| File name: | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3 |
| Full analysis: | https://app.any.run/tasks/16c46a6a-195d-425d-a304-71e226e723bb |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | April 12, 2025, 02:28:53 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | 907F9C91B244D64558C8521CAD9545AE |
| SHA1: | DA3213FD010F6DEFBFC2A63BDA0A60F122F8C2A0 |
| SHA256: | 0FF7A7F348C9403E673AB17B7847645F5320E04BF469556DBBD518CCA17E93A3 |
| SSDEEP: | 24576:O3HzLnqOaNMCFJ6kPvOxrcg0i7uF2ils:O3HzLnqOaNMCFJ6kPvO1cg0i7vils |
MALICIOUS
Executing a file with an untrusted certificate
- ._cache_0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 6660)
XRED mutex has been found
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
- Synaptics.exe (PID: 1228)
Changes the autorun value in the registry
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
XRED has been detected (YARA)
- Synaptics.exe (PID: 1228)
SUSPICIOUS
Reads security settings of Internet Explorer
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
- Synaptics.exe (PID: 1228)
Executable content was dropped or overwritten
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
There is functionality for taking screenshot (YARA)
- Synaptics.exe (PID: 1228)
There is functionality for communication dyndns network (YARA)
- Synaptics.exe (PID: 1228)
There is functionality for communication over UDP network (YARA)
- Synaptics.exe (PID: 1228)
INFO
Checks supported languages
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
- Synaptics.exe (PID: 1228)
Reads the computer name
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
- Synaptics.exe (PID: 1228)
The sample compiled with turkish language support
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
Creates files in the program directory
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
- Synaptics.exe (PID: 1228)
Process checks computer location settings
- 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe (PID: 5552)
Checks proxy server information
- Synaptics.exe (PID: 1228)
- slui.exe (PID: 6712)
Compiled with Borland Delphi (YARA)
- conhost.exe (PID: 7052)
- Synaptics.exe (PID: 1228)
- slui.exe (PID: 6712)
Reads the machine GUID from the registry
- Synaptics.exe (PID: 1228)
Create files in a temporary directory
- Synaptics.exe (PID: 1228)
Reads the software policy settings
- Synaptics.exe (PID: 1228)
- slui.exe (PID: 6712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:04:22 23:35:21+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 629760 |
| InitializedDataSize: | 175104 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9ab80 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.4 |
| ProductVersionNumber: | 1.0.0.4 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Turkish |
| CharacterSet: | Windows, Turkish |
| CompanyName: | CRACK BY RETRIX |
| FileDescription: | SS CRACK RETRIX |
| FileVersion: | 1.1.1.1 |
| InternalName: | - |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFileName: | - |
| ProductName: | SS CRACK RETRIX |
| ProductVersion: | 1.0.0.0 |
| Comments: | Modified by an unpaid evaluation copy of Resource Tuner 2. http://www.heaventools.com |
Total processes
130
Monitored processes
6
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1228 | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | C:\ProgramData\Synaptics\Synaptics.exe | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | ||||||||||||
User: admin Company: CRACK BY RETRIX Integrity Level: HIGH Description: SS CRACK RETRIX Version: 1.1.1.1 Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5552 | "C:\Users\admin\Desktop\0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe" | C:\Users\admin\Desktop\0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | explorer.exe | ||||||||||||
User: admin Company: CRACK BY RETRIX Integrity Level: MEDIUM Description: SS CRACK RETRIX Exit code: 0 Version: 1.1.1.1 Modules
| |||||||||||||||
| 6660 | "C:\Users\admin\Desktop\._cache_0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe" | C:\Users\admin\Desktop\._cache_0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | — | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225781 Modules
| |||||||||||||||
| 6712 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7052 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ._cache_0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 840
Read events
7 834
Write events
6
Delete events
0
Modification events
| (PID) Process: | (5552) 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (5552) 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | SS CRACK RETRIX |
Value: C:\ProgramData\Synaptics\Synaptics.exe | |||
| (PID) Process: | (5552) 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA7D000000 | |||
| (PID) Process: | (1228) Synaptics.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1228) Synaptics.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1228) Synaptics.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5552 | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | C:\ProgramData\Synaptics\Synaptics.exe | executable | |
MD5:907F9C91B244D64558C8521CAD9545AE | SHA256:0FF7A7F348C9403E673AB17B7847645F5320E04BF469556DBBD518CCA17E93A3 | |||
| 5552 | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | C:\Users\admin\Desktop\._cache_0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | executable | |
MD5:0E20BFFF0E17B23201C1EE8859A4E12A | SHA256:075E7AC339E22A77101D227B139A2010B2E97126BB90A6C96CBDEC887443DA0C | |||
| 1228 | Synaptics.exe | C:\Users\admin\AppData\Local\Temp\ntEtePh.ini | html | |
MD5:3332A0390C2EED838230ACB88FF707E4 | SHA256:4E9117FC540F386A35AD56858F32BA8D34D4C0B6B5F75758ABEC7A03B34A0DD5 | |||
| 5552 | 0ff7a7f348c9403e673ab17b7847645f5320e04bf469556dbbd518cca17e93a3.exe | C:\ProgramData\Synaptics\RCXBF3B.tmp | executable | |
MD5:B4114FFA9D8445E81CF9FC67F78CAF3E | SHA256:9C3D456AAB6FB999A180948F00D173ED116B51471D2ED3B26030ED3501BD4B8D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
8
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 303 | 74.125.143.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | — | — | — |
— | — | GET | 303 | 74.125.143.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | — | — | — |
— | — | GET | 303 | 74.125.143.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | — | — | — |
— | — | GET | 404 | 142.250.186.33:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted |
— | — | GET | 404 | 142.250.186.33:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted |
— | — | GET | 404 | 142.250.186.33:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6652 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6652 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6652 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1228 | Synaptics.exe | 69.42.215.252:80 | freedns.afraid.org | AWKNET | US | whitelisted |
2196 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
2196 | svchost.exe | 224.0.0.251:5353 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
xred.mooo.com |
| whitelisted |
freedns.afraid.org |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
docs.google.com |
| whitelisted |
drive.usercontent.google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |
— | — | A Network Trojan was detected | ET MALWARE Snake Keylogger Payload Request (GET) |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |
— | — | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe |