Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

67f9319df9...dN.exe

windows7-x64

10

67f9319df9...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2024, 19:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe

  • Size

    1.2MB

  • MD5

    b01019338cf3b3f4cf0649714f1ce510

  • SHA1

    fd14d401700f0cd2605b2fa737be6ed3be18bb90

  • SHA256

    67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1ed

  • SHA512

    587f3fbe215e454bceb6c5e1e6a36fb3db7b46c718eccfa4cb10b697496600fd9ff85915ffdcd9b1618c95184d58e583114c76662a313cb826e781dbbba809ae

  • SSDEEP

    12288:LMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9L6XH02xXd4F2xXd4f2xXP:LnsJ39LyjbJkQFMhmC+6GD924O4YP1

Score
10/10
xredbackdoordiscoverymacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe
    "C:\Users\Admin\AppData\Local\Temp\67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\._cache_67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe"
      2⤵
      • Executes dropped EXE
      PID:2804
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        PID:2564
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1212

Network

  • flag-us
    DNS
    xred.mooo.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    xred.mooo.com
    IN A
    Response
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    GET
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    Synaptics.exe
    Remote address:
    69.42.215.252:80
    Request
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 25 Nov 2024 19:16:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
  • flag-us
    DNS
    docs.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    142.250.187.206
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:17 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-qQhJ_1T7qJ0jD0BZ0mWoRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=519=OaYjnRTw9h2k-CbIs9EmtGGDPsrJ0Jl8lN8qQV_2g0SsIebUvuwbjhJgAPSEy0AvdjtENx4TXObYOiQFODSy5PBYUP9d1LJbU12jMVl-x2mHf4f9e-LP2AQTsDaiin7cuix391hzUowsoEksszrluEVuNgwaXqZOLa9JsnSOeJlxEjCW
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:18 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-lHDyVvSQlWpgC9WaRA-YOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=519=OaYjnRTw9h2k-CbIs9EmtGGDPsrJ0Jl8lN8qQV_2g0SsIebUvuwbjhJgAPSEy0AvdjtENx4TXObYOiQFODSy5PBYUP9d1LJbU12jMVl-x2mHf4f9e-LP2AQTsDaiin7cuix391hzUowsoEksszrluEVuNgwaXqZOLa9JsnSOeJlxEjCW
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:18 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-EZywpwZ1Y7W6t5vhDEk0_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 25 Nov 2024 18:37:15 GMT
    Expires: Mon, 25 Nov 2024 19:27:15 GMT
    Cache-Control: public, max-age=3000
    Age: 2402
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 25 Nov 2024 19:11:49 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 328
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 25 Nov 2024 18:30:35 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2803
  • flag-us
    DNS
    drive.usercontent.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.179.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:18 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-s7hQ4RsPyji0M7JJZN9dRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC61KgN-PeqY6i0JpkQpaIVMZz_npMx8Nu1Q2n67W0Qvv6dNVTt0ymVpDUovDBXZUeiDWe35z8UXYA
    Server: UploadServer
    Set-Cookie: NID=519=OaYjnRTw9h2k-CbIs9EmtGGDPsrJ0Jl8lN8qQV_2g0SsIebUvuwbjhJgAPSEy0AvdjtENx4TXObYOiQFODSy5PBYUP9d1LJbU12jMVl-x2mHf4f9e-LP2AQTsDaiin7cuix391hzUowsoEksszrluEVuNgwaXqZOLa9JsnSOeJlxEjCW; expires=Tue, 27-May-2025 19:17:18 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: drive.usercontent.google.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Cookie: NID=519=OaYjnRTw9h2k-CbIs9EmtGGDPsrJ0Jl8lN8qQV_2g0SsIebUvuwbjhJgAPSEy0AvdjtENx4TXObYOiQFODSy5PBYUP9d1LJbU12jMVl-x2mHf4f9e-LP2AQTsDaiin7cuix391hzUowsoEksszrluEVuNgwaXqZOLa9JsnSOeJlxEjCW
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:18 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce-EEQPoBIklTSKFF8ZgG9s6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC43W9UMDwt1M3s75hJPVUUPYDqLoc_htYfZW_hHjKUIg9TyXSaRfpvSngDwRCVOX0uI0iVPL36udA
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: drive.usercontent.google.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Cookie: NID=519=OaYjnRTw9h2k-CbIs9EmtGGDPsrJ0Jl8lN8qQV_2g0SsIebUvuwbjhJgAPSEy0AvdjtENx4TXObYOiQFODSy5PBYUP9d1LJbU12jMVl-x2mHf4f9e-LP2AQTsDaiin7cuix391hzUowsoEksszrluEVuNgwaXqZOLa9JsnSOeJlxEjCW
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 19:17:18 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-0LLXNY205tmdILhzqJvZiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC46Ec51CcaYf6p8yOl1cme4DKjq2MHfaVIEgErmNSl1UkZLdUDBaSrmdpWQgd1EwyZrt7Av1R6Ong
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    23.192.22.93
  • flag-us
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    23.192.22.93:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: 05a633fe-d01e-0029-2bf2-2b699e000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 25 Nov 2024 19:17:48 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV29740219.0
    ms-cv-esi: CASMicrosoftCV29740219.0
    X-RTag: RT
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    88.221.134.146
    a1363.dscg.akamai.net
    IN A
    88.221.134.83
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    88.221.134.146:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 8b44f4f2-401e-0014-5ac7-0f1f85000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 25 Nov 2024 19:17:48 GMT
    Connection: keep-alive
  • 69.42.215.252:80
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    http
    Synaptics.exe
    430 B
     415 B
     6
    4

    HTTP Request

    GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    HTTP Response

    200
  • 142.250.187.206:443
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    1.8kB
     12.6kB
     14
    16

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303
  • 142.250.200.3:80
    http://c.pki.goog/r/r1.crl
    http
    Synaptics.exe
    302 B
     1.7kB
     4
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.200.3:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    http
    Synaptics.exe
    840 B
     3.1kB
     8
    6

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

    HTTP Response

    200
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.0kB
     14.5kB
     14
    21

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404
  • 23.192.22.93:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
     1.7kB
     4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 88.221.134.146:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
     1.7kB
     4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    xred.mooo.com
    dns
    Synaptics.exe
    59 B
     118 B
     1
    1

    DNS Request

    xred.mooo.com

  • 8.8.8.8:53
    freedns.afraid.org
    dns
    Synaptics.exe
    64 B
     80 B
     1
    1

    DNS Request

    freedns.afraid.org

    DNS Response

    69.42.215.252

  • 8.8.8.8:53
    docs.google.com
    dns
    Synaptics.exe
    61 B
     77 B
     1
    1

    DNS Request

    docs.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    c.pki.goog
    dns
    Synaptics.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    o.pki.goog
    dns
    Synaptics.exe
    56 B
     107 B
     1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Synaptics.exe
    74 B
     90 B
     1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.179.225

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
     230 B
     1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    23.192.22.93

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    88.221.134.146
    88.221.134.83

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.2MB

    MD5

    b01019338cf3b3f4cf0649714f1ce510

    SHA1

    fd14d401700f0cd2605b2fa737be6ed3be18bb90

    SHA256

    67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1ed

    SHA512

    587f3fbe215e454bceb6c5e1e6a36fb3db7b46c718eccfa4cb10b697496600fd9ff85915ffdcd9b1618c95184d58e583114c76662a313cb826e781dbbba809ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GOmSZreS.xlsm
    Filesize

    23KB

    MD5

    3396e99d5282b47f354fd2c39019eaaf

    SHA1

    0282d7ee213f25103ca4f113bb3579d475d0f1ef

    SHA256

    013396adfc7161bfbc0c8599199a7219bae329b421238d8c5403abfbd9bb7ed8

    SHA512

    2104725a82937f83991c1c4ac9d5d3e96e99f30a11eb46ff1a62a4dbb81312045e8896957120a66c29b9f275c8759aec17df22a1cc10ce22e61e01fe06d693cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GOmSZreS.xlsm
    Filesize

    28KB

    MD5

    e0f829efc249434374791f526a0f5d03

    SHA1

    4a5aa60b10d0cccea43b70bdb52f71ddef6ddbc4

    SHA256

    bdd2a80a6893a23f0d4d60669ba34b10b35498f891be194b0a6f386c651861b9

    SHA512

    c61dcbd545d1030e49885f53a41a4ce48402b1d7d49192a9c60449ea49349f5300cbf1df9978e9e03ab3a528e19262dd33bd6c00532b2e71073c3c0c93a781c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GOmSZreS.xlsm
    Filesize

    24KB

    MD5

    215ed4a57365b7df864971144d79bbf5

    SHA1

    8def99279b2d25ddbe6cc142344c7f4e2ea829bc

    SHA256

    3ee38d30cf7bfa9a10ccfc960fb7bb67d0e52a23b64f4634614ddf58ccd17eea

    SHA512

    3dfd5910d248ef85e774cd6b4bc92f1cf33f0733ff5034421d9ae8e5b03d31ca26b22847c774ef462dc5f9514309379e8cabb162d446d0439648b2ebc1ddde80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GOmSZreS.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GOmSZreS.xlsm
    Filesize

    28KB

    MD5

    d380f853096c86fe3f30145abc33e7a0

    SHA1

    40d78223efaac680b0144e63841b3f0c07da3636

    SHA256

    f851787ad0351d52ffbf748635daf4a13557c18d00f6dc88bd3409ce2c83d5cb

    SHA512

    2d2537d0f38f865501ec4a2cfd86d38dc99847a5d4a6f0655e686232769b2c6d424d285738f3bc6206daf84244ae1bcc12ffc9e3c59a0438a9f33b8222cb0b0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\config.cfg
    Filesize

    156B

    MD5

    fe085b3458dd3a7d99893b02bd50a774

    SHA1

    335dda65691d5c47a627c9a43436ffb1c40e2e52

    SHA256

    e21c7eeca30f927c6701cefd93528cba4e8bc3efd4a2ae5422a40e48ebcca62b

    SHA512

    f21bbb03271c70ae6c2c9b880368fc4f9389939a5e1c575a1b0d5f81803b2df84774f5d13a0877d4a9f622355969040f5afaada00f6b3c1d33bb438ed301a658

    Download Submit

  • C:\Users\Admin\Downloads\~$InitializePop.xlsx
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_67f9319df91221722d1f4ba0e2bebecc87a00dbbc13703d9fa728e58abe7e1edN.exe
    Filesize

    495KB

    MD5

    1060abe43d8543e6e0054809a66df602

    SHA1

    4ac3cf1e994d25c44d0f8a40e6e5d02bbda21390

    SHA256

    d94396429f54d074cd866f634381810935c4026b86a09fdfc9b7a8806de3cd5b

    SHA512

    a95b511f2b4fd6afaaeac7cbe9e423bbe086afb48922ae30c6e5a0401f6702f6f7ccea999569a7f5436beb6a53eb533d26973e2ee2c8bd73520dd061b2231ccf

    Download Submit

  • memory/1212-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1720-44-0x0000000000400000-0x000000000053E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1720-127-0x0000000000400000-0x000000000053E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1720-128-0x0000000000400000-0x000000000053E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1720-162-0x0000000000400000-0x000000000053E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1884-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1884-28-0x0000000000400000-0x000000000053E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2564-42-0x0000000000290000-0x0000000000310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2804-31-0x0000000000F60000-0x0000000000FE0000-memory.dmp

    Filesize

    512KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.