Malware Analysis Report

2025-04-13 21:02

Sample ID: 250103-e9sm5azldx
Target: db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
SHA256: db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85
Tags: upx xred backdoor discovery persistence
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe was found to be: Known bad.

Malicious Activity Summary

upx xred backdoor discovery persistence

Xred family

Xred

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported: 2025-01-03 04:38

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-03 04:38
Reported: 2025-01-03 04:39
Platform: win7-20240903-en
Max time kernel: 9s
Max time network: 10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259426948 C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk C:\Windows\wic.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk C:\Windows\wic.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Program Files (x86)\1.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wic.exe C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
File created C:\Windows\cbas.exe C:\Windows\wic.exe N/A
File created C:\Windows\msslac.dll C:\Windows\wic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 3044 wrote to memory of 2704 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 3044 wrote to memory of 2616 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2616 wrote to memory of 2452 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2784 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 372 wrote to memory of 1752 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 2784 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2784 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2784 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2320 wrote to memory of 1572 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

C:\Program Files (x86)\1.exe

"C:\Program Files (x86)\1.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\2.exe

"C:\Program Files (x86)\2.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0

C:\Program Files (x86)\3.exe

"C:\Program Files (x86)\3.exe" 0

C:\Program Files (x86)\4.exe

"C:\Program Files (x86)\4.exe" 0

C:\Windows\wic.exe

"C:\Windows\wic.exe" 0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 bruplong.oss-accelerate.aliyuncs.com udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 xred.mooo.com udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-03 04:38
Reported: 2025-01-03 04:41
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\2.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk C:\Windows\wic.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk C:\Windows\wic.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240623250 C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Program Files (x86)\1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\system32\LogonUI.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wic.exe C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
File created C:\Windows\cbas.exe C:\Windows\wic.exe N/A
File created C:\Windows\msslac.dll C:\Windows\wic.exe N/A
File created C:\Windows\rescache\_merged\2229298842\2241486462.pri C:\Windows\system32\LogonUI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9c79713-0000-0000-0000-d01200000000} C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9c79713-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9c79713-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002f8f6d8d995ddb01 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\2.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 4900 wrote to memory of 436 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 4900 wrote to memory of 4492 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4712 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 4492 wrote to memory of 1004 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3772 wrote to memory of 3632 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 3772 wrote to memory of 3632 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 3772 wrote to memory of 3632 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 4712 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 4712 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 4712 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 4712 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 4712 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 4712 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 4712 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 4712 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 4712 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 4052 wrote to memory of 2912 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 2912 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 2912 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2912 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2912 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

C:\Program Files (x86)\1.exe

"C:\Program Files (x86)\1.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\2.exe

"C:\Program Files (x86)\2.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0

C:\Program Files (x86)\3.exe

"C:\Program Files (x86)\3.exe" 0

C:\Program Files (x86)\4.exe

"C:\Program Files (x86)\4.exe" 0

C:\Windows\wic.exe

"C:\Windows\wic.exe" 0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 bruplong.oss-accelerate.aliyuncs.com udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 52.41.208.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4712-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Program Files (x86)\1.exe

MD5 d026cfe00b08da14b0a8b7f8860887d7
SHA1 08ef96351067f151c19b9cc21605ea018fb43a18
SHA256 e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd
SHA512 4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

memory/4900-17-0x0000000002260000-0x0000000002261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

MD5 aed710082d6986c6dceed09d3a5edcc6
SHA1 02456d21cef29be4cb63004aea6aa225a90fd882
SHA256 5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e
SHA512 4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

memory/436-55-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/4900-119-0x0000000000400000-0x00000000004D1000-memory.dmp

C:\Program Files (x86)\2.exe

MD5 85a57509db3e9dfa7b4e451b8243220d
SHA1 ee21f93372218959f8b3dcefaa2c680d857e9e52
SHA256 fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1
SHA512 104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

memory/1004-169-0x0000000000400000-0x00000000004A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

MD5 b7176450aebb9572b34e875984456ac1
SHA1 5d9d1824c5c235dcfc82e6e3af48b63d70016393
SHA256 f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2
SHA512 4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

memory/4400-222-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

memory/4400-221-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

memory/4400-220-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

memory/4400-219-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

memory/4400-218-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

memory/4400-223-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

memory/4400-231-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

memory/3772-234-0x0000000000400000-0x0000000000874000-memory.dmp

C:\Program Files (x86)\3.exe

MD5 1edb88f9ee745eaaee2cbd8219318eb0
SHA1 6561c12d51090972b6f866f38f8ed281c5c83313
SHA256 0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0
SHA512 a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

memory/60-247-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w1rtKyBH.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Program Files (x86)\4.exe

MD5 39e7be73c7531ac895f75834fdc1bcd6
SHA1 646b88b488cf673c38b56fe7748c70b31bb29fc3
SHA256 a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195
SHA512 e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

C:\Users\Admin\AppData\Local\Temp\D0A75E00

MD5 ddbfb6f54e9027f95b5a56313ee5a66c
SHA1 60ba07d718d7881ab1f846a63dded10b4436f93c
SHA256 7f0a9f4ec3924e815f180d28027e88e916f4a40acdbff39290d6c2285ae8fb97
SHA512 d0e1ccfd5c753a0fabed126242cc47feca0f8901ef51b47362714f7d2d127f3481feb4d0ff3446798e47b54d746b659649c56c5b69b14e4803e8c6c49261999f

C:\Windows\wic.exe

MD5 6ad65b03e75bc5509ba3104510178ee6
SHA1 dba73f97938d2dab4bf8fb8076b363db82ad3a16
SHA256 4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6
SHA512 976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

memory/4712-322-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1004-335-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/436-337-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/60-340-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4492-341-0x0000000000400000-0x00000000004D1000-memory.dmp

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3227495264-2217614367-4027411560-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

MD5 c89510a520601efe72caff55feec32ea
SHA1 87c5ee03ae56503fba1cc9c1e092182880d49795
SHA256 5d988846715f45d37dde32eb39cbb5815e1a0f8d966f5dfe94491fe6c83f762d
SHA512 7af7cb61dfe2d145f77a9fb9691f94a26ede47270c96acc397f6a99f1c68d3b796818a62f2e492ad16e7b14bd1fe3bed5e20d51d29489e1003977274b489bf2e