Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-fbxd4aspel
Target db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
SHA256 db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85
Tags: upx xred backdoor discovery macro persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85

Threat Level: Known bad

The file db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe was found to be: Known bad.

Malicious Activity Summary

upx xred backdoor discovery macro persistence

Xred

Xred family

Suspicious Office macro

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 04:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 04:42

Reported

2025-01-03 04:42

Platform

win7-20240903-en

Max time kernel

9s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Downloads MZ/PE file

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk C:\Windows\wic.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259456541 C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk C:\Windows\wic.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Program Files (x86)\1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msslac.dll C:\Windows\wic.exe N/A
File created C:\Windows\wic.exe C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
File created C:\Windows\cbas.exe C:\Windows\wic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2112 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2112 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2112 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2932 wrote to memory of 2712 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 2932 wrote to memory of 2712 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 2932 wrote to memory of 2712 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 2932 wrote to memory of 2712 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 2932 wrote to memory of 2068 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2932 wrote to memory of 2068 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2932 wrote to memory of 2068 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2932 wrote to memory of 2068 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2112 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2112 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2112 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2112 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2068 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2068 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2068 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2068 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 576 wrote to memory of 1664 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 576 wrote to memory of 1664 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 576 wrote to memory of 1664 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 576 wrote to memory of 1664 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 2112 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2112 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2112 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2112 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2112 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2112 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2112 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2112 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2112 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2112 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2112 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2112 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 896 wrote to memory of 2840 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2840 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2840 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2840 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2840 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2840 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2840 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

C:\Program Files (x86)\1.exe

"C:\Program Files (x86)\1.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\2.exe

"C:\Program Files (x86)\2.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\3.exe

"C:\Program Files (x86)\3.exe" 0

C:\Program Files (x86)\4.exe

"C:\Program Files (x86)\4.exe" 0

C:\Windows\wic.exe

"C:\Windows\wic.exe" 0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 bruplong.oss-accelerate.aliyuncs.com udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 xred.mooo.com udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 04:42

Reported

2025-01-03 04:45

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Downloads MZ/PE file

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk C:\Windows\wic.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk C:\Windows\wic.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File opened for modification C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240620046 C:\Program Files (x86)\4.exe N/A
File created C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe C:\Program Files (x86)\4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Program Files (x86)\1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\system32\LogonUI.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wic.exe C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
File created C:\Windows\cbas.exe C:\Windows\wic.exe N/A
File created C:\Windows\msslac.dll C:\Windows\wic.exe N/A
File created C:\Windows\rescache\_merged\2229298842\3177373409.pri C:\Windows\system32\LogonUI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f4dff5109a5ddb01 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{62c5c1e3-0000-0000-0000-d01200000000} C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{62c5c1e3-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{62c5c1e3-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\2.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2228 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 2228 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\1.exe
PID 4416 wrote to memory of 3804 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 4416 wrote to memory of 3804 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 4416 wrote to memory of 3804 N/A C:\Program Files (x86)\1.exe C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
PID 4416 wrote to memory of 1136 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4416 wrote to memory of 1136 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4416 wrote to memory of 1136 N/A C:\Program Files (x86)\1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2228 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2228 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 2228 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\2.exe
PID 1136 wrote to memory of 3756 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1136 wrote to memory of 3756 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1136 wrote to memory of 3756 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 2228 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\3.exe
PID 1764 wrote to memory of 2592 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 1764 wrote to memory of 2592 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 1764 wrote to memory of 2592 N/A C:\Program Files (x86)\2.exe C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
PID 2228 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2228 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2228 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Program Files (x86)\4.exe
PID 2228 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2228 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2228 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe C:\Windows\wic.exe
PID 2352 wrote to memory of 4220 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4220 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4220 N/A C:\Windows\wic.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 4220 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 4220 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"

C:\Program Files (x86)\1.exe

"C:\Program Files (x86)\1.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\2.exe

"C:\Program Files (x86)\2.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\3.exe

"C:\Program Files (x86)\3.exe" 0

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0

C:\Program Files (x86)\4.exe

"C:\Program Files (x86)\4.exe" 0

C:\Windows\wic.exe

"C:\Windows\wic.exe" 0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa398c855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 bruplong.oss-accelerate.aliyuncs.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 52.41.208.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
GB 8.208.41.52:80 bruplong.oss-accelerate.aliyuncs.com tcp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp

Files

memory/2228-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Program Files (x86)\1.exe

MD5 d026cfe00b08da14b0a8b7f8860887d7
SHA1 08ef96351067f151c19b9cc21605ea018fb43a18
SHA256 e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd
SHA512 4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

memory/4416-17-0x00000000007E0000-0x00000000007E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

MD5 aed710082d6986c6dceed09d3a5edcc6
SHA1 02456d21cef29be4cb63004aea6aa225a90fd882
SHA256 5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e
SHA512 4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

memory/3804-54-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/4416-119-0x0000000000400000-0x00000000004D1000-memory.dmp

C:\Program Files (x86)\2.exe

MD5 85a57509db3e9dfa7b4e451b8243220d
SHA1 ee21f93372218959f8b3dcefaa2c680d857e9e52
SHA256 fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1
SHA512 104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

MD5 b7176450aebb9572b34e875984456ac1
SHA1 5d9d1824c5c235dcfc82e6e3af48b63d70016393
SHA256 f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2
SHA512 4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

memory/4996-219-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

memory/4996-218-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

memory/4996-220-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

memory/4996-221-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

memory/4996-217-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

memory/4996-222-0x00007FFC5A2D0000-0x00007FFC5A2E0000-memory.dmp

C:\Program Files (x86)\3.exe

MD5 1edb88f9ee745eaaee2cbd8219318eb0
SHA1 6561c12d51090972b6f866f38f8ed281c5c83313
SHA256 0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0
SHA512 a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

memory/3172-241-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4996-242-0x00007FFC5A2D0000-0x00007FFC5A2E0000-memory.dmp

memory/1764-245-0x0000000000400000-0x0000000000874000-memory.dmp

C:\Program Files (x86)\4.exe

MD5 39e7be73c7531ac895f75834fdc1bcd6
SHA1 646b88b488cf673c38b56fe7748c70b31bb29fc3
SHA256 a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195
SHA512 e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

C:\Users\Admin\AppData\Local\Temp\4BIfRNA7.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Windows\wic.exe

MD5 6ad65b03e75bc5509ba3104510178ee6
SHA1 dba73f97938d2dab4bf8fb8076b363db82ad3a16
SHA256 4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6
SHA512 976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

C:\Users\Admin\AppData\Local\Temp\4BIfRNA7.xlsm

MD5 58b0de28ac77d18f3bf0269806e556f4
SHA1 a172df9cd00a58a5b5aaaf588d8f6b8b94bae590
SHA256 c1f35354d4b9e4ad563c4caa910cb9cb9ae9b5614a52fa4ac1e3a4118212b8c8
SHA512 17d8d889c646f73824c21b956e7bf8ac79ee11408ee3402fd08498e04175a0d327d3926819d3e49f764402dbe087382f9dade6f068af42e4a1e99a8afe086816

memory/2228-322-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3172-338-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1136-341-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/3756-340-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/3804-336-0x0000000000400000-0x00000000004A4000-memory.dmp

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-4089630652-1596403869-279772308-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

MD5 fe90d5da49104eda6b8356126c4a325a
SHA1 54cfba4587bf9aef30d5131de0badf053f666a1b
SHA256 770f2e38bfaa00f4796511f4d38fc76259a764ed60d7c256ba03b2cc25d58576
SHA512 b557a3e6364fec76223107995dd8b9cce6d06c6f67efa288c91b01919d84f9d25b316753d902c77db321e6081295a1023d5d06f7fb27980bfb27a4b1fe6a584f