Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-d2216axpcz
Target 43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
SHA256 43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780
Tags
xred backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780

Threat Level: Known bad

The file 43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred

Xred family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 03:31

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 03:31

Reported

2025-01-03 03:33

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETB2A6.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETB2A6.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETB2B7.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETB2B7.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\security\logs\scecomp.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4688 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 4688 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 4688 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 3576 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 3576 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 3576 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 4688 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4688 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4688 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1720 wrote to memory of 5012 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1720 wrote to memory of 5012 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1720 wrote to memory of 5012 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe

"C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network


Files

C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe


C:\ProgramData\Synaptics\Synaptics.exe


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll


C:\Windows\SysWOW64\directx\websetup\dsetup32.dll


C:\Users\Admin\AppData\Local\Temp\lnM5YcZ5.xlsm


C:\Users\Admin\AppData\Local\Temp\48E75E00



Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 03:31

Reported

2025-01-03 03:33

Platform

win7-20240729-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET6F56.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET6F56.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET6F57.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET6F57.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\security\logs\scecomp.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 2324 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1760 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 2324 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2324 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2324 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2324 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2672 wrote to memory of 2276 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe

"C:\Users\Admin\AppData\Local\Temp\43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network


Files

\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe


\ProgramData\Synaptics\Synaptics.exe


\Windows\SysWOW64\directx\websetup\dsetup32.dll


\Windows\SysWOW64\directx\websetup\dsetup.dll


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf


\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe


C:\Users\Admin\AppData\Local\Temp\vWiHt94w.xlsm


C:\Users\Admin\AppData\Local\Temp\vWiHt94w.xlsm

