Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 01:28
Behavioral task
behavioral1
Sample
a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe
Resource
win10v2004-20241007-en
General
-
Target
a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe
-
Size
753KB
-
MD5
598eeea34796e03d22c7864c6a2c0960
-
SHA1
96ec19164b595397ff0762a0e3cb2c4d9a5a6754
-
SHA256
a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649
-
SHA512
a4901743f8d597684ca4e80973aebb41c2baf2ba7654a411d5bd5644f0b0e98aecf25b2c995f4b51e31ac6066fb80baeb0ad36674438b147e4515c4ad85a1713
-
SSDEEP
12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Isr:ansJ39LyjbJkQFMhmC+6GD9X
Malware Config
Extracted
xred
xred.mooo.com
-
email
xredline1@gmail.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe -
Executes dropped EXE 1 IoCs
pid Process 1972 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4444 wrote to memory of 1972 4444 a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe 83 PID 4444 wrote to memory of 1972 4444 a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe 83 PID 4444 wrote to memory of 1972 4444 a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe"C:\Users\Admin\AppData\Local\Temp\a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
GEThttp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Synaptics.exeRemote address:69.42.215.252:80RequestGET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 01:28:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request252.215.42.69.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request252.215.42.69.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A216.58.214.174
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:49 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-kSJpTdJZI0ALSXWB_gXbIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:50 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-XeJnRUcxgeGk9Q5q4WME_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:50 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-_hMUp-m5Be-c4pDPLTFLNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
Remote address:142.250.179.67:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 20 Dec 2024 00:58:52 GMT
Expires: Fri, 20 Dec 2024 01:48:52 GMT
Cache-Control: public, max-age=3000
Age: 1857
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxikSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxik HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Fri, 20 Dec 2024 01:23:53 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 356
-
GEThttp://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3DSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Fri, 20 Dec 2024 01:06:25 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 1404
-
Remote address:8.8.8.8:53Request67.179.250.142.in-addr.arpaIN PTRResponse67.179.250.142.in-addr.arpaIN PTRpar21s19-in-f31e100net
-
Remote address:8.8.8.8:53Request174.214.58.216.in-addr.arpaIN PTRResponse174.214.58.216.in-addr.arpaIN PTRpar10s42-in-f141e100net174.214.58.216.in-addr.arpaIN PTRmad01s26-in-f174�I174.214.58.216.in-addr.arpaIN PTRmad01s26-in-f14�I
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.74.225
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:49 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'report-sample' 'nonce-Gaawz-z-92sAAJz0axTmyg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns; expires=Sat, 21-Jun-2025 01:29:49 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:50 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-QgQik5pPqk-UUxVWl6mV-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 20 Dec 2024 01:29:50 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-rhEJK5hsqtmvnmV5kpKVhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
Remote address:8.8.8.8:53Request225.74.250.142.in-addr.arpaIN PTRResponse225.74.250.142.in-addr.arpaIN PTRpar10s40-in-f11e100net
-
Remote address:8.8.8.8:53Request22.236.111.52.in-addr.arpaIN PTRResponse
-
69.42.215.252:80http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978httpSynaptics.exe614 B 455 B 10 5
HTTP Request
GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978HTTP Response
200 -
216.58.214.174:443https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe1.9kB 11.3kB 16 14
HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303 -
303 B 1.7kB 4 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
142.250.179.67:80http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3DhttpSynaptics.exe738 B 1.6kB 6 4
HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxikHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3DHTTP Response
200 -
142.250.74.225:443https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.4kB 14.7kB 23 21
HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
128 B 160 B 2 2
DNS Request
freedns.afraid.org
DNS Request
freedns.afraid.org
DNS Response
69.42.215.252
DNS Response
69.42.215.252
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
114 B 2
-
144 B 144 B 2 2
DNS Request
252.215.42.69.in-addr.arpa
DNS Request
252.215.42.69.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
docs.google.com
DNS Response
216.58.214.174
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.67
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
142.250.179.67
-
73 B 111 B 1 1
DNS Request
67.179.250.142.in-addr.arpa
-
73 B 173 B 1 1
DNS Request
174.214.58.216.in-addr.arpa
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.74.225
-
73 B 111 B 1 1
DNS Request
225.74.250.142.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753KB
MD5598eeea34796e03d22c7864c6a2c0960
SHA196ec19164b595397ff0762a0e3cb2c4d9a5a6754
SHA256a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649
SHA512a4901743f8d597684ca4e80973aebb41c2baf2ba7654a411d5bd5644f0b0e98aecf25b2c995f4b51e31ac6066fb80baeb0ad36674438b147e4515c4ad85a1713