Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
22/11/2024, 15:05 UTC
Behavioral task
behavioral1
Sample
f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe
Resource
win10v2004-20241007-en
General
-
Target
f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe
-
Size
1.7MB
-
MD5
59fdd620fc7cd0cdb4ea8347c8a64980
-
SHA1
15cd837855597e4b96531a041e412e6d417ee07a
-
SHA256
f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890
-
SHA512
780195acc367e86c774bc4be7d5bce81b0990ac081ee7507e9d66dbdc773b01a8d4cf78ac7f0119333f755bb1b21df0096a11f9206f8d01409f73de24d626e6c
-
SSDEEP
49152:LnsHyjtk2MYC5GDXY80D4YSbxIWvbqmmdtL4i96UM:Lnsmtk2auYRmbSIKSi9Q
Malware Config
Extracted
xred
xred.mooo.com
-
email
xredline1@gmail.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Executes dropped EXE 3 IoCs
pid Process 2072 ._cache_f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 2816 Synaptics.exe 2652 ._cache_Synaptics.exe -
Loads dropped DLL 7 IoCs
pid Process 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 2816 Synaptics.exe 2816 Synaptics.exe 2816 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe -
resource yara_rule behavioral1/files/0x00080000000120fe-4.dat upx behavioral1/memory/1308-20-0x00000000061B0000-0x0000000007823000-memory.dmp upx behavioral1/memory/2072-24-0x0000000000400000-0x0000000001A73000-memory.dmp upx behavioral1/memory/2072-31-0x0000000000400000-0x0000000001A73000-memory.dmp upx behavioral1/memory/2652-45-0x0000000000400000-0x0000000001A73000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2780 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2780 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1308 wrote to memory of 2072 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 29 PID 1308 wrote to memory of 2072 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 29 PID 1308 wrote to memory of 2072 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 29 PID 1308 wrote to memory of 2072 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 29 PID 1308 wrote to memory of 2816 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 30 PID 1308 wrote to memory of 2816 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 30 PID 1308 wrote to memory of 2816 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 30 PID 1308 wrote to memory of 2816 1308 f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe 30 PID 2816 wrote to memory of 2652 2816 Synaptics.exe 31 PID 2816 wrote to memory of 2652 2816 Synaptics.exe 31 PID 2816 wrote to memory of 2652 2816 Synaptics.exe 31 PID 2816 wrote to memory of 2652 2816 Synaptics.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe"C:\Users\Admin\AppData\Local\Temp\f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\._cache_f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2780
Network
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
GEThttp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Synaptics.exeRemote address:69.42.215.252:80RequestGET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 22 Nov 2024 15:06:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A142.250.187.206
-
Remote address:8.8.8.8:53Requestdocs.google.comIN A
-
Remote address:142.250.187.206:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:20 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-WYCwry9ZUSKZ9rgtS14cKw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:142.250.187.206:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=519=wd2yjNX-nwMuJBwMVNhxujZkNsPBR0cGw94zhgUiGRwUgeaNYk_39JG_mBqbpzoG5b_mDRij1kmMwD88s6MLIW0NHU7t4xt8WX02Xjy7-a2DTOlijJoyl0yBv9lplJMx-X1FUBx1zb6GMJUYLoGIL5ZXowAbswK0maLEUsRZ5Q1-tDs
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:22 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-dGkH3TCGav44f_SYGvVVPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:142.250.187.206:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=519=wd2yjNX-nwMuJBwMVNhxujZkNsPBR0cGw94zhgUiGRwUgeaNYk_39JG_mBqbpzoG5b_mDRij1kmMwD88s6MLIW0NHU7t4xt8WX02Xjy7-a2DTOlijJoyl0yBv9lplJMx-X1FUBx1zb6GMJUYLoGIL5ZXowAbswK0maLEUsRZ5Q1-tDs
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:22 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-14eTP1iTjFwEzUxAw_0UTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.200.3
-
Remote address:142.250.200.3:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 22 Nov 2024 15:00:53 GMT
Expires: Fri, 22 Nov 2024 15:50:53 GMT
Cache-Control: public, max-age=3000
Age: 377
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:142.250.200.3:80RequestGET /wr2/oQ6nyr8F0m0.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 11681
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 22 Nov 2024 14:45:07 GMT
Expires: Fri, 22 Nov 2024 15:35:07 GMT
Cache-Control: public, max-age=3000
Age: 1333
Last-Modified: Fri, 22 Nov 2024 12:19:29 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.200.3
-
Remote address:8.8.8.8:53Requesto.pki.googIN A
-
GEThttp://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3DSynaptics.exeRemote address:142.250.200.3:80RequestGET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Fri, 22 Nov 2024 14:56:16 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 667
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.179.225
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.179.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com
ResponseHTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:21 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-sCSDQBuyD6KyccBgk-FaFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
X-GUploader-UploadID: AFiumC4GYxXo47egGjodRnQG3g82udwcVulsuNob4F6qv0drXkTXsKe9eBSr98ULiVN85G1iOQ
Server: UploadServer
Set-Cookie: NID=519=wd2yjNX-nwMuJBwMVNhxujZkNsPBR0cGw94zhgUiGRwUgeaNYk_39JG_mBqbpzoG5b_mDRij1kmMwD88s6MLIW0NHU7t4xt8WX02Xjy7-a2DTOlijJoyl0yBv9lplJMx-X1FUBx1zb6GMJUYLoGIL5ZXowAbswK0maLEUsRZ5Q1-tDs; expires=Sat, 24-May-2025 15:07:21 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.179.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=519=wd2yjNX-nwMuJBwMVNhxujZkNsPBR0cGw94zhgUiGRwUgeaNYk_39JG_mBqbpzoG5b_mDRij1kmMwD88s6MLIW0NHU7t4xt8WX02Xjy7-a2DTOlijJoyl0yBv9lplJMx-X1FUBx1zb6GMJUYLoGIL5ZXowAbswK0maLEUsRZ5Q1-tDs
ResponseHTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:22 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-aZr8bX5TXMg7yV3BYH3O9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
X-GUploader-UploadID: AFiumC6UjE2_T-e-XwLu_MUbnW-gjru0-MQ1CjwYz48dq_Y68I3cqoW1SynbFqu9JSwSsLIxXSWVxFzpEw
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.179.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=519=wd2yjNX-nwMuJBwMVNhxujZkNsPBR0cGw94zhgUiGRwUgeaNYk_39JG_mBqbpzoG5b_mDRij1kmMwD88s6MLIW0NHU7t4xt8WX02Xjy7-a2DTOlijJoyl0yBv9lplJMx-X1FUBx1zb6GMJUYLoGIL5ZXowAbswK0maLEUsRZ5Q1-tDs
ResponseHTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 22 Nov 2024 15:07:22 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-q7QdvrVSYIs9v2V-G1JSOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
X-GUploader-UploadID: AFiumC5S9veJOz80UXpKfo9q0jKz8umdEFA24IkXuvhbDOspPOBg-8TVuBJH6iaX3HSXBt9TJA
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A88.221.125.143
-
Remote address:88.221.125.143:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: 07881189-401e-0066-0def-2b18ca000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 22 Nov 2024 15:07:52 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCVf701151b.0
ms-cv-esi: CASMicrosoftCVf701151b.0
X-RTag: RT
-
Remote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.22.242.90a1363.dscg.akamai.netIN A2.22.242.121
-
Remote address:2.22.242.90:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2f2eac58-a01e-0051-45c8-0fca66000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 22 Nov 2024 15:07:52 GMT
Connection: keep-alive
-
69.42.215.252:80http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978httpSynaptics.exe522 B 415 B 8 4
HTTP Request
GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978HTTP Response
200 -
142.250.187.206:443https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.3kB 14.0kB 16 17
HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303 -
911 B 14.6kB 12 15
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200HTTP Request
GET http://c.pki.goog/wr2/oQ6nyr8F0m0.crlHTTP Response
200 -
142.250.200.3:80http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3DhttpSynaptics.exe948 B 2.4kB 10 6
HTTP Request
GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3DHTTP Response
200 -
142.250.179.225:443https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.6kB 15.1kB 19 24
HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404 -
393 B 1.7kB 4 4
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
451 B 1.8kB 5 5
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
64 B 80 B 1 1
DNS Request
freedns.afraid.org
DNS Response
69.42.215.252
-
122 B 77 B 2 1
DNS Request
docs.google.com
DNS Request
docs.google.com
DNS Response
142.250.187.206
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.200.3
-
112 B 107 B 2 1
DNS Request
o.pki.goog
DNS Request
o.pki.goog
DNS Response
142.250.200.3
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.179.225
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
88.221.125.143
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
2.22.242.902.22.242.121
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD559fdd620fc7cd0cdb4ea8347c8a64980
SHA115cd837855597e4b96531a041e412e6d417ee07a
SHA256f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890
SHA512780195acc367e86c774bc4be7d5bce81b0990ac081ee7507e9d66dbdc773b01a8d4cf78ac7f0119333f755bb1b21df0096a11f9206f8d01409f73de24d626e6c
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
22KB
MD5e8386b5a99af424521e550b5ff399339
SHA12aa6628c1f3ea28e8578f1e4933bfb733939ad1a
SHA256562464a421b3170d7ff36b923133654b5c9375f293f39e82c88e397cc60aa6e2
SHA51276d5ab1caa5909630b8229a3e4a29b573b4bfae8f1691f2bdf1be4a1177b59e472a990fd6718b5f193d09ee4b93e6b4ce15eba95557322f29ceb97faf15f78f6
-
\Users\Admin\AppData\Local\Temp\._cache_f227884cd69a338634b62d15306a2722c4e09e441bd6be2ace6f1b8025b91890N.exe
Filesize979KB
MD58ce50fc290bed7711d97b16d5ffb49f6
SHA159cdc83c4d5f32ca1d5bdc32fe6656fadb27a72f
SHA256023b628b690f5185604fc7218dc4e9842604c7bd9f2e2c065f9360255cb39e49
SHA512455905bf556e9629c4ad1eea48ab1c4aa471462f289a74fbe6a06071a58e8cad2a31b686bd39e62e2e15be9bab2e64ea6c52d829738519eb159ca59609fc1ef9