File name:

SECUREBYTEGUI.exe

Full analysis: https://app.any.run/tasks/5e115bbf-895d-4945-b0fb-17054dfc57de
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: January 10, 2025, 18:45:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dyndns
xred
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

5FA89257FFE3D63A516C62DA039D0750

SHA1:

B059C9C996CAD2BA4ABC6B60EE666C2E6F76FA7A

SHA256:

610FF05C8F1526B31828D9686E0253067A243F6A9699E5D5E5042D9093B91E67

SSDEEP:

98304:wr7ayGJ6kHOSJ7/6gW6gn6grDwKa7Qy6gaE:pigBg6gFgF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • SECUREBYTEGUI.exe (PID: 748)

    • Connects to the CnC server

      • Synaptics.exe (PID: 3564)

    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 3564)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SECUREBYTEGUI.exe (PID: 748)
      • Synaptics.exe (PID: 3564)

    • Contacting a server suspected of hosting an CnC

      • Synaptics.exe (PID: 3564)

    • Executable content was dropped or overwritten

      • SECUREBYTEGUI.exe (PID: 748)

    • Executes application which crashes

      • ._cache_SECUREBYTEGUI.exe (PID: 4624)

    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 3564)

    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 3564)

    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 3564)

    • Checks Windows Trust Settings

      • Synaptics.exe (PID: 3564)

  • INFO

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5588)

    • Reads the computer name

      • SECUREBYTEGUI.exe (PID: 748)
      • ._cache_SECUREBYTEGUI.exe (PID: 4624)
      • Synaptics.exe (PID: 3564)

    • Checks proxy server information

      • WerFault.exe (PID: 5588)
      • Synaptics.exe (PID: 3564)

    • Checks supported languages

      • ._cache_SECUREBYTEGUI.exe (PID: 4624)
      • SECUREBYTEGUI.exe (PID: 748)
      • Synaptics.exe (PID: 3564)

    • Process checks computer location settings

      • SECUREBYTEGUI.exe (PID: 748)

    • The sample compiled with turkish language support

      • SECUREBYTEGUI.exe (PID: 748)

    • Reads the machine GUID from the registry

      • ._cache_SECUREBYTEGUI.exe (PID: 4624)
      • Synaptics.exe (PID: 3564)

    • Reads the software policy settings

      • WerFault.exe (PID: 5588)
      • Synaptics.exe (PID: 3564)

    • Create files in a temporary directory

      • Synaptics.exe (PID: 3564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (90.9)
.exe | Win32 EXE PECompact compressed (generic) (5.6)
.exe | Win32 Executable Delphi generic (1.9)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 2529280
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securebytegui.exe ._cache_securebytegui.exe #XRED synaptics.exe werfault.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
748"C:\Users\admin\Desktop\SECUREBYTEGUI.exe" C:\Users\admin\Desktop\SECUREBYTEGUI.exe
explorer.exe
User:
admin
Company:
Synaptics
Integrity Level:
MEDIUM
Description:
Synaptics Pointing Device Driver
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\desktop\securebytegui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4624"C:\Users\admin\Desktop\._cache_SECUREBYTEGUI.exe" C:\Users\admin\Desktop\._cache_SECUREBYTEGUI.exe
SECUREBYTEGUI.exe
User:
admin
Company:
DeepRET
Integrity Level:
MEDIUM
Description:
MD BYTE Obfuscator
Exit code:
3762504530
Version:
1.1.0.0
Modules
Images
c:\users\admin\desktop\._cache_securebytegui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
3564"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdateC:\ProgramData\Synaptics\Synaptics.exe
SECUREBYTEGUI.exe
User:
admin
Company:
Synaptics
Integrity Level:
HIGH
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\programdata\synaptics\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5588C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4624 -s 1040C:\Windows\SysWOW64\WerFault.exe
._cache_SECUREBYTEGUI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
10 550
Read events
10 545
Write events
5
Delete events
0

Modification events

(PID) Process:(748) SECUREBYTEGUI.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(748) SECUREBYTEGUI.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Synaptics Pointing Device Driver
Value:
C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:(3564) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3564) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3564) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
4
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
5588WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_._cache_SECUREBY_4b6fe172c7f36ad1b43de73913b32d9d4991a0dd_895aee00_684effec-6092-49c1-98ee-a65046920c15\Report.wer
MD5:
SHA256:
5588WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\._cache_SECUREBYTEGUI.exe.4624.dmp
MD5:
SHA256:
748SECUREBYTEGUI.exeC:\ProgramData\Synaptics\RCX619B.tmpexecutable
MD5:E5B9CE787214A4CB422AC0B8CDDAE50D
SHA256:06DB8A9AF01E79466A18EE6CC72B7649EE000BC19CB6DBBBC9B12212FB631C51
5588WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6833.tmp.dmpbinary
MD5:548C043D27E6CF387D1EFB81FC08673B
SHA256:DE040CC094EBD399C227DD9A97EF15CC066ED9C5CA7E0BE185E9806A14C5C47B
748SECUREBYTEGUI.exeC:\Users\admin\Desktop\._cache_SECUREBYTEGUI.exeexecutable
MD5:E6DA7106C6B97B3D5015AA402DAA57EE
SHA256:7579295E68C78CC770AB66E5ADF53CBEB6C11A968158F79313F2A39F42FA19B3
5588WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER692E.tmp.WERInternalMetadata.xmlxml
MD5:2B377C5E2E893549ACBFBAC19BC31E5E
SHA256:8AA48BA2F6647C8C5ED0ADFF653865B5075A3F75D27A5EA5E5220878D59C0387
5588WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER695E.tmp.xmlxml
MD5:5B3072C3B0B90AB28E1AF7BE587FF379
SHA256:62765ED1B654D49467937EC179E448E0B219439082A578DF113E1F0A5EAE400E
3564Synaptics.exeC:\Users\admin\AppData\Local\Temp\gfS6FYK.inihtml
MD5:9E4753B7DE70D0E4902F1E6F054C8D49
SHA256:60525A734A7AD79461BA7B4E5CACA58AE1F1CA753C868EBB4F1C14081818D826
748SECUREBYTEGUI.exeC:\ProgramData\Synaptics\Synaptics.exeexecutable
MD5:5FA89257FFE3D63A516C62DA039D0750
SHA256:610FF05C8F1526B31828D9686E0253067A243F6A9699E5D5E5042D9093B91E67
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
22
DNS requests
10
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
303
108.177.96.84:443
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
unknown
3564
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
6060
svchost.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
303
108.177.96.84:443
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
unknown
6060
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
303
108.177.96.84:443
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
unknown
4008
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4008
RUXIMICS.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
404
216.58.206.33:443
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
unknown
html
1.61 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6060
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4008
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4008
RUXIMICS.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3564
Synaptics.exe
69.42.215.252:80
freedns.afraid.org
AWKNET
US
whitelisted
6060
svchost.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2192
svchost.exe
224.0.0.252:5355
whitelisted
5588
WerFault.exe
20.42.73.29:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
xred.mooo.com
whitelisted
crl.microsoft.com
  • 23.48.23.146
  • 23.48.23.147
  • 23.48.23.139
  • 23.48.23.137
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.145
  • 23.48.23.140
  • 23.48.23.193
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
docs.google.com
  • 172.217.18.110
whitelisted
drive.usercontent.google.com
  • 216.58.206.33
whitelisted
self.events.data.microsoft.com
  • 52.182.143.215
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SECUREBYTEGUI.exe