asyncrat | 66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769

Analysis

max time kernel
115s
max time network
116s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 05:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Size

9.7MB
MD5

fc76cc73d03473b15ebd3c8d10178690
SHA1

1b80580e5e4a48546d1fae6a606731ed767370b1
SHA256

66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769
SHA512

2b5305a28a9db127d971b1511de7ac43c94eccdeb65b51fad1ad15f7250903db5564a999c6c6948a0f0dbdf4326b12d5bfa4d7d4a801d5420e95e8cefa960e12
SSDEEP

49152:GX4ccCjDJiYu7sCJK0G6cfE11tCn+Tql12W88EDH9wm1n77BdEde9SW+iIiJHbQp:G6UZu5G6cf6M+Nb8ETBjwS

Score

10^/10

asyncrat venomrat xred default backdoor discovery macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

104.219.215.160:4449

104.219.215.160:8008

Mutex

jjzxklegwjqz

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

1
UQv2DMhdVoXHuJUYFZFAWRvUfc2gTA59

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 6 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x000b000000012280-19.dat	VenomRAT
behavioral1/files/0x0008000000015f25-125.dat	VenomRAT
behavioral1/memory/236-138-0x00000000009B0000-0x00000000009C8000-memory.dmp	VenomRAT
behavioral1/memory/2660-330-0x0000000000400000-0x00000000004D6000-memory.dmp	VenomRAT
behavioral1/memory/2660-334-0x0000000000400000-0x00000000004D6000-memory.dmp	VenomRAT
behavioral1/memory/2660-374-0x0000000000400000-0x00000000004D6000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015f25-125.dat	family_asyncrat

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001a4d5-271.dat

Executes dropped EXE 5 IoCs

pid	Process
1656	lshss.exe
2780	._cache_lshss.exe
2660	Synaptics.exe
236	._cache_Synaptics.exe
2304	vs_setup_bootstrapper.exe

Loads dropped DLL 36 IoCs

pid	Process
1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
1656	lshss.exe
1656	lshss.exe
1656	lshss.exe
1656	lshss.exe
2660	Synaptics.exe
2660	Synaptics.exe
2780	._cache_lshss.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe
2304	vs_setup_bootstrapper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	lshss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lshss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_lshss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1688	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
236	._cache_Synaptics.exe
236	._cache_Synaptics.exe
236	._cache_Synaptics.exe
236	._cache_Synaptics.exe
236	._cache_Synaptics.exe
236	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
Token: SeDebugPrivilege	236	._cache_Synaptics.exe
Token: SeDebugPrivilege	2304	vs_setup_bootstrapper.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	EXCEL.EXE
236	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1776	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	30
PID 1736 wrote to memory of 1776	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	30
PID 1736 wrote to memory of 1776	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	30
PID 1736 wrote to memory of 1776	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	30
PID 1776 wrote to memory of 2324	1776	csc.exe	32
PID 1776 wrote to memory of 2324	1776	csc.exe	32
PID 1776 wrote to memory of 2324	1776	csc.exe	32
PID 1776 wrote to memory of 2324	1776	csc.exe	32
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1736 wrote to memory of 1656	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	33
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1656 wrote to memory of 2780	1656	lshss.exe	34
PID 1736 wrote to memory of 2828	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	35
PID 1736 wrote to memory of 2828	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	35
PID 1736 wrote to memory of 2828	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	35
PID 1736 wrote to memory of 2828	1736	66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe	35
PID 1656 wrote to memory of 2660	1656	lshss.exe	36
PID 1656 wrote to memory of 2660	1656	lshss.exe	36
PID 1656 wrote to memory of 2660	1656	lshss.exe	36
PID 1656 wrote to memory of 2660	1656	lshss.exe	36
PID 2660 wrote to memory of 236	2660	Synaptics.exe	37
PID 2660 wrote to memory of 236	2660	Synaptics.exe	37
PID 2660 wrote to memory of 236	2660	Synaptics.exe	37
PID 2660 wrote to memory of 236	2660	Synaptics.exe	37
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2780 wrote to memory of 2304	2780	._cache_lshss.exe	38
PID 2304 wrote to memory of 2224	2304	vs_setup_bootstrapper.exe	40
PID 2304 wrote to memory of 2224	2304	vs_setup_bootstrapper.exe	40
PID 2304 wrote to memory of 2224	2304	vs_setup_bootstrapper.exe	40
PID 2304 wrote to memory of 2224	2304	vs_setup_bootstrapper.exe	40

C:\Users\Admin\AppData\Local\Temp\66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe
"C:\Users\Admin\AppData\Local\Temp\66fccea15a5cf5c0893f0529156e3d59fbd88f992366a03606346cc35047f769N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yssyzge1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA526.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA525.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Users\Admin\AppData\Roaming\lshss.exe
  C:\Users\Admin\AppData\Roaming\lshss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\getmac.exe
        
        "getmac"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:236
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 524
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1688

Network

DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

az700632.vo.msecnd.net

vs_setup_bootstrapper.exe

Remote address:

8.8.8.8:53

Request

az700632.vo.msecnd.net

IN A

Response

az700632.vo.msecnd.net

IN CNAME

az700632-pme.azureedge.net

az700632-pme.azureedge.net

IN CNAME

az700632-pme.ec.azureedge.net

az700632-pme.ec.azureedge.net

IN CNAME

cs9.wpc.v0cdn.net

cs9.wpc.v0cdn.net

IN A

152.199.19.161
DNS

az667904.vo.msecnd.net

vs_setup_bootstrapper.exe

Remote address:

8.8.8.8:53

Request

az667904.vo.msecnd.net

IN A

Response

az667904.vo.msecnd.net

IN CNAME

az667904-pme.azureedge.net

az667904-pme.azureedge.net

IN CNAME

az667904-pme.ec.azureedge.net

az667904-pme.ec.azureedge.net

IN CNAME

cs9.wpc.v0cdn.net

cs9.wpc.v0cdn.net

IN A

152.199.19.161
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 22 Dec 2024 05:02:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

vortex.data.microsoft.com

vs_setup_bootstrapper.exe

Remote address:

8.8.8.8:53

Request

vortex.data.microsoft.com

IN A

Response

vortex.data.microsoft.com

IN CNAME

asimov.vortex.data.trafficmanager.net

asimov.vortex.data.trafficmanager.net

IN CNAME

onedscolprdcus08.centralus.cloudapp.azure.com

onedscolprdcus08.centralus.cloudapp.azure.com

IN A

104.208.16.88
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

216.58.214.174
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.214.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:33 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-Qm2_4FVhmJtjdfKayvozkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.214.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=TUvGKiow0zcBdTOr2ZaQ6_XNGKC11J4faqwye2RFOO4ciCUJYEjiaNVW86fKTS9TkZZVhJAksLBEQMRq0vmfAcfd5Yyl-yWz9DPbGHTr1oIG5D9PTf_nWHtdOxbtzpLIccivN3iJ-O9OaTC4sHoxPaAjXFJJaz23c6NzYPEL3aA8Thg

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:34 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-n-SAEBygsX10XaotAfTEyA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.214.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=TUvGKiow0zcBdTOr2ZaQ6_XNGKC11J4faqwye2RFOO4ciCUJYEjiaNVW86fKTS9TkZZVhJAksLBEQMRq0vmfAcfd5Yyl-yWz9DPbGHTr1oIG5D9PTf_nWHtdOxbtzpLIccivN3iJ-O9OaTC4sHoxPaAjXFJJaz23c6NzYPEL3aA8Thg

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:35 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-GRW6yrMqP1NWru9YpOpbsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://c.pki.goog/r/r1.crl

Synaptics.exe

Remote address:

142.250.179.67:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 22 Dec 2024 04:37:54 GMT
Expires: Sun, 22 Dec 2024 05:27:54 GMT
Cache-Control: public, max-age=3000
Age: 1539
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

Synaptics.exe

Remote address:

142.250.179.67:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 22 Dec 2024 04:28:23 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2110
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

Synaptics.exe

Remote address:

142.250.179.67:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 22 Dec 2024 04:26:47 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2207
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.74.225
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.74.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC4wMHpg2LZhJALHLUz89vWbBvsyBMCaLmLRqeEu9h3BBh4vrNvkpvB2P9qjjKvAisp3
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:34 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-bHLztKfJqy5O_sIAOLcDYQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=TUvGKiow0zcBdTOr2ZaQ6_XNGKC11J4faqwye2RFOO4ciCUJYEjiaNVW86fKTS9TkZZVhJAksLBEQMRq0vmfAcfd5Yyl-yWz9DPbGHTr1oIG5D9PTf_nWHtdOxbtzpLIccivN3iJ-O9OaTC4sHoxPaAjXFJJaz23c6NzYPEL3aA8Thg; expires=Mon, 23-Jun-2025 05:03:34 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.74.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=520=TUvGKiow0zcBdTOr2ZaQ6_XNGKC11J4faqwye2RFOO4ciCUJYEjiaNVW86fKTS9TkZZVhJAksLBEQMRq0vmfAcfd5Yyl-yWz9DPbGHTr1oIG5D9PTf_nWHtdOxbtzpLIccivN3iJ-O9OaTC4sHoxPaAjXFJJaz23c6NzYPEL3aA8Thg

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC6RcPinn3LTG9gV-yn_HHibQodBKayC08kZm4qsY9f863_J858gKmnHC3_MlvEgQ8xaozzEHzA
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:34 GMT
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-TRPNAgd8MrK8dDIMxBiSKw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.74.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=520=TUvGKiow0zcBdTOr2ZaQ6_XNGKC11J4faqwye2RFOO4ciCUJYEjiaNVW86fKTS9TkZZVhJAksLBEQMRq0vmfAcfd5Yyl-yWz9DPbGHTr1oIG5D9PTf_nWHtdOxbtzpLIccivN3iJ-O9OaTC4sHoxPaAjXFJJaz23c6NzYPEL3aA8Thg

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFiumC7V6JdzypEfSl90qokkBpEmpjsooPmmxz-Xa7X_-1_BPRs2_pWotiJDJkU0XIP76pdX0CC-298
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 22 Dec 2024 05:03:35 GMT
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-fbDSNrKPa4sDZtn--sU0Xg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

92.123.241.137
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

92.123.241.137:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: a2c4a816-201e-002d-0cee-2be499000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 22 Dec 2024 05:04:04 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCVfb23d3cb.0
ms-cv-esi: CASMicrosoftCVfb23d3cb.0
X-RTag: RT

104.219.215.160:8008

._cache_Synaptics.exe

152 B
3
152.199.19.161:443

az700632.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
152.199.19.161:443

az667904.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
152.199.19.161:443

az667904.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
152.199.19.161:443

az667904.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
152.199.19.161:443

az700632.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
152.199.19.161:443

az667904.vo.msecnd.net

tls

vs_setup_bootstrapper.exe

356 B
219 B
5
5
69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

430 B
415 B
6
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
104.219.215.160:4449

._cache_Synaptics.exe

152 B
3
104.208.16.88:443

vortex.data.microsoft.com

tls

vs_setup_bootstrapper.exe

267 B
92 B
3
2
104.208.16.88:443

vortex.data.microsoft.com

tls

vs_setup_bootstrapper.exe

267 B
92 B
3
2
104.219.215.160:8008

._cache_Synaptics.exe

152 B
3
216.58.214.174:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.9kB
14.0kB
15
17

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303
142.250.179.67:80

http://c.pki.goog/r/r1.crl

http

Synaptics.exe

302 B
1.7kB
4
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.179.67:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

http

Synaptics.exe

734 B
1.6kB
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

HTTP Response

200
142.250.74.225:443

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.0kB
14.5kB
14
21

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404
104.219.215.160:8008

._cache_Synaptics.exe

152 B
3
92.123.241.137:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.7kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200
104.219.215.160:8008

._cache_Synaptics.exe

152 B
3

8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

az700632.vo.msecnd.net

dns

vs_setup_bootstrapper.exe

68 B
179 B
1
1

DNS Request

az700632.vo.msecnd.net

DNS Response

152.199.19.161
8.8.8.8:53

az667904.vo.msecnd.net

dns

vs_setup_bootstrapper.exe

68 B
179 B
1
1

DNS Request

az667904.vo.msecnd.net

DNS Response

152.199.19.161
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
8.8.8.8:53

vortex.data.microsoft.com

dns

vs_setup_bootstrapper.exe

71 B
194 B
1
1

DNS Request

vortex.data.microsoft.com

DNS Response

104.208.16.88
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

216.58.214.174
8.8.8.8:53

c.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

o.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

drive.usercontent.google.com

dns

Synaptics.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.74.225
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

92.123.241.137

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202412220502303076.json

Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20241222050304_c3cb4263ac924d4d8bb218cc8b1dca58.trn

Filesize
6KB

MD5
31f0789fa1b466c0294379c3c4d0833b

SHA1
cb21f882705649592a948c16a0feca6ef1da1ae8

SHA256
7816ffbb1a4cc402316a8db22c3fb4e2d4a0fc7c0e42ab94e090071ef1587d85

SHA512
264dfa0e5f43a2282abb577a86d48cb16c21846050b5c39cc2e76d8e62392dd543701b477e8102adf00c629884504d8533a83828fc5eab7c852bb5b5c98f41ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
74KB

MD5
8ce78f483110d74e5eff82f76e78a0b0

SHA1
ea39826209a5084b5cfbf4a89366856fd330b72d

SHA256
7a573f3735077c7a97662456d8c5f5001559bc6dd2356ff6e4ef92f5e8a9acad

SHA512
69654e33c7ccf5300b92c1e8d4e713671fb0676f01f02e93e500aa62ccd94a96aa6fc2ec9e928b1e8498c7950fa606ba2480bd63a11c379f949d247ff8dc399d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_lshss.exe

Filesize
4.2MB

MD5
508eaf83c6a24782ccd2b6213a3675e9

SHA1
8be90c9786bfc34ed0e7e5b1614be4a8848bf040

SHA256
bd8ed33822c22b49ace81b7b69bc2d2089cd950a432298a5194007e6b750abf0

SHA512
60f1fe5c3a478c7c68778f3573335cd54fee36de21927418d2dd8bfe82fc9ab9cb5bb9e0251d622a99c073451b04b15c05c3732ffe6dacbfc4dfd612fa71f238

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
307KB

MD5
8533bebaa025a397f10e588324494e97

SHA1
93c30a4bb46c59451bf4b02662bc282f1984ed6c

SHA256
1675c894fb208e6412e017854b835144a2fe55a8ebbde1f2b4b14bfe4cfbc821

SHA512
cb12809a3a7590d50f900197ef2752e181ee9d1f6d163293e78a754de4952e7405a7c70ff94c12659502134be64968741f04e8ad804c9d62b61c36ea237bf5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.4MB

MD5
2a001dc022ee695ebd293494fc9febd4

SHA1
d5426adbc98ac17e468e3bd7e97c8b8f3ccc6624

SHA256
ba2a7ce28aeaa0e052b196006cd24e8672fe4dfefb56485f203ef1a614e67d0b

SHA512
95ee5863bb8fcf6b0959e41040f5d29d508b35f782a6f40f83723291f9e295cf179254ff5e79bcea4046884ffcb07b415d53f4b37d2ac1695db899e5063ca959

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
989KB

MD5
812e35d00498b49bdb36b1c5c832b601

SHA1
6754bd78dd97fe0cf8a4a4d4e9e3850a6c296336

SHA256
181c4de1cf0721243d58ebbce905ab3c2c255ec70455a9b59420d6bcbe5e5aa9

SHA512
248166bc45fefc6ad43a4262b9d47174ba06f997addb6da6d6b799e3bd04891ee50f95171670e01f33fa1374b4874bf80a12dd2eac401fb9c7feb916555be096

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
3KB

MD5
6e70f080f0a5f3f052eeb0ce6703dc4d

SHA1
fd5fde5247508b4c4583a75ca020af6e140e23ba

SHA256
7314eb4bf1be5d751eb7a7939921972b7b34b58ce7aac743c82bbdded66f9236

SHA512
1c2f824255bb24ca02e9687ee7367eec4398ee5b84b448edfe00751122bce2ee07afb35a1824649b149b7160c3cb57d2eae2a3f93388a3d998494c129be5709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
21KB

MD5
b0c38b05c1a67ceb5b87a0b23597f46d

SHA1
b229fd11758569bc1e2eb5ff7ce0b8f057338d8e

SHA256
0c6e3ae8a9f4644036a5df74ab2ad87c764f3e409387f94ef9637e5e0647699e

SHA512
5b714819c5b4d63fe2c906abb9eaaeb21b4dfe7e725b6e8fd85a6b581d4ce91b7210f0c2ee0be1dbfbf05a78367d1584a44211ad46ef37943f4628aa73ca7a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
25KB

MD5
f22b94cba2caebee84f84e2f595c3f74

SHA1
929337b36a10ad242b9ceb9772630559c6ecbbe8

SHA256
91d204a8663624121c902017bb44004a79dd994039ff913221dc799c7618dd59

SHA512
b7e0e30141724b6917e4bff3c6653826a84fbcb2dd58afbb6e50a5f3decfec5b9be98e3c080280e873bb1162404be60409f795e8abc7403c1fa2cc1245948d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
23KB

MD5
f8bb3dc03f9d648dc0769c43e982f62a

SHA1
8d3dce2f0dabfe10c437a89bf85d5aadda0cafaa

SHA256
49e2da7cbba19c0d329a1d0cb43c3bf5a1b94b031fa4eaa75e4ef20689a5e3ec

SHA512
b9d2e3d5b7389064bdc101ab9f554592d2ea8c45ff227c649787e0c0de4c5c75c46e9b007e07c06998a53bc5943cdbc48eda13c77cb75a9e4d5e33de54ab43fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
21KB

MD5
5c77cfbf25337599f7d9a319387e781e

SHA1
ab9b456e6d5e884af5c1efcb79c2b03b7b4717cc

SHA256
c17a279f88d75fc70c7a2210cc5ac5cd8507665b0305d2808bd82ee09a1c4cf3

SHA512
a2bfa4bdd5217a2415161a0fd4f47045135359276bdda531dcdaa10cf4d0d9993132db3aa96475b3ed2ceb6ac3f9b9297cf4a097d1e4ce2b386fbb4c99449723

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNV5xme8.xlsm

Filesize
26KB

MD5
e6b2c303d570fd2536dec1c2e2a326e5

SHA1
37d85f6dc0d4dc71e71288bd3ca3b6586254754d

SHA256
897b8b1932755868dd85779e3fe9c36d485c5b45e472632cac61817bf78b806b

SHA512
f61a1a3328d1544c18d499841bd1d39cbac8f0ae1acc423f2256d318b4656f63a4a4fefa7016a643f607b36028cf0bc7f6c198fc5e3a7b58f9c049f0ed4ceb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA526.tmp

Filesize
1KB

MD5
36df715a64ca4212addd9517fb6b2f3e

SHA1
8ccaf8b7c40adce558c4ed0d1e2f8c58ab79da3b

SHA256
46fce2be5798e4da4628e27215321212c219a2a02992c3b1c1b4329425addb57

SHA512
eb7d45d9c01c09f9c91633f2beb08ef00fe80e87107cf5002d93a5156d6ad2d2665d8d31ec0afc486b2ba8cac60c6da2dccd6f4eb027ae418fb31231280d6780

Download Submit
C:\Users\Admin\AppData\Local\Temp\yssyzge1.dll

Filesize
5KB

MD5
12535261a959e92e22ad75c69505b149

SHA1
8a5fd58fd188ea118dd140732019f51551415137

SHA256
44f5f484c616333f354c1db9e4744c6e29a0f71743aa83dbc817d0310b55e475

SHA512
fea8a94282fbdc0a511094e7090148efa195bce70f2df998658f6c12d1f50f1345763d851c6f0fce68af952c48c81daa40ba6d0df5676ce9489a5ed67e93c872

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA525.tmp

Filesize
652B

MD5
d8e0bfc14e2c193eeb6dc0da56993ab6

SHA1
ead05f7740c1901c2b260a190867fcd8e22dc572

SHA256
295f6d74d6e5f4039ebb5081e9b4224bebfe0d75bc18d8fe24e763b9fa08ad2e

SHA512
9dc4a10c4e90d9e2754d39759553c08174bc24cbaa5a3ae7c6a9b9bf25fbb468f4684ebd03911f202918a9c1af9e34da3e514c06db03817a30b0457f1e27df6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yssyzge1.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yssyzge1.cmdline

Filesize
206B

MD5
6db9f86a4cdc7f808b88cf689bc2a78d

SHA1
f632028c8b0312f81db5a2ed5bf6d7b0de863430

SHA256
7b9408cdd6f6d818f8d48a74284f85628fb3b91916cf03125073c1dcf1d0bcb3

SHA512
28fb587b8d00c23e7d57d4e077f7533e66f8589ef9a2eb9b09e71c20c613966e1cdde2a7ccb8e5d4940ac8f2fde7066eea443a0377d58e04b93bc677ba95a0c2

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
19KB

MD5
3374eab90af5842f1f07c1f60e74441f

SHA1
5c7f58d46e19713e785351ae0f17086071b9a881

SHA256
f1ae5d2c81ebb819706682b0b7ce311eb19162f1ec51fdffee2f469e283f68c5

SHA512
0d66a8ebebb6d2df8772089cb829ac038a929d7ba3ef82c5ea221f972777279929b982504b612931d4e52ea44ac6d12c48c06e07d26ae7942125e0020bd84c4b

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
115KB

MD5
49ddd4d8c73e5bce6ca296524f4ad7dc

SHA1
962778dac5a91ecbaa717495939ef1296ecd9bd0

SHA256
6d4f14a228a1c02fcc9eb8004828ba83a4a582359438af979d096b8c12b27319

SHA512
f544be13f34da6a79db960e3ece66c47a5ae7db98485d52afad19e49a661640801f0d159afc0ad735b7af27df30906c71ab65ca2bc85209985db7f35bf812b09

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
580KB

MD5
04775edbc8687663870e4236d0ee1ebe

SHA1
e508a323371be598aaabb6a7142258f1197f7e00

SHA256
a34e047e3957f51b993bd1f2819a37f67545f6b49f335575d8ca819dece3cd67

SHA512
9ff5b16797651c9ef4af4fb5d9d38c8f25d2e996770db7289bba12ad468b028074393f7fbd10ad0a1fc4601196d17b10086ffcb53edf28c60ddfe0dbb28adc44

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
60KB

MD5
bbe6955b4695866de27bb1c1822a25ed

SHA1
adfa2f33e22fd852bf20f396ab8b908e772c1d5a

SHA256
b6f38af430ff17e9ce5721affdbb361cc8a35f7f4a81a1a03c7a4710ea2da124

SHA512
14c1ea1dcf6e3e98e79eed2fd2f5d79eeed48ae52992309ed8e68e0c3d62d3d761b3f103093d6ca8e48cff945a1f42e80eccf7b43eae828c5413edf47aab8864

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
705KB

MD5
dc926df28065a5d355ad64107f7302a8

SHA1
3dd6bb9c69726eaa05cf198f5e0b7c14e03cda4c

SHA256
5ef06959f1d3355c4f15fbcc2aad17a31740dbdc74284bfd2dca6a7d651bc14d

SHA512
8745575c9099ab6a046098814c8135a1b85e61d8d73c6aaf9f41f04206624f0b625e1a4c73e1fb6f430d625080b7a8dada5119dc98a79a13f4807899b10a591e

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
\Users\Admin\AppData\Local\Temp\8d369432279d267a045e822efa64\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
403KB

MD5
2fba884456524b453b0ddc8c422e3013

SHA1
b9e83827457f790e0b89895e1a30ea1b84866c0d

SHA256
9d19fe12134339923d815c4ba0d195d5cb55215427cdfffec7d7da821f416272

SHA512
b0ac2a5ebb5b7e56680e66aa5574bc5f343f879b7698a59286a925c3746357a67bdcc4d20d2394e99195b759542065772708f8c07b471ab862fbf83a1c1100f9

Download Submit
\Users\Admin\AppData\Roaming\lshss.exe

Filesize
832KB

MD5
bcbb6fd8c5fa588ff1b0299a719cd63b

SHA1
b2808e5b00ffeae5022b97ec78fc6368497c5adf

SHA256
4b7606c7138380ca54e9f6517b6415c3833d7162d18ede2024866f6a6fb41149

SHA512
a3edb6586f0b3d3ad088da1f7b1cddea118dd6a7ed7421960b9a172d75450e9e7d4f169b40441669e2109bbade2170dd1c861d4a8f01711159c2baf4f5d5dafd

Download Submit
memory/236-138-0x00000000009B0000-0x00000000009C8000-memory.dmp

Filesize
96KB

Download
memory/1656-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-36-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-25-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-26-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-32-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-67-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-39-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-38-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-27-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-31-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-28-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1656-30-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1688-325-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1688-230-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1736-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-333-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/1736-326-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-16-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-9-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-250-0x0000000004240000-0x0000000004250000-memory.dmp

Filesize
64KB

Download
memory/2304-229-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2304-207-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2304-195-0x0000000004800000-0x000000000496A000-memory.dmp

Filesize
1.4MB

Download
memory/2304-211-0x0000000000720000-0x0000000000770000-memory.dmp

Filesize
320KB

Download
memory/2304-203-0x0000000004E10000-0x0000000004F0C000-memory.dmp

Filesize
1008KB

Download
memory/2304-199-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/2304-328-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2304-327-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2304-191-0x0000000000AB0000-0x0000000000B18000-memory.dmp

Filesize
416KB

Download
memory/2304-215-0x00000000052E0000-0x0000000005392000-memory.dmp

Filesize
712KB

Download
memory/2304-225-0x00000000051F0000-0x0000000005216000-memory.dmp

Filesize
152KB

Download
memory/2304-332-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2304-331-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2304-221-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2660-334-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-330-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-374-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.