Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 01:28

General

  • Target

    a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe

  • Size

    753KB

  • MD5

    598eeea34796e03d22c7864c6a2c0960

  • SHA1

    96ec19164b595397ff0762a0e3cb2c4d9a5a6754

  • SHA256

    a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649

  • SHA512

    a4901743f8d597684ca4e80973aebb41c2baf2ba7654a411d5bd5644f0b0e98aecf25b2c995f4b51e31ac6066fb80baeb0ad36674438b147e4515c4ad85a1713

  • SSDEEP

    12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Isr:ansJ39LyjbJkQFMhmC+6GD9X

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe
    "C:\Users\Admin\AppData\Local\Temp\a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1972

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    xred.mooo.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    xred.mooo.com
    IN A
    Response
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    GET
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    Synaptics.exe
    Remote address:
    69.42.215.252:80
    Request
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 20 Dec 2024 01:28:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    docs.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    216.58.214.174
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:49 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-kSJpTdJZI0ALSXWB_gXbIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:50 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-XeJnRUcxgeGk9Q5q4WME_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:50 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-_hMUp-m5Be-c4pDPLTFLNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://c.pki.goog/r/r1.crl
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 20 Dec 2024 00:58:52 GMT
    Expires: Fri, 20 Dec 2024 01:48:52 GMT
    Cache-Control: public, max-age=3000
    Age: 1857
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxik
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxik HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Fri, 20 Dec 2024 01:23:53 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 356
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3D
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Fri, 20 Dec 2024 01:06:25 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1404
  • flag-us
    DNS
    67.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.179.250.142.in-addr.arpa
    IN PTR
    Response
    67.179.250.142.in-addr.arpa
    IN PTR
    par21s19-in-f31e100net
  • flag-us
    DNS
    174.214.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.214.58.216.in-addr.arpa
    IN PTR
    Response
    174.214.58.216.in-addr.arpa
    IN PTR
    par10s42-in-f141e100net
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f174�I
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f14�I
  • flag-us
    DNS
    drive.usercontent.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.74.225
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC60L46RZa43_33YKgkVLZx0wW6qdgT19pwsm5Citaxkdqe-F_knUFI9nnRzm5O7YBdkf2my2QA
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:49 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'report-sample' 'nonce-Gaawz-z-92sAAJz0axTmyg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns; expires=Sat, 21-Jun-2025 01:29:49 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7kuxtsQRhlGzzdfOtNGlGVYkkXiwRTorBTZIGuWWoiBXqvZo-dvWKstHK-zr2xYUdR5kceoV4
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:50 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-QgQik5pPqk-UUxVWl6mV-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=p48hHale7n0DM2DlO0T0r8H6JaidxwODMsQgMyRv_MmrCkoE0Z5jcpBqVV3BwGrNG_epWzdF-Jy-qi7W2r0BKo3jpVLxDODRX1oXIOFKvCd14190XNDO9UcUu5gRH24H5PIOU2npY1Nz0ZpCERXQPisrCeTIRxLPzYGbQeNo3qVYz-Ns
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5DSR4EFuYMMSz_vziFUVmMIUpzoSza1j2FhYQOYI61SEjqYDZVfTwDfyhaEBKpzw2eq7I9zp4
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 20 Dec 2024 01:29:50 GMT
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-rhEJK5hsqtmvnmV5kpKVhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-us
    DNS
    225.74.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.74.250.142.in-addr.arpa
    IN PTR
    Response
    225.74.250.142.in-addr.arpa
    IN PTR
    par10s40-in-f11e100net
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 69.42.215.252:80
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    http
    Synaptics.exe
    614 B
    455 B
    10
    5

    HTTP Request

    GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    HTTP Response

    200
  • 216.58.214.174:443
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    1.9kB
    11.3kB
    16
    14

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303
  • 142.250.179.67:80
    http://c.pki.goog/r/r1.crl
    http
    Synaptics.exe
    303 B
    1.7kB
    4
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.179.67:80
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3D
    http
    Synaptics.exe
    738 B
    1.6kB
    6
    4

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDIOoql8hHyJhDFZvyBCxik

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHyJphBGwReeEkiNdM8lXYY%3D

    HTTP Response

    200
  • 142.250.74.225:443
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.4kB
    14.7kB
    23
    21

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    xred.mooo.com
    dns
    Synaptics.exe
    59 B
    118 B
    1
    1

    DNS Request

    xred.mooo.com

  • 8.8.8.8:53
    freedns.afraid.org
    dns
    Synaptics.exe
    128 B
    160 B
    2
    2

    DNS Request

    freedns.afraid.org

    DNS Request

    freedns.afraid.org

    DNS Response

    69.42.215.252

    DNS Response

    69.42.215.252

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 224.0.0.251:5353
    114 B
    2
  • 8.8.8.8:53
    252.215.42.69.in-addr.arpa
    dns
    144 B
    144 B
    2
    2

    DNS Request

    252.215.42.69.in-addr.arpa

    DNS Request

    252.215.42.69.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    docs.google.com
    dns
    Synaptics.exe
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    216.58.214.174

  • 8.8.8.8:53
    c.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    o.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    67.179.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    67.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    174.214.58.216.in-addr.arpa
    dns
    73 B
    173 B
    1
    1

    DNS Request

    174.214.58.216.in-addr.arpa

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Synaptics.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.74.225

  • 8.8.8.8:53
    225.74.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    225.74.250.142.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    753KB

    MD5

    598eeea34796e03d22c7864c6a2c0960

    SHA1

    96ec19164b595397ff0762a0e3cb2c4d9a5a6754

    SHA256

    a034946ee3c9065122f567f837fa67c6572cfea04cd54da13a2955db6a533649

    SHA512

    a4901743f8d597684ca4e80973aebb41c2baf2ba7654a411d5bd5644f0b0e98aecf25b2c995f4b51e31ac6066fb80baeb0ad36674438b147e4515c4ad85a1713

  • memory/1972-65-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

    Filesize

    4KB

  • memory/1972-67-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

    Filesize

    4KB

  • memory/1972-66-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1972-75-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1972-91-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4444-0-0x0000000002470000-0x0000000002471000-memory.dmp

    Filesize

    4KB

  • memory/4444-64-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.