xred | 2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6

Analysis

max time kernel
55s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Size

7.4MB
MD5

7f22390ed7858a4530c0a47efe2b215e
SHA1

454afba3978700599c0862094c2ac50292188d89
SHA256

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6
SHA512

caf8cdcbcb7ca057016dd026d5d8fcced7d967c507dde5c79538281548a7c4aea004ff42870bbaff53899ada806fa39f77bfa30e5bc0efb3c36ba3362996b77d
SSDEEP

98304:rnsmtk2aUnsmtk2aansmtk2aensmtk2aGs+MQnPLeMNCvYaPhJTcYaxYEDzuWqbD:TLHLhL/LrsvyeMjguYax7z+bi+R

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 46 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe

pid	process
3424	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4156	icsys.icn.exe
3532	explorer.exe
3044	spoolsv.exe
3980	svchost.exe
4124	spoolsv.exe
3668	Synaptics.exe
1152	._cache_Synaptics.exe
1376	._cache_synaptics.exe
2788	icsys.icn.exe
3832	explorer.exe
2876	Synaptics.exe
3880	._cache_Synaptics.exe
2976	._cache_synaptics.exe
4804	icsys.icn.exe
4996	explorer.exe
636	Synaptics.exe
812	._cache_Synaptics.exe
1196	._cache_synaptics.exe
2624	icsys.icn.exe
392	explorer.exe
3572	Synaptics.exe
2916	._cache_Synaptics.exe
2680	._cache_synaptics.exe
5024	icsys.icn.exe
4424	explorer.exe
4592	Synaptics.exe
2988	._cache_Synaptics.exe
552	._cache_synaptics.exe
2308	icsys.icn.exe
1860	explorer.exe
4080	Synaptics.exe
4356	._cache_Synaptics.exe
1280	._cache_synaptics.exe
1160	icsys.icn.exe
460	explorer.exe
3936	Synaptics.exe
3080	._cache_Synaptics.exe
828	._cache_synaptics.exe
3968	icsys.icn.exe
3552	explorer.exe
3624	Synaptics.exe
3356	._cache_Synaptics.exe
1924	._cache_synaptics.exe
2968	icsys.icn.exe
4780	explorer.exe
5268	Synaptics.exe
5340	._cache_Synaptics.exe
5488	._cache_synaptics.exe
5520	icsys.icn.exe
5596	explorer.exe
5948	Synaptics.exe
6020	._cache_Synaptics.exe
2032	._cache_synaptics.exe
5128	icsys.icn.exe
5180	explorer.exe
5612	Synaptics.exe
5272	._cache_Synaptics.exe
5864	._cache_synaptics.exe
5808	icsys.icn.exe
5932	explorer.exe
1420	Synaptics.exe
5388	._cache_Synaptics.exe
5712	._cache_synaptics.exe

Loads dropped DLL 64 IoCs

Processes:

Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe

pid	process
2876	Synaptics.exe
2876	Synaptics.exe
2976	._cache_synaptics.exe
2976	._cache_synaptics.exe
636	Synaptics.exe
636	Synaptics.exe
1196	._cache_synaptics.exe
1196	._cache_synaptics.exe
3572	Synaptics.exe
3572	Synaptics.exe
2680	._cache_synaptics.exe
2680	._cache_synaptics.exe
4592	Synaptics.exe
4592	Synaptics.exe
552	._cache_synaptics.exe
552	._cache_synaptics.exe
4080	Synaptics.exe
4080	Synaptics.exe
1280	._cache_synaptics.exe
1280	._cache_synaptics.exe
3936	Synaptics.exe
3936	Synaptics.exe
828	._cache_synaptics.exe
828	._cache_synaptics.exe
3624	Synaptics.exe
3624	Synaptics.exe
1924	._cache_synaptics.exe
1924	._cache_synaptics.exe
5268	Synaptics.exe
5268	Synaptics.exe
5488	._cache_synaptics.exe
5488	._cache_synaptics.exe
5948	Synaptics.exe
5948	Synaptics.exe
2032	._cache_synaptics.exe
2032	._cache_synaptics.exe
5612	Synaptics.exe
5612	Synaptics.exe
5864	._cache_synaptics.exe
5864	._cache_synaptics.exe
1420	Synaptics.exe
1420	Synaptics.exe
5712	._cache_synaptics.exe
5712	._cache_synaptics.exe
4140	Synaptics.exe
4140	Synaptics.exe
5832	._cache_synaptics.exe
5832	._cache_synaptics.exe
3212	Synaptics.exe
3212	Synaptics.exe
5188	._cache_synaptics.exe
5188	._cache_synaptics.exe
4376	Synaptics.exe
4376	Synaptics.exe
2952	._cache_synaptics.exe
2952	._cache_synaptics.exe
5320	Synaptics.exe
5320	Synaptics.exe
5576	._cache_synaptics.exe
5576	._cache_synaptics.exe
6268	Synaptics.exe
6268	Synaptics.exe
6496	._cache_synaptics.exe
6496	._cache_synaptics.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_synaptics.exe ._cache_synaptics.exe explorer.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe svchost.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe 2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 27 IoCs

Processes:

._cache_Synaptics.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeexplorer.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exespoolsv.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeexplorer.exeSynaptics.exe._cache_synaptics.exe ._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeSynaptics.exeexplorer.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_Synaptics.exeexplorer.exeSynaptics.exeexplorer.exe._cache_Synaptics.exeSynaptics.exeicsys.icn.exe._cache_Synaptics.exe._cache_synaptics.exe 2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe._cache_synaptics.exe icsys.icn.exeicsys.icn.exeicsys.icn.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe ._cache_Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exespoolsv.exe._cache_Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe icsys.icn.exe._cache_Synaptics.exeexplorer.exe._cache_Synaptics.exeSynaptics.exeicsys.icn.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe explorer.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeSynaptics.exeexplorer.exeSynaptics.exeexplorer.exeicsys.icn.exeicsys.icn.exeexplorer.exe._cache_synaptics.exe ._cache_synaptics.exe icsys.icn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 46 IoCs

Processes:

Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe ._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exeSynaptics.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4184 EXCEL.EXE

pid	process
4184	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exe

pid	process
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
4156	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3532 explorer.exe
3980 svchost.exe

pid	process
3532	explorer.exe
3980	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1376	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exe

pid	process
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
4156	icsys.icn.exe
4156	icsys.icn.exe
3532	explorer.exe
3532	explorer.exe
3044	spoolsv.exe
3044	spoolsv.exe
3980	svchost.exe
3980	svchost.exe
4124	spoolsv.exe
4124	spoolsv.exe
1152	._cache_Synaptics.exe
1152	._cache_Synaptics.exe
4184	EXCEL.EXE
2788	icsys.icn.exe
2788	icsys.icn.exe
4184	EXCEL.EXE
3832	explorer.exe
3832	explorer.exe
3880	._cache_Synaptics.exe
3880	._cache_Synaptics.exe
2216	EXCEL.EXE
2216	EXCEL.EXE
2216	EXCEL.EXE
2216	EXCEL.EXE
2216	EXCEL.EXE
2216	EXCEL.EXE
4804	icsys.icn.exe
4804	icsys.icn.exe
4996	explorer.exe
4996	explorer.exe
812	._cache_Synaptics.exe
812	._cache_Synaptics.exe
904	EXCEL.EXE
904	EXCEL.EXE
2624	icsys.icn.exe
2624	icsys.icn.exe
392	explorer.exe
392	explorer.exe
904	EXCEL.EXE
904	EXCEL.EXE
2916	._cache_Synaptics.exe
2916	._cache_Synaptics.exe
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
5024	icsys.icn.exe
5024	icsys.icn.exe
4424	explorer.exe
4424	explorer.exe
2988	._cache_Synaptics.exe
2988	._cache_Synaptics.exe
2604	EXCEL.EXE
2604	EXCEL.EXE
2604	EXCEL.EXE
2604	EXCEL.EXE
2308	icsys.icn.exe
2308	icsys.icn.exe
1860	explorer.exe
1860	explorer.exe
4356	._cache_Synaptics.exe
4356	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe

description	pid	process	target process
PID 4456 wrote to memory of 3424	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 4456 wrote to memory of 3424	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 4456 wrote to memory of 3424	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 4456 wrote to memory of 4156	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 4456 wrote to memory of 4156	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 4456 wrote to memory of 4156	4456	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 4156 wrote to memory of 3532	4156	icsys.icn.exe	explorer.exe
PID 4156 wrote to memory of 3532	4156	icsys.icn.exe	explorer.exe
PID 4156 wrote to memory of 3532	4156	icsys.icn.exe	explorer.exe
PID 3532 wrote to memory of 3044	3532	explorer.exe	spoolsv.exe
PID 3532 wrote to memory of 3044	3532	explorer.exe	spoolsv.exe
PID 3532 wrote to memory of 3044	3532	explorer.exe	spoolsv.exe
PID 3044 wrote to memory of 3980	3044	spoolsv.exe	svchost.exe
PID 3044 wrote to memory of 3980	3044	spoolsv.exe	svchost.exe
PID 3044 wrote to memory of 3980	3044	spoolsv.exe	svchost.exe
PID 3980 wrote to memory of 4124	3980	svchost.exe	spoolsv.exe
PID 3980 wrote to memory of 4124	3980	svchost.exe	spoolsv.exe
PID 3980 wrote to memory of 4124	3980	svchost.exe	spoolsv.exe
PID 3424 wrote to memory of 3668	3424	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3424 wrote to memory of 3668	3424	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3424 wrote to memory of 3668	3424	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3668 wrote to memory of 1152	3668	Synaptics.exe	._cache_Synaptics.exe
PID 3668 wrote to memory of 1152	3668	Synaptics.exe	._cache_Synaptics.exe
PID 3668 wrote to memory of 1152	3668	Synaptics.exe	._cache_Synaptics.exe
PID 1152 wrote to memory of 1376	1152	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1152 wrote to memory of 1376	1152	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1152 wrote to memory of 1376	1152	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1152 wrote to memory of 2788	1152	._cache_Synaptics.exe	icsys.icn.exe
PID 1152 wrote to memory of 2788	1152	._cache_Synaptics.exe	icsys.icn.exe
PID 1152 wrote to memory of 2788	1152	._cache_Synaptics.exe	icsys.icn.exe
PID 2788 wrote to memory of 3832	2788	icsys.icn.exe	explorer.exe
PID 2788 wrote to memory of 3832	2788	icsys.icn.exe	explorer.exe
PID 2788 wrote to memory of 3832	2788	icsys.icn.exe	explorer.exe
PID 1376 wrote to memory of 2876	1376	._cache_synaptics.exe	Synaptics.exe
PID 1376 wrote to memory of 2876	1376	._cache_synaptics.exe	Synaptics.exe
PID 1376 wrote to memory of 2876	1376	._cache_synaptics.exe	Synaptics.exe
PID 2876 wrote to memory of 3880	2876	Synaptics.exe	._cache_Synaptics.exe
PID 2876 wrote to memory of 3880	2876	Synaptics.exe	._cache_Synaptics.exe
PID 2876 wrote to memory of 3880	2876	Synaptics.exe	._cache_Synaptics.exe
PID 3880 wrote to memory of 2976	3880	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3880 wrote to memory of 2976	3880	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3880 wrote to memory of 2976	3880	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3880 wrote to memory of 4804	3880	._cache_Synaptics.exe	icsys.icn.exe
PID 3880 wrote to memory of 4804	3880	._cache_Synaptics.exe	icsys.icn.exe
PID 3880 wrote to memory of 4804	3880	._cache_Synaptics.exe	icsys.icn.exe
PID 4804 wrote to memory of 4996	4804	icsys.icn.exe	explorer.exe
PID 4804 wrote to memory of 4996	4804	icsys.icn.exe	explorer.exe
PID 4804 wrote to memory of 4996	4804	icsys.icn.exe	explorer.exe
PID 2976 wrote to memory of 636	2976	._cache_synaptics.exe	Synaptics.exe
PID 2976 wrote to memory of 636	2976	._cache_synaptics.exe	Synaptics.exe
PID 2976 wrote to memory of 636	2976	._cache_synaptics.exe	Synaptics.exe
PID 636 wrote to memory of 812	636	Synaptics.exe	._cache_Synaptics.exe
PID 636 wrote to memory of 812	636	Synaptics.exe	._cache_Synaptics.exe
PID 636 wrote to memory of 812	636	Synaptics.exe	._cache_Synaptics.exe
PID 812 wrote to memory of 1196	812	._cache_Synaptics.exe	._cache_synaptics.exe
PID 812 wrote to memory of 1196	812	._cache_Synaptics.exe	._cache_synaptics.exe
PID 812 wrote to memory of 1196	812	._cache_Synaptics.exe	._cache_synaptics.exe
PID 812 wrote to memory of 2624	812	._cache_Synaptics.exe	icsys.icn.exe
PID 812 wrote to memory of 2624	812	._cache_Synaptics.exe	icsys.icn.exe
PID 812 wrote to memory of 2624	812	._cache_Synaptics.exe	icsys.icn.exe
PID 2624 wrote to memory of 392	2624	icsys.icn.exe	explorer.exe
PID 2624 wrote to memory of 392	2624	icsys.icn.exe	explorer.exe
PID 2624 wrote to memory of 392	2624	icsys.icn.exe	explorer.exe
PID 1196 wrote to memory of 3572	1196	._cache_synaptics.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- \??\c:\users\admin\appdata\local\temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
  c:\users\admin\appdata\local\temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1152
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2680
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3356
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1924
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5340
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5272
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5388
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:5712
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        Checks computer location settings
        Loads dropped DLL
        Modifies registry class
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        41⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        44⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        46⤵
        Drops file in Windows directory
        
        PID:5928
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        47⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        Checks computer location settings
        Loads dropped DLL
        Modifies registry class
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        Drops file in Windows directory
        
        PID:4676
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        50⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:5576
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        51⤵
        Checks computer location settings
        Loads dropped DLL
        Modifies registry class
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        52⤵
        Drops file in Windows directory
        
        PID:6328
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        53⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:6496
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        54⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        55⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        56⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7132
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        58⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        59⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6788
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        60⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        61⤵
        Drops file in Windows directory
        
        PID:5164
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        62⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6492
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        63⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        64⤵
        Drops file in Windows directory
        
        PID:740
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        65⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6148
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        66⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        67⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:7028
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        68⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        69⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        70⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        72⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        73⤵
        
        PID:6256
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        74⤵
        
        PID:6332
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        75⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        76⤵
        
        PID:5660
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        77⤵
        
        PID:1992
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        78⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        79⤵
        
        PID:6504
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        80⤵
        
        PID:5484
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        81⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        82⤵
        
        PID:3024
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        83⤵
        
        PID:5848
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        84⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        85⤵
        
        PID:7376
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        86⤵
        
        PID:7500
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        87⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        88⤵
        
        PID:8016
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        89⤵
        
        PID:8164
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        90⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        91⤵
        
        PID:7312
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        92⤵
        
        PID:7804
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        93⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        94⤵
        
        PID:7308
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        95⤵
        
        PID:7416
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        96⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        97⤵
        
        PID:8004
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        98⤵
        
        PID:4672
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        99⤵
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        100⤵
        
        PID:6412
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        101⤵
        
        PID:6888
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        102⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        103⤵
        
        PID:4712
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        104⤵
        
        PID:5616
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        105⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        106⤵
        
        PID:7576
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        107⤵
        
        PID:7368
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        108⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        109⤵
        
        PID:2144
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        110⤵
        
        PID:8088
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        111⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        112⤵
        
        PID:7924
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        113⤵
        
        PID:8000
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        114⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        115⤵
        
        PID:8396
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        116⤵
        
        PID:8508
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        117⤵
        
        PID:8940
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        118⤵
        
        PID:9036
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        119⤵
        
        PID:9136
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        120⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        121⤵
        
        PID:8656
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        122⤵
        
        PID:8824
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        123⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        124⤵
        
        PID:7184
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        125⤵
        
        PID:8532
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        126⤵
        
        PID:9004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        127⤵
        
        PID:8264
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        128⤵
        
        PID:8284
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        129⤵
        
        PID:8988
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        130⤵
        
        PID:8216
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        131⤵
        
        PID:8248
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        132⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        133⤵
        
        PID:8960
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        134⤵
        
        PID:8668
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        135⤵
        
        PID:8292
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        136⤵
        
        PID:9108
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        137⤵
        
        PID:8536
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        138⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        139⤵
        
        PID:1976
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        140⤵
        
        PID:9032
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        141⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        142⤵
        
        PID:9440
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        143⤵
        
        PID:9564
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        144⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        145⤵
        
        PID:10156
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        146⤵
        
        PID:6280
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        147⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        148⤵
        
        PID:9880
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        149⤵
        
        PID:9972
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        150⤵
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        151⤵
        
        PID:1392
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        152⤵
        
        PID:9280
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        153⤵
        
        PID:9356
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        154⤵
        
        PID:10044
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        155⤵
        
        PID:1372
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        156⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        157⤵
        
        PID:5968
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        158⤵
        
        PID:9768
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        159⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        160⤵
        
        PID:9872
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        161⤵
        
        PID:9292
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        162⤵
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        163⤵
        
        PID:5100
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        164⤵
        
        PID:9288
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        165⤵
        
        PID:10288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        166⤵
        
        PID:10400
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        167⤵
        
        PID:10504
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        168⤵
        
        PID:10944
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        169⤵
        
        PID:11048
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        170⤵
        
        PID:11204
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        171⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        172⤵
        
        PID:10564
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        173⤵
        
        PID:10720
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        173⤵
        
        PID:10752
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        174⤵
        
        PID:10840
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        170⤵
        
        PID:11232
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        171⤵
        
        PID:10244
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        167⤵
        
        PID:10584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        168⤵
        
        PID:10700
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        164⤵
        
        PID:3396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        165⤵
        
        PID:10252
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        161⤵
        
        PID:9040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        162⤵
        
        PID:8268
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        158⤵
        
        PID:9652
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        159⤵
        
        PID:9264
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        155⤵
        
        PID:2116
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        156⤵
        
        PID:920
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        152⤵
        
        PID:8428
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        153⤵
        
        PID:9600
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        149⤵
        
        PID:9676
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        150⤵
        
        PID:10212
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        146⤵
        
        PID:9256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        147⤵
        
        PID:9320
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        143⤵
        
        PID:9636
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        144⤵
        
        PID:9708
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        140⤵
        
        PID:1100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        141⤵
        
        PID:9080
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        137⤵
        
        PID:1740
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        138⤵
        
        PID:8356
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        134⤵
        
        PID:9104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        135⤵
        
        PID:8996
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        131⤵
        
        PID:8324
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        132⤵
        
        PID:8888
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        128⤵
        
        PID:8348
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        129⤵
        
        PID:8340
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        125⤵
        
        PID:5192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        126⤵
        
        PID:8768
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        122⤵
        
        PID:8884
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        123⤵
        
        PID:8924
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        119⤵
        
        PID:9212
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        120⤵
        
        PID:7316
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        116⤵
        
        PID:8572
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        117⤵
        
        PID:8644
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        113⤵
        
        PID:8152
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        114⤵
        
        PID:4128
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        110⤵
        
        PID:7292
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        111⤵
        
        PID:7612
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        107⤵
        
        PID:7580
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        108⤵
        
        PID:7532
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        104⤵
        
        PID:7016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        105⤵
        
        PID:7912
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        101⤵
        
        PID:4836
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        102⤵
        
        PID:7788
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        98⤵
        
        PID:7336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        99⤵
        
        PID:7340
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        95⤵
        
        PID:7216
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        96⤵
        
        PID:7380
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        92⤵
        
        PID:7836
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        93⤵
        
        PID:7900
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        89⤵
        
        PID:4512
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        90⤵
        
        PID:5332
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        86⤵
        
        PID:7556
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        87⤵
        
        PID:7628
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        83⤵
        
        PID:7020
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        84⤵
        
        PID:3704
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        80⤵
        
        PID:5684
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        81⤵
        
        PID:688
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        77⤵
        
        PID:6756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        78⤵
        
        PID:6052
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        74⤵
        
        PID:6244
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        75⤵
        
        PID:868
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        72⤵
        
        PID:6716
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        69⤵
        
        PID:6396
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        62⤵
        
        PID:7136
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        63⤵
        
        PID:6688
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        59⤵
        
        PID:6824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        60⤵
        
        PID:6896
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        57⤵
        
        PID:6004
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        54⤵
        
        PID:6592
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        50⤵
        
        PID:4372
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        48⤵
        
        PID:6024
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        44⤵
        
        PID:6000
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        41⤵
        
        PID:5396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        42⤵
        
        PID:6068
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        38⤵
        
        PID:5876
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        29⤵
        Executes dropped EXE
        
        PID:5520
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        27⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        20⤵
        Executes dropped EXE
        
        PID:1160
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        21⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4996
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3832
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4156
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3044
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4124

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:904

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:508

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4432

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2416

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5356

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6032

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5404

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5860

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5300

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5216

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6340

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:7000

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6544

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5220

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5512

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:7040

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6540

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6508

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6532

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6676

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6336

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7388

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8032

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7364

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7272

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7176

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1572

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7992

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7604

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:4204

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1192

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9044

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8752

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8288

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8260

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8236

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8456

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8684

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9452

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10168

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9864

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:404

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9480

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8652

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9500

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9372

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10416

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11060

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCXDCC3.tmp

Filesize
753KB

MD5
fa8edbd6e03d01deb62bbf344208d55a

SHA1
f95af0a9b1b6445d0dbd6f01c99a38db25668e55

SHA256
7684cda0a8808227e5387cbddc50a3bd70cb96ba97c7f7d00b5291cf8798810c

SHA512
ff78d5da0fe3f19eb141cc3a508f8067a8432096db75ee6afb95cff75c6e3f95cf764c7c12e05d717d0cf93859613749acf1ec3949130c179c8c25dc828138cd

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
95e0c9339e9226c035564ffb9d4e279d

SHA1
736af2d428934f46365064512a606f053f0d4973

SHA256
753c35a0892a94068a1340215a2c1fe9ca030944c321f50dbfb388ca08b87d14

SHA512
73cd15dd6b78ddb9fdd29fd310832afbdd07ac17d813d4216ca3fc6336e326a75dfec8e3157d83f70e3483a0bbba170b2b5af6d20a2a4dcce2b860f69d2bcfc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D33BDAC0-AF94-4869-BA3F-58EADE1382DD

Filesize
174KB

MD5
2f2888a3eadd40492b8d01837ca439e0

SHA1
c66f738c3fc9b33478137b5af97309b5a8538bcb

SHA256
15c25269d9ac589aff6505ef0835222c471c242fa24681ff07316849a8e7b586

SHA512
1b7c16a1b31d72e8efbd3a4439f47a7507eb9bde755a9386a3ce415d08e5a5118ee58d6dc0ccca68d8cb8b8f07b1eae5571d8ea7beccc6fbb1be0c418a10befd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
d005093487baeedf73885b9fe34f11cc

SHA1
da337105e1ce90106f49f9a8d8fff6ad58a10f48

SHA256
5958ce4c501e5104f7c08857fea228ac0247ae8829224676b8ea9629008547a3

SHA512
03d49f313779cfff25e30116469e8454ef34e8c71388ddac03904123eade65adff6d08519bd3052d2d62080ea162175f8686571775effffd3017aaf21b37a8bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
591740c7b93759cb6a2ba258c07669f3

SHA1
4d76c4a2de6e8bb8ad25eedc70f4a1ec74588548

SHA256
d80a856ede9744d6cb853f6c9411f80f901c47821142768334185be6c4b4bde0

SHA512
3781b57d02eb2e870e53ac46ed442d04aa176514f29639050f09d2e0c0128c9c5731f38042555aaa26b69763ed71f2e0970b135a56f91b8e459aa368d11c2a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
16KB

MD5
8ffb117c7f465444c44b14ee1b1abd06

SHA1
c52635dda6a9eba9ad61a46bfd7c5770c745263f

SHA256
ff9d8d15869bcec134f005892506ae10316cf7eef4179f4d94208d09fc838ead

SHA512
31267275284ee7aa7c7190328249404d370d1086699a71be3d90a674642bea0c6fe452df63bc156dd55956c179dc33bd7be447993fe305f6c714867422e81371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
427c29ad8f0a5d819e0155d2a88978c5

SHA1
1f9d9808d0ed3e11ef6465a9257699b96c1c8fed

SHA256
5ab344fb6ec571219e19101d223c0b38406fe5cf05a99265db59ab20c215c7fb

SHA512
ec1a052139e9aef523c8a8a057cff555757c64efddf8ecb896b9ee557d2486c113127a374487e209140d94ac573d8c9ae693d7a3d643f4c02fb8168cf79f3080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e9de6b27c29e9987e33eb0971a321ab4

SHA1
2d16eeeba5d9aba371bd2401beba939a86bfd572

SHA256
1710fd072589d2363697e6898a24c34f16936d14144f9036da399f47ea8b2ca0

SHA512
0420d2e32087e481a39a7d5f05366ef6a0a0c45a9c6dd60cdf0049adb5634c5cad9f7fc55cb1e0bbc5538605b485ccd6f769cc7663f982ec1f78ebfdd063783b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9208E52C.tmp

Filesize
13KB

MD5
3133c3020620f03bba8c574e986018b7

SHA1
0227485eb52e818317b992961983f31d89e329fd

SHA256
b732ed5cbf1bdd2b7cf8c5cb11545bd2c75652f92353459b843a676248434639

SHA512
dfa2cdd4e2201aa8b8ee80f5d80e02b94c67e647280841ce5b1332f09cf97bfa22b4f1653208302c5faa050e5d1719bfa380066a6733fba7b26417d7b9efd2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
5.6MB

MD5
2bacc3ededd8d4c9164636c254003d80

SHA1
9365d4d983e780457c6cb88a471da905451c2544

SHA256
2a3e2080974f6538aceeaf49d0cc4d76fb3489ecbf4e6abe1c44389e0792048a

SHA512
c43efcd678c4d82d8c32791def5247e3ae39ec6a3174c1e7eabbb8f1b701a644ee9bea79f78b1bd70c032c166ece10a7185b0d85757f1fc952fd5e2c4b406d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
6.5MB

MD5
488236e9415ba14cf0d4f6f6cf3ecf02

SHA1
a3133b5ed21616d3f085160c5ed528e42435b282

SHA256
fa8adb5486017da922021929491a79981aa795ec8035833671f7314d72cfaf82

SHA512
cf8de55534766904fd4f50f5597abcb04b3f7597f76beed8ba76464fbf15edceef7321bd70ece0b9489297fc452128fc7d97ac31572560a24b5aaadc146461b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe

Filesize
7.2MB

MD5
a84197ddd69756226f704feb5feaf460

SHA1
e9e46b2167f4a6402355635eb492791cc33bce31

SHA256
7daa0dc7461847842fad8c8a3a00810909d92f910335e9a2946c52539199e2da

SHA512
55e81454e5e2f93034eae60154e64e11afb0907d6026fa10db4a1b4424c77618bcfa3aeb4caf2f603de8f79571e6dd4aba406d9f3ce76f0d53895a471896e219

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BD75E00

Filesize
26KB

MD5
554f05e62314d7dd5babf7717f5d5b1a

SHA1
d8d3dc6d71cfea885feb33bdc037f5cf5f0e26f5

SHA256
a4f95ae5c59bbd9081e8edef0d468dc52196217aa21a62daecf806a019908480

SHA512
b906931f6f45fa1ea1953d4c956d536ee7d70fa8e7e427f5d7c0e2d7bc0891e8a2baea3c13d2851483809016946277e8b353bc30f1c5bb79b1f15f019edca703

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZPDmdDN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
62495e194a09c4905ad21c39996e2a68

SHA1
0749f3905fae6412b29e141c0b50f17ff3cd3bde

SHA256
7253a9d9c53e517543efc1fcd072187ca01f74903a23d59cb561305bebb4eaa3

SHA512
3c97bf4705671d8d6c5885784a0bfe3b0eeabc27ca985f671ff4a87f62c8b4c9c17f0ca1b310db117510f72bc7f308ce2b3c87ee9bbce85d8fb4b859e31f6f50

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
8b64a7673cdacd00b76b33a9dba42fb9

SHA1
550eb1a302b3df9f7802e49440f8943085cb8bf0

SHA256
4031174b8022db4444bfe0de64d3f5be5dcc0d9d7789487c75648c4829f2f0cc

SHA512
237c6410414f163af0bb20199eb90867d0594731dbd08e5f0a72a2d12def2b417da91e200bb429b6d8658c8b19303b3535b47e3f0fb29c245f8c9831c2450521

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d7b144e1ca443d4fe8e548b71a841cdd

SHA1
407e999d3e9b8c77decffb7077713058119a67b1

SHA256
0e9b11f0cd609c4e1ecccf6ae9bf918f666213c8e4504e23bc12b7180bd1e7d6

SHA512
9ad2a569700060c6ec847880ca0f8bd942f5f4eb7e7699e1a2cc9921d99d54c55b84c8a9065b8580f93fb7ead1e3061a3281ee0fcdf4de02e3891f4663e6723e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
52ceb8d7c2d8bc594f03ff59143831c8

SHA1
59bfb9ec4a770ce4f6ade8e864afb6a6a1f3533b

SHA256
7dfce0b9401dfe38b45bbf8f150dcda458cf02b990b2ae8b71c2160729888668

SHA512
9763f9e12397155a1786bd0ac3dec9d318712f3762349dc5479a3ba4997fc379fbec1288904b07c627d18eb4257f348cb85bdc8f59d0e6c5bf0999cd31f04e05

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c991637845d5aa369fbc39813a842968

SHA1
a92c5d8a16e9d1a2a00a4d4205bde6ea6dc484fd

SHA256
6c35a7124cdd7b1fccb04c72d824f7aec6d690e21c2114e80aed842119722bd7

SHA512
bcb5099d474821ee2559d32aae68b657c6c3b88ce20dd39d93eaca94626796ddc55bbbdccd6ddce3b8dbfa523890732595f9a53173c796b111784cacd88791c5

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
6.4MB

MD5
97a975e3a9338a232aac8f61a093f86e

SHA1
f31de05c6106b3851f75de4a201a08283412a3be

SHA256
6f24d73282da8d60ca86e4f6a4e2c0f4071e13cee22da09270b92ae5cd0cebc8

SHA512
5a272c2056c7ef7aebebd8ec094e7e14a62f4479935447701eac93b359935933ba72a6ebb5415cffd0ce7d43f0833ec0ab32af70493911dfe70911af13def2e3

Download Submit
memory/392-468-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/460-774-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-745-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/552-665-0x0000000002940000-0x000000000295F000-memory.dmp

Filesize
124KB

Download
memory/552-666-0x0000000002940000-0x000000000295F000-memory.dmp

Filesize
124KB

Download
memory/636-473-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/636-436-0x0000000004340000-0x000000000435F000-memory.dmp

Filesize
124KB

Download
memory/636-437-0x0000000004340000-0x000000000435F000-memory.dmp

Filesize
124KB

Download
memory/812-470-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/828-858-0x0000000004300000-0x000000000431F000-memory.dmp

Filesize
124KB

Download
memory/828-859-0x0000000004300000-0x000000000431F000-memory.dmp

Filesize
124KB

Download
memory/828-936-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1152-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1152-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-776-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-542-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1196-455-0x0000000004300000-0x000000000431F000-memory.dmp

Filesize
124KB

Download
memory/1196-456-0x0000000004300000-0x000000000431F000-memory.dmp

Filesize
124KB

Download
memory/1280-843-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1280-766-0x00000000042F0000-0x000000000430F000-memory.dmp

Filesize
124KB

Download
memory/1280-765-0x00000000042F0000-0x000000000430F000-memory.dmp

Filesize
124KB

Download
memory/1376-279-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1420-1339-0x0000000002670000-0x000000000268F000-memory.dmp

Filesize
124KB

Download
memory/1420-1338-0x0000000002670000-0x000000000268F000-memory.dmp

Filesize
124KB

Download
memory/1860-687-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-952-0x00000000028A0000-0x00000000028BF000-memory.dmp

Filesize
124KB

Download
memory/1924-951-0x00000000028A0000-0x00000000028BF000-memory.dmp

Filesize
124KB

Download
memory/2032-1141-0x00000000029B0000-0x00000000029CF000-memory.dmp

Filesize
124KB

Download
memory/2032-1142-0x00000000029B0000-0x00000000029CF000-memory.dmp

Filesize
124KB

Download
memory/2308-686-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-469-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-650-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2680-567-0x0000000002CD0000-0x0000000002CEF000-memory.dmp

Filesize
124KB

Download
memory/2680-566-0x0000000002CD0000-0x0000000002CEF000-memory.dmp

Filesize
124KB

Download
memory/2788-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-282-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/2876-283-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/2876-363-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2916-581-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-962-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-332-0x0000000002730000-0x000000000274F000-memory.dmp

Filesize
124KB

Download
memory/2976-333-0x0000000002730000-0x000000000274F000-memory.dmp

Filesize
124KB

Download
memory/2976-433-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2988-688-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3044-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-868-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-963-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-118-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3424-9-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3532-1240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3552-867-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3572-578-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/3572-546-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/3572-579-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/3572-547-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/3624-937-0x0000000002970000-0x000000000298F000-memory.dmp

Filesize
124KB

Download
memory/3668-208-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3832-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3880-364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-844-0x0000000002970000-0x000000000298F000-memory.dmp

Filesize
124KB

Download
memory/3936-870-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/3968-869-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3980-1337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-775-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4080-746-0x0000000002670000-0x000000000268F000-memory.dmp

Filesize
124KB

Download
memory/4080-747-0x0000000002670000-0x000000000268F000-memory.dmp

Filesize
124KB

Download
memory/4124-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-1433-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/4140-1434-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/4156-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4184-185-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

Filesize
64KB

Download
memory/4184-199-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

Filesize
64KB

Download
memory/4184-186-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

Filesize
64KB

Download
memory/4184-195-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

Filesize
64KB

Download
memory/4184-184-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

Filesize
64KB

Download
memory/4184-188-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

Filesize
64KB

Download
memory/4184-187-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

Filesize
64KB

Download
memory/4356-777-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4424-577-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-651-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/4592-676-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4780-961-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4804-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4996-362-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-580-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5128-1152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5180-1151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5188-1545-0x0000000002CF0000-0x0000000002D0F000-memory.dmp

Filesize
124KB

Download
memory/5188-1544-0x0000000002CF0000-0x0000000002D0F000-memory.dmp

Filesize
124KB

Download
memory/5260-1555-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5272-1248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5388-1364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5396-1459-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5488-1046-0x00000000029B0000-0x00000000029CF000-memory.dmp

Filesize
124KB

Download
memory/5488-1047-0x00000000029B0000-0x00000000029CF000-memory.dmp

Filesize
124KB

Download
memory/5520-1055-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5596-1054-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5672-1363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5712-1354-0x0000000002730000-0x000000000274F000-memory.dmp

Filesize
124KB

Download
memory/5712-1355-0x0000000002730000-0x000000000274F000-memory.dmp

Filesize
124KB

Download
memory/5808-1249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5820-1553-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5832-1450-0x0000000002720000-0x000000000273F000-memory.dmp

Filesize
124KB

Download
memory/5832-1449-0x0000000002720000-0x000000000273F000-memory.dmp

Filesize
124KB

Download
memory/5864-1238-0x0000000002930000-0x000000000294F000-memory.dmp

Filesize
124KB

Download
memory/5864-1237-0x0000000002930000-0x000000000294F000-memory.dmp

Filesize
124KB

Download
memory/5876-1365-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5900-1460-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5932-1247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5948-1126-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/5948-1127-0x0000000004330000-0x000000000434F000-memory.dmp

Filesize
124KB

Download
memory/6000-1554-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6020-1153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6068-1458-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download