID:3792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 912 -ip 912
    1⤵
    PID:3564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
    1⤵
    PID:868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 912
    1⤵
    PID:832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 912 -ip 912
    1⤵
    PID:408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 912 -ip 912
    1⤵
    PID:1376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
    1⤵
    PID:3536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1428 -ip 1428
    1⤵
    PID:3764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
    1⤵
    PID:1708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 1428
    1⤵
    PID:4112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
    1⤵
    PID:4444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1428 -ip 1428
    1⤵
    PID:3776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1428 -ip 1428
    1⤵
    PID:4784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 1428
    1⤵
    PID:928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1428 -ip 1428
    1⤵
    PID:3980
                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 1428
                                                                                                                  1⤵
                                                                                                                    PID:3496
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1428 -ip 1428
                                                                                                                    1⤵
                                                                                                                      PID:3680
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1428 -ip 1428
                                                                                                                      1⤵
                                                                                                                        PID:552
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1428 -ip 1428
                                                                                                                        1⤵
                                                                                                                          PID:2276
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1428 -ip 1428
                                                                                                                          1⤵
                                                                                                                            PID:4576
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 1428
                                                                                                                            1⤵
                                                                                                                              PID:1700
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1428 -ip 1428
                                                                                                                              1⤵
                                                                                                                                PID:1836
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 1428
                                                                                                                                1⤵
                                                                                                                                  PID:1948
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 1428
                                                                                                                                  1⤵
                                                                                                                                    PID:428
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1428 -ip 1428
                                                                                                                                    1⤵
                                                                                                                                      PID:3120
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 1428
                                                                                                                                      1⤵
                                                                                                                                        PID:3464
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1428 -ip 1428
                                                                                                                                        1⤵
                                                                                                                                          PID:4656
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
                                                                                                                                          1⤵
                                                                                                                                            PID:1660
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1428 -ip 1428
                                                                                                                                            1⤵
                                                                                                                                              PID:3304
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1428 -ip 1428
                                                                                                                                              1⤵
                                                                                                                                                PID:4176
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1428 -ip 1428
                                                                                                                                                1⤵
                                                                                                                                                  PID:1576
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4544
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
                                                                                                                                                    1⤵
                                                                                                                                                      PID:3552
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
                                                                                                                                                      1⤵
                                                                                                                                                        PID:384

Network

• DNS 13.86.106.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 13.86.106.20.in-addr.arpa IN PTR
  Response:
• DNS 136.32.126.40.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 136.32.126.40.in-addr.arpa IN PTR
  Response:
• DNS 95.221.229.192.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response:
• DNS 154.239.44.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 154.239.44.20.in-addr.arpa IN PTR
  Response:
• DNS humisnee.com
  JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
  Remote address: 8.8.8.8:53
  Request: humisnee.com IN A
  Response: humisnee.com IN A 37.48.65.149
• DNS survey-smiles.com
  JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
  Remote address: 8.8.8.8:53
  Request: survey-smiles.com IN A
  Response: survey-smiles.com IN A 199.59.243.227
• GET http://survey-smiles.com/
  JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
  Remote address: 199.59.243.227:80
  Request:
  GET / HTTP/1.1
  Host: survey-smiles.com
  User-Agent: Go-http-client/1.1
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip
  Response:
  HTTP/1.1 200 OK
  date: Fri, 27 Dec 2024 00:00:20 GMT
  content-type: text/html; charset=utf-8
  content-length: 1054
  x-request-id: e69ddbba-6d86-4c57-be7f-c4188c78febb
  cache-control: no-store, max-age=0
  accept-ch: sec-ch-prefers-color-scheme
  critical-ch: sec-ch-prefers-color-scheme
  vary: sec-ch-prefers-color-scheme
  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
  set-cookie: parking_session=e69ddbba-6d86-4c57-be7f-c4188c78febb; expires=Fri, 27 Dec 2024 00:15:21 GMT; path=/
• DNS 149.65.48.37.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 149.65.48.37.in-addr.arpa IN PTR
  Response:
• DNS 227.243.59.199.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 227.243.59.199.in-addr.arpa IN PTR
  Response:
• DNS ninhaine.com
  csrss.exe
  Remote address: 8.8.8.8:53
  Request: ninhaine.com IN TXT
  Response:
• DNS
                                                                                                                                                        2makestorage.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        2makestorage.com
                                                                                                                                                        IN TXT
                                                                                                                                                        Response
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        2makestorage.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        2makestorage.com
                                                                                                                                                        IN TXT
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        nisdably.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        nisdably.com
                                                                                                                                                        IN TXT
                                                                                                                                                        Response
                                                                                                                                                        nisdably.com
                                                                                                                                                        IN TXT
                                                                                                                                                        .v=spf1 include:_incspfcheck.mailspike.net ?all
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.com
                                                                                                                                                        IN TXT
                                                                                                                                                        Response
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        IN A
                                                                                                                                                        Response
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        IN A
                                                                                                                                                        46.8.9.145
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        145.9.8.46.in-addr.arpa
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        145.9.8.46.in-addr.arpa
                                                                                                                                                        IN PTR
                                                                                                                                                        Response
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        ww82.ninhaine.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        ww82.ninhaine.com
                                                                                                                                                        IN A
                                                                                                                                                        Response
                                                                                                                                                        ww82.ninhaine.com
                                                                                                                                                        IN CNAME
                                                                                                                                                        63214.bodis.com
                                                                                                                                                        63214.bodis.com
                                                                                                                                                        IN A
                                                                                                                                                        199.59.243.227
                                                                                                                                                      • flag-us
                                                                                                                                                        DNS
                                                                                                                                                        ww53.ninhaine.com
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        8.8.8.8:53
                                                                                                                                                        Request
                                                                                                                                                        ww53.ninhaine.com
                                                                                                                                                        IN A
                                                                                                                                                        Response
                                                                                                                                                        ww53.ninhaine.com
                                                                                                                                                        IN CNAME
                                                                                                                                                        g87442272.c.giantpanda.com
                                                                                                                                                        g87442272.c.giantpanda.com
                                                                                                                                                        IN A
                                                                                                                                                        172.104.251.198
                                                                                                                                                        g87442272.c.giantpanda.com
                                                                                                                                                        IN A
                                                                                                                                                        172.104.149.86
                                                                                                                                                        g87442272.c.giantpanda.com
                                                                                                                                                        IN A
                                                                                                                                                        139.162.181.76
                                                                                                                                                      • flag-us
                                                                                                                                                        GET
                                                                                                                                                        http://ww82.ninhaine.com/
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        199.59.243.227:80
                                                                                                                                                        Request
                                                                                                                                                        GET / HTTP/1.1
                                                                                                                                                        Host: ww82.ninhaine.com
                                                                                                                                                        User-Agent: Go-http-client/1.1
                                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                        Response
                                                                                                                                                        HTTP/1.1 200 OK
                                                                                                                                                        date: Fri, 27 Dec 2024 00:00:30 GMT
                                                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                                                        content-length: 1054
                                                                                                                                                        x-request-id: 3850da07-2ee3-4783-a911-cbd63d27ae66
                                                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
                                                                                                                                                        set-cookie: parking_session=3850da07-2ee3-4783-a911-cbd63d27ae66; expires=Fri, 27 Dec 2024 00:15:31 GMT; path=/
                                                                                                                                                      • flag-us
                                                                                                                                                        GET
                                                                                                                                                        http://ww82.ninhaine.com/
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        199.59.243.227:80
                                                                                                                                                        Request
                                                                                                                                                        GET / HTTP/1.1
                                                                                                                                                        Host: ww82.ninhaine.com
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.2.14
                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                        Response
                                                                                                                                                        HTTP/1.1 200 OK
                                                                                                                                                        date: Fri, 27 Dec 2024 00:00:35 GMT
                                                                                                                                                        content-type: text/html; charset=utf-8
                                                                                                                                                        content-length: 1054
                                                                                                                                                        x-request-id: 9a7143bd-827b-4d51-9ca1-6f56d44af7c9
                                                                                                                                                        cache-control: no-store, max-age=0
                                                                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ejMXHwXvX7+aVx6NPJH5ipT/oHvgZg1ybBIuGiWiqhwH+P67oGvjrYbzo0bFbk0y7/updtU3k0oKdt48FMS8yg==
                                                                                                                                                        set-cookie: parking_session=9a7143bd-827b-4d51-9ca1-6f56d44af7c9; expires=Fri, 27 Dec 2024 00:15:35 GMT; path=/
                                                                                                                                                      • flag-de
                                                                                                                                                        GET
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        csrss.exe
                                                                                                                                                        Remote address:
                                                                                                                                                        172.104.251.198:80
                                                                                                                                                        Request
                                                                                                                                                        GET / HTTP/1.1
                                                                                                                                                        Host: ww53.ninhaine.com
                                                                                                                                                        User-Agent: Go-http-client/1.1
                                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                        Response
                                                                                                                                                        HTTP/1.1 200 OK
                                                                                                                                                        Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:00:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=8a02c2d05f4109ad3b764853e057b974; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:31 GMT
    Content-Encoding: gzip
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
  Request:
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/json; charset=UTF-8
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:00:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=3a3d24e561d1ea48d4d327875ee13326; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:31 GMT
    Content-Encoding: gzip
• country: US
  DNS 198.251.104.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:
    198.251.104.172.in-addr.arpa
    IN PTR
  Response:
    198.251.104.172.in-addr.arpa
    IN PTR
    172-104-251-198iplinodeusercontentcom
• country: US
  DNS spolaect.info
  Process: csrss.exe
  Remote address: 8.8.8.8:53
  Request:
    spolaect.info
    IN A
  Response:
• country: US
  DNS 50.23.12.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:
    50.23.12.20.in-addr.arpa
    IN PTR
  Response:
• country: US
  DNS 171.39.242.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:
    171.39.242.20.in-addr.arpa
    IN PTR
  Response:
• country: US
  DNS 107.12.20.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:
    107.12.20.2.in-addr.arpa
    IN PTR
  Response:
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
  Request:
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:00:41 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=8d684c08579dadc444751a0124e06b23; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:41 GMT
    Content-Encoding: gzip
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
  Request:
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:00:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=f12382b9d8faf519db36eb6070b35fde; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:42 GMT
    Content-Encoding: gzip
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
  Request:
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:00:48 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=c77ff42ff0ef0a58676c02e72576c579; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:00:48 GMT
    Content-Encoding: gzip
• country: US
  GET http://ww82.ninhaine.com/
  Process: csrss.exe
  Remote address: 199.59.243.227:80
  Request:
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    date: Fri, 27 Dec 2024 00:00:54 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 4fa68281-5a93-4009-ba76-1f488c5ec556
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rMdlG4llKTVStELUNxzB/mmJKkI6ZNoCSC0wBMfjFwiJFX+ro9hXjIQENE6s0AhnqTMupVKBZ7wH6GwQ8mMBbg==
    set-cookie: parking_session=4fa68281-5a93-4009-ba76-1f488c5ec556; expires=Fri, 27 Dec 2024 00:15:54 GMT; path=/
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
  Request:
    GET / HTTP/1.1
    Host: ww53.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Server: openresty/1.27.1.1
    Date: Fri, 27 Dec 2024 00:01:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: session_id=19307797cff519c4e51d4df2526b74f9; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:01:00 GMT
    Content-Encoding: gzip
• country: US
  DNS 31.243.111.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:
    31.243.111.52.in-addr.arpa
    IN PTR
  Response:
• country: DE
  GET http://ww53.ninhaine.com/
  Process: csrss.exe
  Remote address: 172.104.251.198:80
                                                                                                                                                        Request
                                                                                                                                                        GET / HTTP/1.1
                                                                                                                                                        Host: ww53.ninhaine.com
                                                                                                                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15
                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                        Response
                                                                                                                                                        HTTP/1.1 200 OK
                                                                                                                                                        Server: openresty/1.27.1.1
                                                                                                                                                        Date: Fri, 27 Dec 2024 00:02:12 GMT
                                                                                                                                                        Content-Type: text/html
                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                        Set-Cookie: session_id=4c1447abfad10cd9ea9fed4e7d9638fb; Path=/; HttpOnly; Max-Age=86400; Expires=Friday, 27-Dec-2024 00:02:12 GMT
                                                                                                                                                        Content-Encoding: gzip
                                                                                                                                                      • 37.48.65.149:443
                                                                                                                                                        humisnee.com
                                                                                                                                                        tls
                                                                                                                                                        JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
                                                                                                                                                        1.4kB
                                                                                                                                                        3.8kB
                                                                                                                                                        13
                                                                                                                                                        10
                                                                                                                                                      • 199.59.243.227:80
                                                                                                                                                        http://survey-smiles.com/
                                                                                                                                                        http
                                                                                                                                                        JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
                                                                                                                                                        533 B
                                                                                                                                                        2.3kB
                                                                                                                                                        8
                                                                                                                                                        5

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://survey-smiles.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 46.8.9.145:443
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        tls
                                                                                                                                                        csrss.exe
                                                                                                                                                        16.8kB
                                                                                                                                                        5.7kB
                                                                                                                                                        54
                                                                                                                                                        44
                                                                                                                                                      • 46.8.9.145:443
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        tls
                                                                                                                                                        csrss.exe
                                                                                                                                                        876 B
                                                                                                                                                        3.5kB
                                                                                                                                                        11
                                                                                                                                                        8
                                                                                                                                                      • 46.8.9.145:443
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        tls
                                                                                                                                                        csrss.exe
                                                                                                                                                        934 B
                                                                                                                                                        3.6kB
                                                                                                                                                        12
                                                                                                                                                        9
                                                                                                                                                      • 199.59.243.227:80
                                                                                                                                                        http://ww82.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        788 B
                                                                                                                                                        4.6kB
                                                                                                                                                        10
                                                                                                                                                        10

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww82.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww82.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        423 B
                                                                                                                                                        1.5kB
                                                                                                                                                        6
                                                                                                                                                        5

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        421 B
                                                                                                                                                        1.5kB
                                                                                                                                                        6
                                                                                                                                                        5

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        711 B
                                                                                                                                                        2.8kB
                                                                                                                                                        9
                                                                                                                                                        6

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        477 B
                                                                                                                                                        1.5kB
                                                                                                                                                        6
                                                                                                                                                        5

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 199.59.243.227:80
                                                                                                                                                        http://ww82.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        529 B
                                                                                                                                                        2.4kB
                                                                                                                                                        7
                                                                                                                                                        7

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww82.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        423 B
                                                                                                                                                        1.5kB
                                                                                                                                                        6
                                                                                                                                                        5

                                                                                                                                                        HTTP Request

                                                                                                                                                        GET http://ww53.ninhaine.com/

                                                                                                                                                        HTTP Response

                                                                                                                                                        200
                                                                                                                                                      • 46.8.9.145:443
                                                                                                                                                        server5.ninhaine.com
                                                                                                                                                        tls
                                                                                                                                                        csrss.exe
                                                                                                                                                        2.1kB
                                                                                                                                                        4.1kB
                                                                                                                                                        17
                                                                                                                                                        16
                                                                                                                                                      • 172.104.251.198:80
                                                                                                                                                        http://ww53.ninhaine.com/
                                                                                                                                                        http
                                                                                                                                                        csrss.exe
                                                                                                                                                        475 B
                                                                                                                                                        1.5kB
                                                                                                                                                        6
                                                                                                                                                        5

  HTTP Request: GET http://ww53.ninhaine.com/
  HTTP Response: 200

• 8.8.8.8:53
  13.86.106.20.in-addr.arpa
  dns
  71 B
  157 B
  1
  1
  DNS Request: 13.86.106.20.in-addr.arpa

• 8.8.8.8:53
  136.32.126.40.in-addr.arpa
  dns
  72 B
  158 B
  1
  1
  DNS Request: 136.32.126.40.in-addr.arpa

• 8.8.8.8:53
  95.221.229.192.in-addr.arpa
  dns
  73 B
  144 B
  1
  1
  DNS Request: 95.221.229.192.in-addr.arpa

• 8.8.8.8:53
  154.239.44.20.in-addr.arpa
  dns
  72 B
  158 B
  1
  1
  DNS Request: 154.239.44.20.in-addr.arpa

• 8.8.8.8:53
  humisnee.com
  dns
  JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
  58 B
  74 B
  1
  1
  DNS Request: humisnee.com
  DNS Response: 37.48.65.149

• 8.8.8.8:53
  survey-smiles.com
  dns
  JaffaCakes118_526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3.exe
  63 B
  79 B
  1
  1
  DNS Request: survey-smiles.com
  DNS Response: 199.59.243.227

• 8.8.8.8:53
  149.65.48.37.in-addr.arpa
  dns
  71 B
  134 B
  1
  1
  DNS Request: 149.65.48.37.in-addr.arpa

• 8.8.8.8:53
  227.243.59.199.in-addr.arpa
  dns
  73 B
  131 B
  1
  1
  DNS Request: 227.243.59.199.in-addr.arpa

• 8.8.8.8:53
  ninhaine.com
  dns
  csrss.exe
  58 B
  58 B
  1
  1
  DNS Request: ninhaine.com

• 8.8.8.8:53
  2makestorage.com
  dns
  csrss.exe
  124 B
  135 B
  2
  1
  DNS Request: 2makestorage.com
  DNS Request: 2makestorage.com

• 8.8.8.8:53
  nisdably.com
  dns
  csrss.exe
  58 B
  117 B
  1
  1
  DNS Request: nisdably.com

• 8.8.8.8:53
  39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.com
  dns
  csrss.exe
  95 B
  95 B
  1
  1
  DNS Request: 39dbf1c9-00f7-4017-81ad-15747890045a.ninhaine.com

• 8.8.8.8:53
  server5.ninhaine.com
  dns
  csrss.exe
  66 B
  82 B
  1
  1
  DNS Request: server5.ninhaine.com
  DNS Response: 46.8.9.145

• 8.8.8.8:53
  145.9.8.46.in-addr.arpa
  dns
  69 B
  129 B
  1
  1
  DNS Request: 145.9.8.46.in-addr.arpa

• 8.8.8.8:53
  ww82.ninhaine.com
  dns
  csrss.exe
  63 B
  105 B
  1
  1
  DNS Request: ww82.ninhaine.com
  DNS Response: 199.59.243.227

• 8.8.8.8:53
  ww53.ninhaine.com
  dns
  csrss.exe
  63 B
  148 B
  1
  1
  DNS Request: ww53.ninhaine.com
  DNS Response: 172.104.251.198, 172.104.149.86, 139.162.181.76

• 8.8.8.8:53
  198.251.104.172.in-addr.arpa
  dns
  74 B
  128 B
  1
  1
  DNS Request: 198.251.104.172.in-addr.arpa

• 8.8.8.8:53
  spolaect.info
  dns
  csrss.exe
  59 B
  138 B
  1
  1
  DNS Request: spolaect.info

• 8.8.8.8:53
  50.23.12.20.in-addr.arpa
  dns
  70 B
  156 B
  1
  1
  DNS Request: 50.23.12.20.in-addr.arpa

• 8.8.8.8:53
  171.39.242.20.in-addr.arpa
  dns
  72 B
  158 B
  1
  1
  DNS Request: 171.39.242.20.in-addr.arpa

• 8.8.8.8:53
  107.12.20.2.in-addr.arpa
  dns
  70 B
  133 B
  1
  1
  DNS Request: 107.12.20.2.in-addr.arpa

• 8.8.8.8:53
  31.243.111.52.in-addr.arpa
  dns
  72 B
  158 B
  1
                                                                                                                                                        1

                                                                                                                                                        DNS Request

                                                                                                                                                        31.243.111.52.in-addr.arpa

                                                                                                                                                      MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

• C:\Windows\rss\csrss.exe
  Filesize: 4.4MB
  MD5: e8b0090bafd4bbbbedba76ed83d27c21
  SHA1: 6614977c2de9096b837f072aa942866fe9b0af58
  SHA256: 526698c9029eb0fc44bb98b434b004f54ce239a84d1f21e776d87381b62a2de3
  SHA512: 541b39478b92dfb0f4753e037d3f87b90dc5b420a2dcb0d189f45efabcc5979af48a6fe856577229be490e4e001c4f0f7dad0c26ca9ff63665fbe04d43ab809b

• memory/912-8-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/912-9-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/912-18-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/912-10-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-36-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-27-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-25-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-35-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-34-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-26-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-33-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-32-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-19-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-31-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-28-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-29-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/1428-30-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/2492-1-0x00000000029E0000-0x0000000002E22000-memory.dmp  Filesize: 4.3MB
• memory/2492-6-0x0000000002E30000-0x0000000003757000-memory.dmp  Filesize: 9.2MB
• memory/2492-5-0x0000000000400000-0x0000000002583000-memory.dmp  Filesize: 33.5MB
• memory/2492-2-0x0000000002E30000-0x0000000003757000-memory.dmp  Filesize: 9.2MB
• memory/2492-3-0x0000000000400000-0x0000000000D42000-memory.dmp  Filesize: 9.3MB
• memory/2492-7-0x0000000000400000-0x0000000000D42000-memory.dmp  Filesize: 9.3MB
