Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2025, 16:32 UTC
Behavioral task
behavioral1
Sample
98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
Resource
win10v2004-20241007-en
General
-
Target
98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
-
Size
793KB
-
MD5
1951df1cc3262a172ce0bd85cc390d00
-
SHA1
e88411f0b9155eec15712630de1a45b654f52eb3
-
SHA256
98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56
-
SHA512
e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1
-
SSDEEP
12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9TuQj:mnsJ39LyjbJkQFMhmC+6GD9ig
Malware Config
Extracted
xred
xred.mooo.com
-
email
xredline1@gmail.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 3 IoCs
pid Process 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 672 Synaptics.exe 1816 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2132 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 1816 ._cache_Synaptics.exe 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE 2132 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 920 wrote to memory of 4672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 82 PID 920 wrote to memory of 4672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 82 PID 920 wrote to memory of 4672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 82 PID 920 wrote to memory of 672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 83 PID 920 wrote to memory of 672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 83 PID 920 wrote to memory of 672 920 98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 83 PID 672 wrote to memory of 1816 672 Synaptics.exe 84 PID 672 wrote to memory of 1816 672 Synaptics.exe 84 PID 672 wrote to memory of 1816 672 Synaptics.exe 84 PID 1816 wrote to memory of 4856 1816 ._cache_Synaptics.exe 90 PID 1816 wrote to memory of 4856 1816 ._cache_Synaptics.exe 90 PID 1816 wrote to memory of 4856 1816 ._cache_Synaptics.exe 90 PID 4672 wrote to memory of 2828 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 92 PID 4672 wrote to memory of 2828 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 92 PID 4672 wrote to memory of 2828 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 92 PID 4672 wrote to memory of 1808 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 100 PID 4672 wrote to memory of 1808 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 100 PID 4672 wrote to memory of 1808 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 100 PID 4672 wrote to memory of 1188 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 102 PID 4672 wrote to memory of 1188 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 102 PID 4672 wrote to memory of 1188 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 102 PID 1816 wrote to memory of 540 1816 ._cache_Synaptics.exe 103 PID 1816 wrote to memory of 540 1816 ._cache_Synaptics.exe 103 PID 1816 wrote to memory of 540 1816 ._cache_Synaptics.exe 103 PID 1816 wrote to memory of 884 1816 ._cache_Synaptics.exe 108 PID 1816 wrote to memory of 884 1816 ._cache_Synaptics.exe 108 PID 1816 wrote to memory of 884 1816 ._cache_Synaptics.exe 108 PID 4672 wrote to memory of 4588 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 110 PID 4672 wrote to memory of 4588 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 110 PID 4672 wrote to memory of 4588 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 110 PID 1816 wrote to memory of 4160 1816 ._cache_Synaptics.exe 112 PID 1816 wrote to memory of 4160 1816 ._cache_Synaptics.exe 112 PID 1816 wrote to memory of 4160 1816 ._cache_Synaptics.exe 112 PID 4672 wrote to memory of 3900 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 113 PID 4672 wrote to memory of 3900 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 113 PID 4672 wrote to memory of 3900 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 113 PID 1816 wrote to memory of 4452 1816 ._cache_Synaptics.exe 116 PID 1816 wrote to memory of 4452 1816 ._cache_Synaptics.exe 116 PID 1816 wrote to memory of 4452 1816 ._cache_Synaptics.exe 116 PID 4672 wrote to memory of 2604 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 117 PID 4672 wrote to memory of 2604 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 117 PID 4672 wrote to memory of 2604 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 117 PID 1816 wrote to memory of 4040 1816 ._cache_Synaptics.exe 120 PID 1816 wrote to memory of 4040 1816 ._cache_Synaptics.exe 120 PID 1816 wrote to memory of 4040 1816 ._cache_Synaptics.exe 120 PID 4672 wrote to memory of 5060 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 121 PID 4672 wrote to memory of 5060 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 121 PID 4672 wrote to memory of 5060 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 121 PID 1816 wrote to memory of 2840 1816 ._cache_Synaptics.exe 124 PID 1816 wrote to memory of 2840 1816 ._cache_Synaptics.exe 124 PID 1816 wrote to memory of 2840 1816 ._cache_Synaptics.exe 124 PID 4672 wrote to memory of 4464 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 125 PID 4672 wrote to memory of 4464 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 125 PID 4672 wrote to memory of 4464 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 125 PID 1816 wrote to memory of 2588 1816 ._cache_Synaptics.exe 128 PID 1816 wrote to memory of 2588 1816 ._cache_Synaptics.exe 128 PID 1816 wrote to memory of 2588 1816 ._cache_Synaptics.exe 128 PID 4672 wrote to memory of 4712 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 129 PID 4672 wrote to memory of 4712 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 129 PID 4672 wrote to memory of 4712 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 129 PID 1816 wrote to memory of 216 1816 ._cache_Synaptics.exe 132 PID 1816 wrote to memory of 216 1816 ._cache_Synaptics.exe 132 PID 1816 wrote to memory of 216 1816 ._cache_Synaptics.exe 132 PID 4672 wrote to memory of 1444 4672 ._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe 133
Processes
-
C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1808
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1188
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4588
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:3900
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:2604
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:5060
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4464
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4712
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1444
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:5080
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1100
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:1728
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4952
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4140
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4408
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d3⤵
- System Location Discovery: System Language Discovery
PID:4948
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4856
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:540
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:884
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4160
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4452
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4040
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:216
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:1736
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:3240
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4616
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:4972
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:1544
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:3456
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\SysWOW64\cmd.execmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d4⤵
- System Location Discovery: System Language Discovery
PID:1928
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2132
Network
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.76.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
GEThttp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Synaptics.exeRemote address:69.42.215.252:80RequestGET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 16:32:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request252.215.42.69.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request252.215.42.69.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request49.192.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTRResponse92.12.20.2.in-addr.arpaIN PTRa2-20-12-92deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A216.58.214.174
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:52 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-ElzVfNHDWgAcoJdgWfX5xw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:53 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-1Nfnc7eDlAOKrHu7EcyHSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:216.58.214.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:54 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-iwdJI-4NRqPcuvIccx2MPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
Remote address:142.250.179.67:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 01 Jan 2025 16:27:48 GMT
Expires: Wed, 01 Jan 2025 17:17:48 GMT
Cache-Control: public, max-age=3000
Age: 364
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyfSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Wed, 01 Jan 2025 16:28:31 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 321
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUCSynaptics.exeRemote address:142.250.179.67:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Wed, 01 Jan 2025 15:34:20 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3572
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.74.225
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:53 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'report-sample' 'nonce-v6B-Ocu60H_SqJAPZpwgTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150; expires=Thu, 03-Jul-2025 16:33:53 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:53 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-e167fJ8mLyZbsRpVX3cCig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
GEThttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSynaptics.exeRemote address:142.250.74.225:443RequestGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=J7i5n7HM2s8Q07qOtwCoMb2hcFceZckYBb4gF9M2jEm4sd5BCdxs92T50otl8_23_ccmSmHt0SPPQX1EWbi-kYUxuyZXbYNTW3t4iJhmHSlHkR1z7KX_lr-oDl775RwJj5ZFcWy91d8zF0xlPaBOEgzCLlhz2hnpEMBzCpAgRZDG150
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jan 2025 16:33:54 GMT
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-3bLA6ZvTtRTWhMvu32CaEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
-
Remote address:8.8.8.8:53Request67.179.250.142.in-addr.arpaIN PTRResponse67.179.250.142.in-addr.arpaIN PTRpar21s19-in-f31e100net
-
Remote address:8.8.8.8:53Request174.214.58.216.in-addr.arpaIN PTRResponse174.214.58.216.in-addr.arpaIN PTRmad01s26-in-f141e100net174.214.58.216.in-addr.arpaIN PTRpar10s42-in-f14�I174.214.58.216.in-addr.arpaIN PTRmad01s26-in-f174�I
-
Remote address:8.8.8.8:53Request225.74.250.142.in-addr.arpaIN PTRResponse225.74.250.142.in-addr.arpaIN PTRpar10s40-in-f11e100net
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
69.42.215.252:80http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978httpSynaptics.exe430 B 415 B 6 4
HTTP Request
GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978HTTP Response
200 -
216.58.214.174:443https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.7kB 11.3kB 18 14
HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
303 -
303 B 1.7kB 4 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
142.250.179.67:80http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUChttpSynaptics.exe736 B 1.6kB 6 4
HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyfHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUCHTTP Response
200 -
142.250.74.225:443https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe2.6kB 14.7kB 24 21
HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
240.76.109.52.in-addr.arpa
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
64 B 80 B 1 1
DNS Request
freedns.afraid.org
DNS Response
69.42.215.252
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
57 B 1
-
144 B 144 B 2 2
DNS Request
252.215.42.69.in-addr.arpa
DNS Request
252.215.42.69.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
49.192.11.51.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
92.12.20.2.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
docs.google.com
DNS Response
216.58.214.174
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.67
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
142.250.179.67
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.74.225
-
73 B 111 B 1 1
DNS Request
67.179.250.142.in-addr.arpa
-
73 B 173 B 1 1
DNS Request
174.214.58.216.in-addr.arpa
-
73 B 111 B 1 1
DNS Request
225.74.250.142.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
793KB
MD51951df1cc3262a172ce0bd85cc390d00
SHA1e88411f0b9155eec15712630de1a45b654f52eb3
SHA25698d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56
SHA512e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1
-
C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
Filesize40KB
MD583db3f55c5a97402b73de7fb23b77add
SHA17812537505190566cfc04c4708404e25c0750b4d
SHA256af7120cdf209e98bfe63bbc98c176b57987976ab671ab25c5f71d3e72a13a168
SHA512eee63a61b3e86ed029c2ab29bf477e3cc56c956321b29c7a36e947a9441c28bd46ebe629e3955b2339d494cc9cc905581e52af838d088c15b48fdcc557caa916
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
22KB
MD58f29bfad5cda71d6ace828951ed0a43d
SHA17e8578a126a38a236cacd939f7ee2c6336f364a7
SHA256e2849a9d1255ba6abc7a5b2f02288b545ead79caf1b1df3c973e83019bc3a099
SHA512c399abd5096f4b953d46e9bd2c0de603c127d104b36c723d10b15f45c0a047c9a5427d0699fe5bf171f3a4a174d1191bb931509dfb3c0f4109a57974153cdef6