Malware Analysis Report

2025-01-06 10:59

Sample ID 240603-fc6zxsbh2v
Target e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1
SHA256 e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1
Tags
xred backdoor discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1

Threat Level: Known bad

The file e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1 was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery evasion persistence

Xred

Modifies visibility of hidden/system files in Explorer

Xred family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:44

Reported

2024-06-03 04:47

Platform

win7-20240215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 1724 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 1724 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 1724 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 2976 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 1724 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1724 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1724 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1724 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2200 wrote to memory of 2428 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 2976 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2976 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2976 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2976 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2760 wrote to memory of 2416 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2760 wrote to memory of 2416 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2760 wrote to memory of 2416 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2760 wrote to memory of 2416 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2848 wrote to memory of 1596 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2848 wrote to memory of 1596 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2848 wrote to memory of 1596 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2848 wrote to memory of 1596 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 2416 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 1596 wrote to memory of 2712 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1596 wrote to memory of 2712 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1596 wrote to memory of 2712 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1596 wrote to memory of 2712 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2712 wrote to memory of 1892 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2712 wrote to memory of 1892 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2712 wrote to memory of 1892 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2712 wrote to memory of 1892 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1892 wrote to memory of 1612 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1892 wrote to memory of 1612 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1892 wrote to memory of 1612 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1892 wrote to memory of 1612 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1596 wrote to memory of 1532 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1596 wrote to memory of 1532 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1596 wrote to memory of 1532 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1596 wrote to memory of 1532 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp
PID 2596 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

"C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

\??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp" /SL5="$7011E,779776,0,c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe "

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:46 /f

C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PDRRS.tmp\._cache_synaptics.tmp" /SL5="$1023E,779776,0,c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:47 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:48 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

memory/1724-0-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

MD5 90844acba37cce66801450041d1c4fe2
SHA1 22c8df52e2b64181e70cf255f71a8f14d40b9300
SHA256 6c32359f4df5788d43d501cad9b32897722585ea7dc76ba9bc28c7c1e26788ac
SHA512 b284f25af7812949510b7176b136b0b0ff9503c230d268c80664ba6d7eafec1939be5bf0f199acab399f82c925b554604a1ba80e287e02a6a695ea80431eb461

memory/1724-6-0x0000000004240000-0x000000000425F000-memory.dmp

memory/2976-9-0x0000000000400000-0x000000000041F000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 08f66e65fc813fd7771ccb0ac7220ff6
SHA1 aa91200d6ff18743f536c155998e2f01ba8c502c
SHA256 e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1
SHA512 7852dc5f3da3637f4b9170ffa1e50ab3301040e139db3d0ae196faa3fe35fc31f732ed3850f872593fcbb9d202e8ead58a05d6c11a5b0e20529bc17af9710a3d

\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

MD5 594d0d0326346edeacee732fd26d8354
SHA1 c35a1954263148b7d3b8a116bff124c0dea4694b
SHA256 65e134d41455262e5f1b4d9fd6db3d8e3ca891a1e93fc312bd525c1e853d665a
SHA512 cc23ae817a2282d5b7cc00e8a4a6e42a5ffca6e3cb391fcc67b708685dc6109563013de1bdd2e965342fa415002db016a19acbe9a59622ba52c5a5d411cfe5ac

memory/2200-29-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1724-40-0x0000000000400000-0x000000000070D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8UUQN.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp

MD5 8040f870cd42eccafccc09e53583c279
SHA1 0b325929c7b21fea97cb4cb1be827af7285fcfaf
SHA256 c2cbe6d07a350d84d9296102f42203d167a1363bd7b9e875238c719c51aa3afe
SHA512 064817fc706051a3d6a1011a7f101d640929c12c79de571b1d46242db4e7375803300b77a9519e861415a8f4a5097dcf9a039568f6d3f45ecdc42bec95747e43

\Windows\Resources\Themes\icsys.icn.exe

MD5 2669b01d2d03b294374b0ec3705e0000
SHA1 b70e311c3be4ba997e87e1efbe9b2ee7a3608eec
SHA256 e4d7c007eda2f4bec99482e39526428641981040cc9c46515a9d0e7c4887cf06
SHA512 eb14d06476db5a491938092502198198dcd6417ae199f526b745cb24607d0cc9f1090d143baf623cb7655a16c313ef129490ea8321c9da3372258b84a68e95c1

memory/2848-67-0x00000000002A0000-0x00000000002BF000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 d283cbae4667c932d65f0219a3282894
SHA1 90a1723c1770a51a27777d936f3be664a7ffc744
SHA256 de25630854297765a2d54a3b08480c0407a650c2fffa8a1931f9da744574a004
SHA512 eb1634e021c710aa2da79a5282acccbfba1c9daa08fed25d21fa93175cc063a5d9e5017bbbfdf3e887646cb6908d50095c95fdba2c5b5e7f78036d608c7c5b40

\Windows\Resources\spoolsv.exe

MD5 e8a06208a9d0fb4ca815e5f77f9c73d4
SHA1 0797b52e054d631ecf81eb505d4e60faa704fc98
SHA256 1e2b3221f20257184b8281d896279db37a31d23bdaa00540aa79b7e8adcf0991
SHA512 04203c34960d52398c288302f2e6347b8ac0d20cd04f12538c80514da70cd78b26ef68a7a5f8d10bf6a46e16af45e39cb04d23c6aa6c246bae1782e7f2abb107

\??\c:\windows\resources\svchost.exe

MD5 60c8c49bb66638810ad9c12b30d11bfa
SHA1 3a3e975f14369fe956f5a1690aa5873c7d6645ba
SHA256 f018849bfc342ad110cad29c68775df3444c6efdf1b63b2a201235dcae47c3a3
SHA512 38e543d0d6b36b81011f8be344134b932303cadc471b9817d1ca112d2519b1886be6cf1e786fefeedcb674c020d0cc9514052003d7e12c60c72aee7d63703c98

memory/2712-118-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2848-119-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1960-134-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2392-135-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2416-136-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2832-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2976-120-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1612-117-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1612-115-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8vnrqUk.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

memory/1892-111-0x0000000000280000-0x000000000029F000-memory.dmp

memory/2712-103-0x00000000002F0000-0x000000000030F000-memory.dmp

memory/2596-97-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2712-92-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2200-157-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2760-158-0x0000000000400000-0x000000000070D000-memory.dmp

memory/2428-159-0x0000000000400000-0x0000000000707000-memory.dmp

memory/2596-160-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1260-161-0x0000000000400000-0x0000000000707000-memory.dmp

memory/2760-163-0x0000000000400000-0x000000000070D000-memory.dmp

memory/2760-184-0x0000000000400000-0x000000000070D000-memory.dmp

memory/2760-217-0x0000000000400000-0x000000000070D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:44

Reported

2024-06-03 04:47

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 4848 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 4848 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe
PID 4848 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4848 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4848 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4220 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 4220 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 4220 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 
PID 3360 wrote to memory of 1752 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3360 wrote to memory of 1752 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3360 wrote to memory of 1752 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4072 wrote to memory of 2380 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 4072 wrote to memory of 2380 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 4072 wrote to memory of 2380 N/A \??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe  C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp
PID 4220 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4220 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4220 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3140 wrote to memory of 4388 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3140 wrote to memory of 4388 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3140 wrote to memory of 4388 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4388 wrote to memory of 4356 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4388 wrote to memory of 4356 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4388 wrote to memory of 4356 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1752 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 1752 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 1752 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 4356 wrote to memory of 2524 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4356 wrote to memory of 2524 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4356 wrote to memory of 2524 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2524 wrote to memory of 5052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2524 wrote to memory of 5052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2524 wrote to memory of 5052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1068 wrote to memory of 3200 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp
PID 1068 wrote to memory of 3200 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp
PID 1068 wrote to memory of 3200 N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp
PID 1752 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1752 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1752 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
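The table above records one row per cross-process write, so every parent/child pair appears three times and the actual execution chain is hard to follow. The script below is an added example, not part of the sandbox report or its tooling: it transcribes the table into one tuple per distinct parent/child pair, rebuilds the process tree, and flags PIDs whose image name is a Windows system binary (explorer.exe, svchost.exe, spoolsv.exe) running from a directory other than that binary's home. The `\??\` prefix on some rows is the NT object-manager form of the path and is stripped before comparison; the two image names that end in a space are reported that way by the sandbox (the Files section lists that file separately with its own hash). The "home directory" table and the reading of the tree are the editor's assumptions.

```python
"""Rebuild the detonation's process tree from the WriteProcessMemory table above."""
import ntpath
from collections import defaultdict

SAMPLE = "e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1"
TMP = r"C:\Users\Admin\AppData\Local\Temp"          # Win32 form used on most rows
NT_TMP = r"\??\c:\users\admin\appdata\local\temp"   # NT object-manager form used on others
RES = r"\??\c:\windows\resources"


def tmp(name):
    return ntpath.join(TMP, name)


def nt_tmp(name):
    return NT_TMP + "\\" + name


# (parent PID, child PID, parent image, child image): one tuple per distinct row
# of the table above. Trailing spaces in two names are copied from the report.
EDGES = [
    (4848, 4220, tmp(f"{SAMPLE}.exe"), tmp(f"._cache_{SAMPLE}.exe")),
    (4848, 3360, tmp(f"{SAMPLE}.exe"), r"C:\ProgramData\Synaptics\Synaptics.exe"),
    (4220, 4072, tmp(f"._cache_{SAMPLE}.exe"), nt_tmp(f"._cache_{SAMPLE}.exe ")),
    (3360, 1752, r"C:\ProgramData\Synaptics\Synaptics.exe", tmp("._cache_Synaptics.exe")),
    (4072, 2380, nt_tmp(f"._cache_{SAMPLE}.exe "),
     tmp(ntpath.join("is-PCH7F.tmp", f"._cache_{SAMPLE}.tmp"))),
    (4220, 3140, tmp(f"._cache_{SAMPLE}.exe"), r"C:\Windows\Resources\Themes\icsys.icn.exe"),
    (3140, 4388, r"C:\Windows\Resources\Themes\icsys.icn.exe", RES + r"\themes\explorer.exe"),
    (4388, 4356, RES + r"\themes\explorer.exe", RES + r"\spoolsv.exe"),
    (1752, 1068, tmp("._cache_Synaptics.exe"), nt_tmp("._cache_synaptics.exe ")),
    (4356, 2524, RES + r"\spoolsv.exe", RES + r"\svchost.exe"),
    (2524, 5052, RES + r"\svchost.exe", RES + r"\spoolsv.exe"),
    (1068, 3200, nt_tmp("._cache_synaptics.exe "),
     tmp(ntpath.join("is-I3C3J.tmp", "._cache_synaptics.tmp"))),
    (1752, 3504, tmp("._cache_Synaptics.exe"), r"C:\Windows\Resources\Themes\icsys.icn.exe"),
]

# Assumed home directory of each system binary (lower-case, compared exactly).
SYSTEM_BINARY_HOME = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}


def build_tree(edges):
    """Collapse the per-write rows into parent -> [children], PID -> image, and the root PIDs."""
    children = defaultdict(list)
    image = {}
    for parent, child, parent_image, child_image in edges:
        image.setdefault(parent, parent_image)
        image.setdefault(child, child_image)
        if child not in children[parent]:
            children[parent].append(child)
    targets = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in targets]
    return children, image, roots


def win32_path(path):
    """Lower-case the path and drop the NT object-manager prefix so both forms compare equal."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading(image):
    """PIDs whose image is named like a system binary but lives outside that binary's home."""
    hits = {}
    for pid, path in image.items():
        p = win32_path(path)
        home = SYSTEM_BINARY_HOME.get(ntpath.basename(p))
        if home is not None and ntpath.dirname(p) != home:
            hits[pid] = p
    return hits


def render(children, image, pid, depth=0):
    """Indented tree, one line per PID, depth-first in the order the writes were reported."""
    lines = [f"{'    ' * depth}{pid}  {image[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, image, roots = build_tree(EDGES)
    for root in roots:
        print("\n".join(render(children, image, root)))
    for pid, path in masquerading(image).items():
        print(f"masquerade: PID {pid} runs {path}")
```

Run stand-alone it prints the 14-process tree rooted at PID 4848 and four masquerade hits (PIDs 4388, 4356, 2524 and 5052, all under c:\windows\resources). The same two functions work on any export in this row format; only the EDGES list is specific to this detonation.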

Processes

C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

"C:\Users\Admin\AppData\Local\Temp\e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

\??\c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp" /SL5="$40058,779776,0,c:\users\admin\appdata\local\temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe "

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-I3C3J.tmp\._cache_synaptics.tmp" /SL5="$2027E,779776,0,c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3748 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 23.44.234.16:80 tcp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp

Files

memory/4848-0-0x0000000000820000-0x0000000000821000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe

MD5 90844acba37cce66801450041d1c4fe2
SHA1 22c8df52e2b64181e70cf255f71a8f14d40b9300
SHA256 6c32359f4df5788d43d501cad9b32897722585ea7dc76ba9bc28c7c1e26788ac
SHA512 b284f25af7812949510b7176b136b0b0ff9503c230d268c80664ba6d7eafec1939be5bf0f199acab399f82c925b554604a1ba80e287e02a6a695ea80431eb461

memory/4848-51-0x0000000000400000-0x000000000070D000-memory.dmp

memory/4220-65-0x0000000000400000-0x000000000041F000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 08f66e65fc813fd7771ccb0ac7220ff6
SHA1 aa91200d6ff18743f536c155998e2f01ba8c502c
SHA256 e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1
SHA512 7852dc5f3da3637f4b9170ffa1e50ab3301040e139db3d0ae196faa3fe35fc31f732ed3850f872593fcbb9d202e8ead58a05d6c11a5b0e20529bc17af9710a3d

memory/4848-133-0x0000000000400000-0x000000000070D000-memory.dmp

memory/3360-134-0x0000000002360000-0x0000000002361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.exe 

MD5 594d0d0326346edeacee732fd26d8354
SHA1 c35a1954263148b7d3b8a116bff124c0dea4694b
SHA256 65e134d41455262e5f1b4d9fd6db3d8e3ca891a1e93fc312bd525c1e853d665a
SHA512 cc23ae817a2282d5b7cc00e8a4a6e42a5ffca6e3cb391fcc67b708685dc6109563013de1bdd2e965342fa415002db016a19acbe9a59622ba52c5a5d411cfe5ac

memory/4072-190-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1752-203-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PCH7F.tmp\._cache_e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1.tmp

MD5 8040f870cd42eccafccc09e53583c279
SHA1 0b325929c7b21fea97cb4cb1be827af7285fcfaf
SHA256 c2cbe6d07a350d84d9296102f42203d167a1363bd7b9e875238c719c51aa3afe
SHA512 064817fc706051a3d6a1011a7f101d640929c12c79de571b1d46242db4e7375803300b77a9519e861415a8f4a5097dcf9a039568f6d3f45ecdc42bec95747e43

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 2669b01d2d03b294374b0ec3705e0000
SHA1 b70e311c3be4ba997e87e1efbe9b2ee7a3608eec
SHA256 e4d7c007eda2f4bec99482e39526428641981040cc9c46515a9d0e7c4887cf06
SHA512 eb14d06476db5a491938092502198198dcd6417ae199f526b745cb24607d0cc9f1090d143baf623cb7655a16c313ef129490ea8321c9da3372258b84a68e95c1

C:\Windows\Resources\Themes\explorer.exe

MD5 dfe996c1d1044dce8836f16f9e44e2db
SHA1 3f3568c4eefe63f2923efff831bb115e59284f30
SHA256 99d46418afbcc68aa7c043cb4c5bdd9fe70390eb22669049535ebe6774d08a2a
SHA512 7df266329eee109b70fc575fc4d94f5643c28fea1e82d535ca5e19f75e6b8c40dab063d52b136c60af4307329555c1a7401aab36e68c743fff458a5a4f927b56

C:\Windows\Resources\spoolsv.exe

MD5 0e7852a621c8d453b90f61bfd15ed1b9
SHA1 47b0008d233d61c45e7144003fcefd9e7b4b498a
SHA256 9f0b2e2e5f17235e8f936bd07ee726f7fd6d29c4bcc25aca3384f9a3e62f305d
SHA512 b35d2e83df487ab3446f0f0ca87c6e31b570f029ca22360a54b5755e7a366272cbafa72244b5229278dd3cf1398a48534596d9d839e77aef206a2c0a0d9d6e7d

memory/1068-238-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 c4483989fd0deb21a7ed94682f307f4e
SHA1 2d2c4fdb51397d1ca43c57b05cabbb40e2ca6793
SHA256 50fb3d27d45290e06617ce8c87110caee0f122e122555c7f6c62ce6db7669d70
SHA512 ea62b818fab829fda29d498a88aa0d72aaa0586a08807ddf214d8c26a572a99c0cd8fb2e793c36a898cbddd190c2bf009ec97235ee01007a56143f62a034b81e

memory/5052-258-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3140-261-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4220-263-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4356-262-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1752-260-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3504-259-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3360-264-0x0000000000400000-0x000000000070D000-memory.dmp

memory/2380-266-0x0000000000400000-0x0000000000707000-memory.dmp

memory/3360-267-0x0000000002360000-0x0000000002361000-memory.dmp

memory/4072-265-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1068-268-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3200-269-0x0000000000400000-0x0000000000707000-memory.dmp

memory/3360-270-0x0000000000400000-0x000000000070D000-memory.dmp

memory/3360-314-0x0000000000400000-0x000000000070D000-memory.dmp
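The Network table above mixes three kinds of rows: the sample's own lookups (xred.mooo.com and freedns.afraid.org are FreeDNS dynamic-DNS names, and 69.42.215.252:80 is the connection that followed), connections to shared Google services that cannot be blocked on their own and need to be tied to the process that made them, and background traffic such as reverse (PTR) lookups through the detonation's resolver at 8.8.8.8 and mDNS to 224.0.0.251. The Files table likewise mixes dropped files with memory dumps, and shows that C:\ProgramData\Synaptics\Synaptics.exe carries the same SHA256 as the submitted sample, and that one dropped file name ends in a space. The script below is an added example, not part of the sandbox report: it transcribes a subset of both tables and applies the editor's own triage rules (which suffixes count as dynamic DNS or shared SaaS is an assumption to adjust per environment) to produce a hunt list with the noise removed.

```python
"""Turn the Network and Files tables above into a de-noised hunt list."""
import ipaddress
import ntpath

SAMPLE_SHA256 = "e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# (country, destination, domain, proto): a subset of the Network rows above,
# "" where the Domain column is empty.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "23.44.234.16:80", "", "tcp"),
    ("US", "8.8.8.8:53", "xred.mooo.com", "udp"),
    ("US", "8.8.8.8:53", "freedns.afraid.org", "udp"),
    ("US", "69.42.215.252:80", "freedns.afraid.org", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("GB", "142.250.200.14:443", "docs.google.com", "tcp"),
    ("GB", "142.250.179.225:443", "drive.usercontent.google.com", "tcp"),
]

# (path, sha256) from the Files section; memory dumps carry no hash (None).
FILE_ROWS = [
    ("memory/4848-0-0x0000000000820000-0x0000000000821000-memory.dmp", None),
    (TMP + r"\._cache_" + SAMPLE_SHA256 + ".exe",
     "6c32359f4df5788d43d501cad9b32897722585ea7dc76ba9bc28c7c1e26788ac"),
    (r"C:\ProgramData\Synaptics\Synaptics.exe",
     "e01919eb67455c95885c97e32d1d4f5ac771ce497667d771749abfc98c84ddf1"),
    (TMP + r"\._cache_" + SAMPLE_SHA256 + ".exe ",   # trailing space is in the report
     "65e134d41455262e5f1b4d9fd6db3d8e3ca891a1e93fc312bd525c1e853d665a"),
    (TMP + r"\is-PCH7F.tmp\._cache_" + SAMPLE_SHA256 + ".tmp",
     "c2cbe6d07a350d84d9296102f42203d167a1363bd7b9e875238c719c51aa3afe"),
    (r"C:\Windows\Resources\Themes\icsys.icn.exe",
     "e4d7c007eda2f4bec99482e39526428641981040cc9c46515a9d0e7c4887cf06"),
    (r"C:\Windows\Resources\Themes\explorer.exe",
     "99d46418afbcc68aa7c043cb4c5bdd9fe70390eb22669049535ebe6774d08a2a"),
    (r"C:\Windows\Resources\spoolsv.exe",
     "9f0b2e2e5f17235e8f936bd07ee726f7fd6d29c4bcc25aca3384f9a3e62f305d"),
    (r"C:\Windows\Resources\svchost.exe",
     "50fb3d27d45290e06617ce8c87110caee0f122e122555c7f6c62ce6db7669d70"),
    ("memory/5052-258-0x0000000000400000-0x000000000041F000-memory.dmp", None),
]

DYNAMIC_DNS = (".mooo.com", ".afraid.org")   # assumption: FreeDNS (afraid.org) shared domains
SHARED_SAAS = (".google.com",)               # assumption: endpoints shared with legitimate traffic


def classify_network(row):
    """One verdict per row: noise / hunt / attribute / review."""
    _country, dest, domain, _proto = row
    host, _, _port = dest.rpartition(":")
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "noise: reverse (PTR) lookup of an address the host talked to"
    if ipaddress.ip_address(host).is_multicast:
        return "noise: multicast (mDNS) traffic"
    if d.endswith(DYNAMIC_DNS):
        return "hunt: dynamic-DNS host"
    if d.endswith(SHARED_SAAS):
        return "attribute: shared SaaS endpoint, tie it to the process before blocking"
    if not d:
        return "review: bare IP with no resolved name, check passive DNS"
    return "review: unclassified"


def network_indicators(rows):
    """Unique (kind, value, verdict) triples. On DNS rows only the queried name is
    an indicator; the resolver address (8.8.8.8 here) never is."""
    out, seen = [], set()
    for row in rows:
        verdict = classify_network(row)
        _country, dest, domain, _proto = row
        host, _, port = dest.rpartition(":")
        items = [("domain", domain.lower())] if domain else [("ip", host)]
        if domain and port != "53":
            items.append(("ip", host))
        for item in items:
            if item not in seen:
                seen.add(item)
                out.append((*item, verdict))
    return out


def file_indicators(rows, sample_sha256=SAMPLE_SHA256):
    """(path, sha256, note) for on-disk artefacts; memory dumps are dropped."""
    out = []
    for path, sha256 in rows:
        if sha256 is None:
            continue
        notes = []
        if sha256 == sample_sha256:
            notes.append("byte-identical copy of the submitted sample")
        if ntpath.basename(path).startswith("._cache_"):
            notes.append("._cache_ prefix, dropped by the sample")
        if path != path.rstrip():
            notes.append("name ends in a space, quote it when hunting")
        out.append((path, sha256, "; ".join(notes) or "dropped file"))
    return out


if __name__ == "__main__":
    for kind, value, verdict in network_indicators(NETWORK_ROWS):
        if not verdict.startswith("noise"):
            print(f"{kind:6} {value:45} {verdict}")
    for path, sha256, note in file_indicators(FILE_ROWS):
        print(f"file   {sha256[:12]}  {path!r}  {note}")
```

Run stand-alone it prints the two dynamic-DNS names and 69.42.215.252 as hunt items, the Google endpoints as attribute-only, the two bare IPs for review, and the eight dropped files with their hashes; the PTR lookups, the mDNS row and both memory dumps are dropped. Paths are printed with repr() so the trailing space on the second `._cache_` file is visible.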