chinese_generic_botnet | de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e | Triage

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2022, 23:19 UTC

Sharing

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

be689578752179e22bf915dbcf4f7520
SHA1

e798e703bfb90707a2872b51da73f32af566aedb
SHA256

de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
SHA512

89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8
SSDEEP

12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VO25nQopSchf:0nsJ39LyjbJkQFMhmC+6GD9t1pSa

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

resource	yara_rule
behavioral2/memory/4752-138-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
4752	._cache_file.exe
852	Synaptics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	file.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_file.exe"	._cache_file.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	._cache_file.exe
File opened (read-only)	\??\E:	._cache_file.exe
File opened (read-only)	\??\K:	._cache_file.exe
File opened (read-only)	\??\W:	._cache_file.exe
File opened (read-only)	\??\Z:	._cache_file.exe
File opened (read-only)	\??\Y:	._cache_file.exe
File opened (read-only)	\??\F:	._cache_file.exe
File opened (read-only)	\??\L:	._cache_file.exe
File opened (read-only)	\??\R:	._cache_file.exe
File opened (read-only)	\??\S:	._cache_file.exe
File opened (read-only)	\??\V:	._cache_file.exe
File opened (read-only)	\??\X:	._cache_file.exe
File opened (read-only)	\??\I:	._cache_file.exe
File opened (read-only)	\??\J:	._cache_file.exe
File opened (read-only)	\??\O:	._cache_file.exe
File opened (read-only)	\??\T:	._cache_file.exe
File opened (read-only)	\??\U:	._cache_file.exe
File opened (read-only)	\??\G:	._cache_file.exe
File opened (read-only)	\??\H:	._cache_file.exe
File opened (read-only)	\??\M:	._cache_file.exe
File opened (read-only)	\??\N:	._cache_file.exe
File opened (read-only)	\??\P:	._cache_file.exe
File opened (read-only)	\??\Q:	._cache_file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_file.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1416	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4752	._cache_file.exe
4752	._cache_file.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1416	EXCEL.EXE
1416	EXCEL.EXE
1416	EXCEL.EXE
1416	EXCEL.EXE
1416	EXCEL.EXE
1416	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4752	5056	file.exe	83
PID 5056 wrote to memory of 4752	5056	file.exe	83
PID 5056 wrote to memory of 4752	5056	file.exe	83
PID 5056 wrote to memory of 852	5056	file.exe	84
PID 5056 wrote to memory of 852	5056	file.exe	84
PID 5056 wrote to memory of 852	5056	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:852

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1416

Network

DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 23 Dec 2022 23:19:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.206
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Content-Type: application/binary
Location: https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-6CRo5jiZ_VOQ8xkf8nfC3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"
Date: Fri, 23 Dec 2022 23:20:34 GMT
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Content-Type: application/binary
Location: https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-iw42qJJ9qon2QalhbLT_HQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Date: Fri, 23 Dec 2022 23:20:34 GMT
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Content-Type: application/binary
Location: https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'report-sample' 'nonce-lB-c2CR-jpkwNw5OyQF4rQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Date: Fri, 23 Dec 2022 23:20:35 GMT
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
DNS

accounts.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

172.217.168.237
GET

https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:34 GMT
Location: https://accounts.google.com/v3/signin/identifier?dsh=S1426493874%3A1671837634529134&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh6wkcTpcseJ2NuSM2f3dWyAfyIblyeiuOD-rMaj_IVkf33ukaza2ufFjSHRyLELVHja517lqw
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"
Content-Security-Policy: script-src 'report-sample' 'nonce-siU9M5sqKQM8t4LPsLBVcg' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
Report-To: {"group":"coop_gse_qebhlk","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_qebhlk"}]}
Content-Length: 652
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: __Host-GAPS=1:xMxrtUMgf11HkcMFHLa6jWlLBN_Yhg:H7c-AdeN_ljAWQDy;Path=/;Expires=Sun, 22-Dec-2024 23:20:34 GMT;Secure;HttpOnly;Priority=HIGH
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
GET

https://accounts.google.com/v3/signin/identifier?dsh=S1426493874%3A1671837634529134&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh6wkcTpcseJ2NuSM2f3dWyAfyIblyeiuOD-rMaj_IVkf33ukaza2ufFjSHRyLELVHja517lqw

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /v3/signin/identifier?dsh=S1426493874%3A1671837634529134&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh6wkcTpcseJ2NuSM2f3dWyAfyIblyeiuOD-rMaj_IVkf33ukaza2ufFjSHRyLELVHja517lqw HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1:xMxrtUMgf11HkcMFHLa6jWlLBN_Yhg:H7c-AdeN_ljAWQDy

Response

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
x-auto-login: realm=com.google&args=service%3Dwise%26continue%3Dhttps://docs.google.com/uc?id%253D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%2526export%253Ddownload
Link: <https://www.google.com/intl/en-US/drive/>; rel="canonical"
x-ua-compatible: IE=edge
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:34 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-HJSpfBpOFDaAc835Fc8qDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self'
Report-To: {"group":"AccountsSignInUi","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/AccountsSignInUi/external"}]}
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="AccountsSignInUi"
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Resource-Policy: same-site
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Transfer-Encoding: chunked
GET

https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1:xMxrtUMgf11HkcMFHLa6jWlLBN_Yhg:H7c-AdeN_ljAWQDy

Response

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:34 GMT
Location: https://accounts.google.com/v3/signin/identifier?dsh=S-1291780961%3A1671837634909897&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7ChTZ-3hnjDtPRczqu5Y2FJI8pt42dDOAU_uzTcRVGr_WnKS79U8wQlTjzFSbMS_7Wzexl9A
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: script-src 'report-sample' 'nonce-2foDQ86Z4_vFmNnTnjLHwQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"
Report-To: {"group":"coop_gse_qebhlk","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_qebhlk"}]}
Content-Length: 653
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
GET

https://accounts.google.com/v3/signin/identifier?dsh=S-1291780961%3A1671837634909897&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7ChTZ-3hnjDtPRczqu5Y2FJI8pt42dDOAU_uzTcRVGr_WnKS79U8wQlTjzFSbMS_7Wzexl9A

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /v3/signin/identifier?dsh=S-1291780961%3A1671837634909897&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7ChTZ-3hnjDtPRczqu5Y2FJI8pt42dDOAU_uzTcRVGr_WnKS79U8wQlTjzFSbMS_7Wzexl9A HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1:xMxrtUMgf11HkcMFHLa6jWlLBN_Yhg:H7c-AdeN_ljAWQDy

Response

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
x-auto-login: realm=com.google&args=service%3Dwise%26continue%3Dhttps://docs.google.com/uc?id%253D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%2526export%253Ddownload
Link: <https://www.google.com/intl/en-US/drive/>; rel="canonical"
x-ua-compatible: IE=edge
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:34 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: script-src 'report-sample' 'nonce-05xGttXVW1wB7VnH_i42Mw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
Cross-Origin-Resource-Policy: same-site
Cross-Origin-Opener-Policy-Report-Only: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Transfer-Encoding: chunked
GET

https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1:xMxrtUMgf11HkcMFHLa6jWlLBN_Yhg:H7c-AdeN_ljAWQDy

Response

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:35 GMT
Location: https://accounts.google.com/v3/signin/identifier?dsh=S167995933%3A1671837635236983&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7Q9xg7Z2g4euCZvZiX3JetIc5dyPv_c-ReEbdM83k5-E3K1BLZf02PPrLUALE74R1ylM8a
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-waKuwZCbkNVhqeC2VN50Qw' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"
Report-To: {"group":"coop_gse_qebhlk","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_qebhlk"}]}
Content-Length: 649
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: __Host-GAPS=1:Ozow3yMApRGECTCLyoNM7Sf2T7hFmw:XyLStCVvfocYqUns;Path=/;Expires=Sun, 22-Dec-2024 23:20:35 GMT;Secure;HttpOnly;Priority=HIGH
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
GET

https://accounts.google.com/v3/signin/identifier?dsh=S167995933%3A1671837635236983&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7Q9xg7Z2g4euCZvZiX3JetIc5dyPv_c-ReEbdM83k5-E3K1BLZf02PPrLUALE74R1ylM8a

Synaptics.exe

Remote address:

172.217.168.237:443

Request

GET /v3/signin/identifier?dsh=S167995933%3A1671837635236983&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7Q9xg7Z2g4euCZvZiX3JetIc5dyPv_c-ReEbdM83k5-E3K1BLZf02PPrLUALE74R1ylM8a HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1:Ozow3yMApRGECTCLyoNM7Sf2T7hFmw:XyLStCVvfocYqUns

Response

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
x-auto-login: realm=com.google&args=service%3Dwise%26continue%3Dhttps://docs.google.com/uc?id%253D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%2526export%253Ddownload
Link: <https://www.google.com/intl/en-US/drive/>; rel="canonical"
x-ua-compatible: IE=edge
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 23 Dec 2022 23:20:35 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-BpT4uEyPQSHy_0DCG7nOeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy-Report-Only: same-origin
Cross-Origin-Resource-Policy: same-site
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Transfer-Encoding: chunked

106.52.15.123:80

._cache_file.exe

260 B
200 B
5
5
47.93.60.63:80

http

._cache_file.exe

1.1kB
420 B
11
10
69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

706 B
415 B
12
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
52.178.17.2:443

322 B
7
104.80.225.205:443

322 B
7
67.24.27.254:80

322 B
7
67.24.27.254:80

322 B
7
67.24.27.254:80

322 B
7
52.109.12.20:443

322 B
7
142.250.179.206:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.6kB
12.1kB
19
17

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

302

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

302

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

302
172.217.168.237:443

https://accounts.google.com/v3/signin/identifier?dsh=S167995933%3A1671837635236983&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7Q9xg7Z2g4euCZvZiX3JetIc5dyPv_c-ReEbdM83k5-E3K1BLZf02PPrLUALE74R1ylM8a

tls, http

Synaptics.exe

21.2kB
475.9kB
386
384

HTTP Request

GET https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

HTTP Response

302

HTTP Request

GET https://accounts.google.com/v3/signin/identifier?dsh=S1426493874%3A1671837634529134&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh6wkcTpcseJ2NuSM2f3dWyAfyIblyeiuOD-rMaj_IVkf33ukaza2ufFjSHRyLELVHja517lqw

HTTP Response

200

HTTP Request

GET https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

HTTP Response

302

HTTP Request

GET https://accounts.google.com/v3/signin/identifier?dsh=S-1291780961%3A1671837634909897&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7ChTZ-3hnjDtPRczqu5Y2FJI8pt42dDOAU_uzTcRVGr_WnKS79U8wQlTjzFSbMS_7Wzexl9A

HTTP Response

200

HTTP Request

GET https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https://docs.google.com/uc?id%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload

HTTP Response

302

HTTP Request

GET https://accounts.google.com/v3/signin/identifier?dsh=S167995933%3A1671837635236983&continue=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&followup=https%3A%2F%2Fdocs.google.com%2Fuc%3Fid%3D0BxsMXGfPIZfSVlVsOGlEVGxuZVk%26export%3Ddownload&passive=1209600&service=wise&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AeAAQh7Q9xg7Z2g4euCZvZiX3JetIc5dyPv_c-ReEbdM83k5-E3K1BLZf02PPrLUALE74R1ylM8a

HTTP Response

200

8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
224.0.0.251:5353

114 B
2
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.179.206
8.8.8.8:53

accounts.google.com

dns

Synaptics.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

172.217.168.237

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\btVGFDHT.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/1416-143-0x00007FF975EB0000-0x00007FF975EC0000-memory.dmp

Filesize
64KB

Download
memory/1416-141-0x00007FF975EB0000-0x00007FF975EC0000-memory.dmp

Filesize
64KB

Download
memory/1416-142-0x00007FF975EB0000-0x00007FF975EC0000-memory.dmp

Filesize
64KB

Download
memory/1416-144-0x00007FF975EB0000-0x00007FF975EC0000-memory.dmp

Filesize
64KB

Download
memory/1416-145-0x00007FF975EB0000-0x00007FF975EC0000-memory.dmp

Filesize
64KB

Download
memory/1416-146-0x00007FF973C90000-0x00007FF973CA0000-memory.dmp

Filesize
64KB

Download
memory/1416-147-0x00007FF973C90000-0x00007FF973CA0000-memory.dmp

Filesize
64KB

Download
memory/4752-138-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download