xred | db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Size

4.3MB
MD5

b7a4d863a1a6d888da7f711671807850
SHA1

4cf487090d23271c3c220f1f682ff2146c7d8312
SHA256

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58
SHA512

0b5da66eae2060aa57c932d0f6f465867f78ffb25d47752f4df7ec564f9ba6d0478ef5cb702f82e70de18a7dc88e973fbece3c5fe091327d0eec9c01ae46a477
SSDEEP

98304:Rnsmtk2aEnsmtk2agkLjNNC7ed9aEbJcC:tLFLKvC7c9aEbeC

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe

pid	process
588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2268	icsys.icn.exe
2660	explorer.exe
2812	spoolsv.exe
2684	svchost.exe
2792	spoolsv.exe
2612	Synaptics.exe
672	._cache_Synaptics.exe
868	._cache_synaptics.exe
2608	icsys.icn.exe
952	explorer.exe
1720	Synaptics.exe
1964	._cache_Synaptics.exe
1612	._cache_synaptics.exe
1532	icsys.icn.exe
2544	explorer.exe
2184	Synaptics.exe
1004	._cache_Synaptics.exe
2244	._cache_synaptics.exe
2004	icsys.icn.exe
2524	explorer.exe
3068	Synaptics.exe
2596	._cache_Synaptics.exe
2976	._cache_synaptics.exe
1056	icsys.icn.exe
1736	explorer.exe
1716	Synaptics.exe
2860	._cache_Synaptics.exe
2092	._cache_synaptics.exe
584	icsys.icn.exe
2752	explorer.exe
1864	Synaptics.exe
400	._cache_Synaptics.exe
2984	._cache_synaptics.exe
1936	icsys.icn.exe
2460	explorer.exe
2804	Synaptics.exe
2820	._cache_Synaptics.exe
2424	._cache_synaptics.exe
2640	icsys.icn.exe
2236	explorer.exe
2708	Synaptics.exe
1792	._cache_Synaptics.exe
1600	._cache_synaptics.exe
1924	icsys.icn.exe
1956	explorer.exe
896	Synaptics.exe
1860	._cache_Synaptics.exe
2144	._cache_synaptics.exe
2692	icsys.icn.exe
572	explorer.exe
2580	Synaptics.exe
1752	._cache_Synaptics.exe
872	._cache_synaptics.exe
1444	icsys.icn.exe
892	explorer.exe
2796	Synaptics.exe
2464	._cache_Synaptics.exe
2740	._cache_synaptics.exe
1724	icsys.icn.exe
2756	explorer.exe
1096	Synaptics.exe
1648	._cache_Synaptics.exe
2764	._cache_synaptics.exe

Loads dropped DLL 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe

pid	process
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2268	icsys.icn.exe
2660	explorer.exe
2812	spoolsv.exe
2684	svchost.exe
588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2612	Synaptics.exe
2612	Synaptics.exe
672	._cache_Synaptics.exe
672	._cache_Synaptics.exe
672	._cache_Synaptics.exe
868	._cache_synaptics.exe
868	._cache_synaptics.exe
1720	Synaptics.exe
1720	Synaptics.exe
1720	Synaptics.exe
1964	._cache_Synaptics.exe
1964	._cache_Synaptics.exe
1612	._cache_synaptics.exe
1964	._cache_Synaptics.exe
1612	._cache_synaptics.exe
1612	._cache_synaptics.exe
2184	Synaptics.exe
2184	Synaptics.exe
2184	Synaptics.exe
1004	._cache_Synaptics.exe
1004	._cache_Synaptics.exe
2244	._cache_synaptics.exe
1004	._cache_Synaptics.exe
2244	._cache_synaptics.exe
2244	._cache_synaptics.exe
3068	Synaptics.exe
3068	Synaptics.exe
3068	Synaptics.exe
2596	._cache_Synaptics.exe
2596	._cache_Synaptics.exe
2976	._cache_synaptics.exe
2596	._cache_Synaptics.exe
2976	._cache_synaptics.exe
2976	._cache_synaptics.exe
1716	Synaptics.exe
1716	Synaptics.exe
1716	Synaptics.exe
2860	._cache_Synaptics.exe
2860	._cache_Synaptics.exe
2092	._cache_synaptics.exe
2860	._cache_Synaptics.exe
2092	._cache_synaptics.exe
2092	._cache_synaptics.exe
1864	Synaptics.exe
1864	Synaptics.exe
1864	Synaptics.exe
400	._cache_Synaptics.exe
400	._cache_Synaptics.exe
2984	._cache_synaptics.exe
400	._cache_Synaptics.exe
2984	._cache_synaptics.exe
2984	._cache_synaptics.exe
2804	Synaptics.exe
2804	Synaptics.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe explorer.exesvchost.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 52 IoCs

Processes:

._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeexplorer.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exespoolsv.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

icsys.icn.exe._cache_Synaptics.exeexplorer.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXE._cache_Synaptics.exeEXCEL.EXEEXCEL.EXESynaptics.exeEXCEL.EXEexplorer.exeicsys.icn.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE._cache_synaptics.exe icsys.icn.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXEEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeicsys.icn.exe._cache_synaptics.exe icsys.icn.exeEXCEL.EXESynaptics.exeexplorer.exe._cache_synaptics.exe icsys.icn.exeicsys.icn.exe._cache_Synaptics.exeicsys.icn.exeSynaptics.exeexplorer.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exeexplorer.exe._cache_synaptics.exe ._cache_Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeSynaptics.exe._cache_synaptics.exe Synaptics.exeEXCEL.EXE._cache_synaptics.exe icsys.icn.exe._cache_Synaptics.exeicsys.icn.exeicsys.icn.exeexplorer.exe._cache_synaptics.exe icsys.icn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Enumerates system info in registry 2 TTPs 48 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2620 schtasks.exe
6052 schtasks.exe
2400 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1968 EXCEL.EXE

pid	process
2620	schtasks.exe
6052	schtasks.exe
2400	schtasks.exe

pid	process
1968	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2660 explorer.exe
2684 svchost.exe

pid	process
2660	explorer.exe
2684	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeSystemProfilePrivilege	868	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	868	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	868	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1612	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1612	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1612	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2244	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2976	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeicsys.icn.exeEXCEL.EXEexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXE

pid	process
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2268	icsys.icn.exe
2268	icsys.icn.exe
2660	explorer.exe
2660	explorer.exe
2812	spoolsv.exe
2812	spoolsv.exe
2684	svchost.exe
2684	svchost.exe
2792	spoolsv.exe
2792	spoolsv.exe
672	._cache_Synaptics.exe
672	._cache_Synaptics.exe
2608	icsys.icn.exe
1968	EXCEL.EXE
2608	icsys.icn.exe
952	explorer.exe
952	explorer.exe
1964	._cache_Synaptics.exe
1964	._cache_Synaptics.exe
1636	EXCEL.EXE
1532	icsys.icn.exe
1532	icsys.icn.exe
2544	explorer.exe
2544	explorer.exe
1004	._cache_Synaptics.exe
1004	._cache_Synaptics.exe
900	EXCEL.EXE
2004	icsys.icn.exe
2004	icsys.icn.exe
2524	explorer.exe
2524	explorer.exe
2596	._cache_Synaptics.exe
2596	._cache_Synaptics.exe
1344	EXCEL.EXE
1056	icsys.icn.exe
1056	icsys.icn.exe
1736	explorer.exe
1736	explorer.exe
2860	._cache_Synaptics.exe
2860	._cache_Synaptics.exe
2656	EXCEL.EXE
584	icsys.icn.exe
584	icsys.icn.exe
2752	explorer.exe
2752	explorer.exe
400	._cache_Synaptics.exe
400	._cache_Synaptics.exe
1812	EXCEL.EXE
1936	icsys.icn.exe
1936	icsys.icn.exe
2460	explorer.exe
2460	explorer.exe
2820	._cache_Synaptics.exe
2820	._cache_Synaptics.exe
2576	EXCEL.EXE
2640	icsys.icn.exe
2640	icsys.icn.exe
2236	explorer.exe
2236	explorer.exe
1792	._cache_Synaptics.exe
1792	._cache_Synaptics.exe
772	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2124 wrote to memory of 588	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2124 wrote to memory of 588	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2124 wrote to memory of 588	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2124 wrote to memory of 588	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2124 wrote to memory of 2268	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2124 wrote to memory of 2268	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2124 wrote to memory of 2268	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2124 wrote to memory of 2268	2124	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2268 wrote to memory of 2660	2268	icsys.icn.exe	explorer.exe
PID 2268 wrote to memory of 2660	2268	icsys.icn.exe	explorer.exe
PID 2268 wrote to memory of 2660	2268	icsys.icn.exe	explorer.exe
PID 2268 wrote to memory of 2660	2268	icsys.icn.exe	explorer.exe
PID 2660 wrote to memory of 2812	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2812	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2812	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2812	2660	explorer.exe	spoolsv.exe
PID 2812 wrote to memory of 2684	2812	spoolsv.exe	svchost.exe
PID 2812 wrote to memory of 2684	2812	spoolsv.exe	svchost.exe
PID 2812 wrote to memory of 2684	2812	spoolsv.exe	svchost.exe
PID 2812 wrote to memory of 2684	2812	spoolsv.exe	svchost.exe
PID 2684 wrote to memory of 2792	2684	svchost.exe	spoolsv.exe
PID 2684 wrote to memory of 2792	2684	svchost.exe	spoolsv.exe
PID 2684 wrote to memory of 2792	2684	svchost.exe	spoolsv.exe
PID 2684 wrote to memory of 2792	2684	svchost.exe	spoolsv.exe
PID 2660 wrote to memory of 2572	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2572	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2572	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2572	2660	explorer.exe	Explorer.exe
PID 2684 wrote to memory of 2620	2684	svchost.exe	schtasks.exe
PID 2684 wrote to memory of 2620	2684	svchost.exe	schtasks.exe
PID 2684 wrote to memory of 2620	2684	svchost.exe	schtasks.exe
PID 2684 wrote to memory of 2620	2684	svchost.exe	schtasks.exe
PID 588 wrote to memory of 2612	588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 588 wrote to memory of 2612	588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 588 wrote to memory of 2612	588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 588 wrote to memory of 2612	588	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 2612 wrote to memory of 672	2612	Synaptics.exe	._cache_Synaptics.exe
PID 2612 wrote to memory of 672	2612	Synaptics.exe	._cache_Synaptics.exe
PID 2612 wrote to memory of 672	2612	Synaptics.exe	._cache_Synaptics.exe
PID 2612 wrote to memory of 672	2612	Synaptics.exe	._cache_Synaptics.exe
PID 672 wrote to memory of 868	672	._cache_Synaptics.exe	._cache_synaptics.exe
PID 672 wrote to memory of 868	672	._cache_Synaptics.exe	._cache_synaptics.exe
PID 672 wrote to memory of 868	672	._cache_Synaptics.exe	._cache_synaptics.exe
PID 672 wrote to memory of 868	672	._cache_Synaptics.exe	._cache_synaptics.exe
PID 672 wrote to memory of 2608	672	._cache_Synaptics.exe	icsys.icn.exe
PID 672 wrote to memory of 2608	672	._cache_Synaptics.exe	icsys.icn.exe
PID 672 wrote to memory of 2608	672	._cache_Synaptics.exe	icsys.icn.exe
PID 672 wrote to memory of 2608	672	._cache_Synaptics.exe	icsys.icn.exe
PID 2608 wrote to memory of 952	2608	icsys.icn.exe	explorer.exe
PID 2608 wrote to memory of 952	2608	icsys.icn.exe	explorer.exe
PID 2608 wrote to memory of 952	2608	icsys.icn.exe	explorer.exe
PID 2608 wrote to memory of 952	2608	icsys.icn.exe	explorer.exe
PID 868 wrote to memory of 1720	868	._cache_synaptics.exe	Synaptics.exe
PID 868 wrote to memory of 1720	868	._cache_synaptics.exe	Synaptics.exe
PID 868 wrote to memory of 1720	868	._cache_synaptics.exe	Synaptics.exe
PID 868 wrote to memory of 1720	868	._cache_synaptics.exe	Synaptics.exe
PID 1720 wrote to memory of 1964	1720	Synaptics.exe	._cache_Synaptics.exe
PID 1720 wrote to memory of 1964	1720	Synaptics.exe	._cache_Synaptics.exe
PID 1720 wrote to memory of 1964	1720	Synaptics.exe	._cache_Synaptics.exe
PID 1720 wrote to memory of 1964	1720	Synaptics.exe	._cache_Synaptics.exe
PID 1964 wrote to memory of 1612	1964	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1964 wrote to memory of 1612	1964	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1964 wrote to memory of 1612	1964	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1964 wrote to memory of 1612	1964	._cache_Synaptics.exe	._cache_synaptics.exe

C:\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
"C:\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- \??\c:\users\admin\appdata\local\temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
  c:\users\admin\appdata\local\temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:672
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2984
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2424
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1860
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2144
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:872
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        33⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2464
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1648
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2764
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        Drops file in Windows directory
        
        PID:1052
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        41⤵
        Adds Run key to start application
        
        PID:1364
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        Drops file in Windows directory
        
        PID:1556
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        44⤵
        Adds Run key to start application
        
        PID:712
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        46⤵
        Drops file in Windows directory
        
        PID:3176
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        Drops file in Windows directory
        
        PID:3612
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        50⤵
        Adds Run key to start application
        
        PID:3684
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        51⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        52⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        53⤵
        Adds Run key to start application
        
        PID:2088
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        55⤵
        Drops file in Windows directory
        
        PID:3480
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        56⤵
        Adds Run key to start application
        
        PID:3532
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        57⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        58⤵
        Drops file in Windows directory
        
        PID:3900
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        59⤵
        Adds Run key to start application
        
        PID:4028
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        60⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        61⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        63⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        64⤵
        Drops file in Windows directory
        
        PID:3128
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        65⤵
        Adds Run key to start application
        
        PID:3992
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        66⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        67⤵
        Drops file in Windows directory
        
        PID:3580
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        68⤵
        Adds Run key to start application
        
        PID:3640
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        69⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        70⤵
        Drops file in Windows directory
        
        PID:3464
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        71⤵
        Adds Run key to start application
        
        PID:3396
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        73⤵
        Drops file in Windows directory
        
        PID:3084
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        74⤵
        Adds Run key to start application
        
        PID:3476
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        75⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        76⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        77⤵
        Adds Run key to start application
        
        PID:3292
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        78⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        79⤵
        Drops file in Windows directory
        
        PID:3468
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        80⤵
        Adds Run key to start application
        
        PID:780
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        81⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        82⤵
        Drops file in Windows directory
        
        PID:2356
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        83⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        84⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        85⤵
        Drops file in Windows directory
        
        PID:4384
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        86⤵
        Adds Run key to start application
        
        PID:4484
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        88⤵
        Drops file in Windows directory
        
        PID:4760
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        89⤵
        Adds Run key to start application
        
        PID:4844
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        90⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        91⤵
        Drops file in Windows directory
        
        PID:4120
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        92⤵
        Adds Run key to start application
        
        PID:3892
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        93⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        94⤵
        Drops file in Windows directory
        
        PID:4628
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        95⤵
        Adds Run key to start application
        
        PID:4676
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        96⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        97⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        98⤵
        Adds Run key to start application
        
        PID:4172
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        100⤵
        Drops file in Windows directory
        
        PID:4624
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        101⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        102⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        103⤵
        Drops file in Windows directory
        
        PID:4336
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        104⤵
        Adds Run key to start application
        
        PID:4544
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        105⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        106⤵
        Drops file in Windows directory
        
        PID:4944
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        107⤵
        Adds Run key to start application
        
        PID:5012
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        109⤵
        Drops file in Windows directory
        
        PID:4264
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        110⤵
        Adds Run key to start application
        
        PID:4600
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        111⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        112⤵
        Drops file in Windows directory
        
        PID:3932
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        113⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        115⤵
        Drops file in Windows directory
        
        PID:4456
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        116⤵
        Adds Run key to start application
        
        PID:4856
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        117⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        118⤵
        Drops file in Windows directory
        
        PID:5288
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        119⤵
        Adds Run key to start application
        
        PID:5392
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        120⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        121⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        122⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        124⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        125⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        126⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        127⤵
        Drops file in Windows directory
        
        PID:5256
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        128⤵
        Adds Run key to start application
        
        PID:5636
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        130⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        131⤵
        Adds Run key to start application
        
        PID:4904
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        132⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        133⤵
        Drops file in Windows directory
        
        PID:5188
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        134⤵
        Adds Run key to start application
        
        PID:5740
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        136⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        137⤵
        Adds Run key to start application
        
        PID:5400
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        138⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        139⤵
        Drops file in Windows directory
        
        PID:5268
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        140⤵
        Adds Run key to start application
        
        PID:5848
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        141⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        142⤵
        Drops file in Windows directory
        
        PID:5284
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        143⤵
        Adds Run key to start application
        
        PID:5156
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        143⤵
        
        PID:5484
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        144⤵
        
        PID:5180
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        140⤵
        
        PID:5132
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        138⤵
        
        PID:5556
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        134⤵
        
        PID:5804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        135⤵
        
        PID:5932
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        131⤵
        
        PID:5144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        132⤵
        
        PID:6056
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        129⤵
        
        PID:5624
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        126⤵
        
        PID:5260
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        122⤵
        
        PID:5812
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        123⤵
        
        PID:5872
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        120⤵
        
        PID:5528
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        116⤵
        
        PID:4888
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        117⤵
        
        PID:5152
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        113⤵
        
        PID:4604
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        114⤵
        
        PID:4224
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        110⤵
        
        PID:4308
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        111⤵
        
        PID:5116
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        107⤵
        
        PID:4408
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        108⤵
        
        PID:4636
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        104⤵
        
        PID:4292
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        101⤵
        
        PID:4756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        99⤵
        
        PID:4356
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        95⤵
        
        PID:4552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        96⤵
        
        PID:4864
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        93⤵
        
        PID:4404
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        90⤵
        
        PID:4948
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        86⤵
        
        PID:4528
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        87⤵
        
        PID:4620
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        83⤵
        
        PID:4140
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        84⤵
        
        PID:4228
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        80⤵
        
        PID:3360
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        81⤵
        
        PID:2912
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        77⤵
        
        PID:3148
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        78⤵
        
        PID:1032
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        74⤵
        
        PID:3792
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        75⤵
        
        PID:3788
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        71⤵
        
        PID:3536
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        72⤵
        
        PID:3440
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        68⤵
        
        PID:3796
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        69⤵
        
        PID:3880
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        65⤵
        
        PID:3272
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        66⤵
        
        PID:3584
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        60⤵
        
        PID:968
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        56⤵
        
        PID:3304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        57⤵
        
        PID:3644
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        54⤵
        
        PID:3260
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        51⤵
        
        PID:3816
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        47⤵
        
        PID:3364
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        48⤵
        
        PID:3424
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        44⤵
        
        PID:2836
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        45⤵
        
        PID:1592
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        41⤵
        
        PID:2780
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        39⤵
        
        PID:2732
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        35⤵
        Executes dropped EXE
        
        PID:1724
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        36⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        32⤵
        Executes dropped EXE
        
        PID:1444
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        33⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        29⤵
        Executes dropped EXE
        
        PID:2692
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        30⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        26⤵
        Executes dropped EXE
        
        PID:1924
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        27⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:952
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:40 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:41 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6052
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:42 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:636

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:1104

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2224

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:1436

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:2040

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:2928

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3184

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3620

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4012

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3488

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3948

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3196

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:2504

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3840

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:1916

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3552

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3104

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3372

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4392

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4148

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4516

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5068

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4656

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4344

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5112

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4508

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5000

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:4824

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5296

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5692

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:6068

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5276

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:6016

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5220

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5216

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5876

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:5244

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCXED9A.tmp

Filesize
753KB

MD5
8b05c30a8d841d3df9eb32124e9c5ea1

SHA1
55ddc13e4b9f103423e6873ecb1979b2fe44f075

SHA256
954f24d62118f2e1b3aa262779552799a056e744a6e11fdfaa8c9c88b00eead5

SHA512
7a1c8d42a5e770430c349e562876962a1338ce87076552ed2bfc35e291a166a64c9a7af23c892a2bb4395c6bd090bd21fc8857b803073caafb0239d068b5cba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.4MB

MD5
449800c479e6ba5efb2f0c57b256ce1b

SHA1
1223be3de01e60c9068824d6d854a7480a6ec44d

SHA256
9e582555e818b2b675aa909ad93aabf653bc91d1ebed9bfa01ddf0023a9b6fa4

SHA512
aa5777f0d6ff71e167ea83b1de86928d020db3770185bcb14e6daf2106f69c0f6900c4238358631e7fea233d316f3d957b4fe6ef7e8f5949b477787d485b77fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fhkBmvE.xlsm

Filesize
23KB

MD5
3ac83ac634ec8a4a2a1f84eb1c28eb41

SHA1
f35a0b2c58d74fd5685100a039e36e5fddf0d946

SHA256
58e2d93c67dfc0025d0656596398918aa54a309b0e6f264164164721d5d579a6

SHA512
34692d167429c62ba14d468932c25dd532e79867c2271899ea90fffd11cd87d968dfbe80e05d610c36d67f4776415e4137929cf7c872a866301cf6e8c549993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fhkBmvE.xlsm

Filesize
25KB

MD5
ed6a1242d646805b94a3d8779cb15bf8

SHA1
a8a1b276c712a404004d038119e44af78b87b9f6

SHA256
2da78da84edb3d20f48bb75204dc9a4ca4d88a41bfd389ba53387d49e53efeaa

SHA512
f6043eefb4d0f7f17c58115a05eda28df71146561dd6a2f7f8475f5b045af379b73d70d7ee38daabbd0f39443ceaf9a904629ac74e2acc83594d68b9eb495b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F835.tmp

Filesize
12KB

MD5
415b7820fe5b046810e0d33b3da31a7a

SHA1
157f40ce5e16a3ddb24405e437eb3454c15d44df

SHA256
25c3205cd56b194fc267c1f434d24bc63d37dcc2388612e118a26cf6fe11358a

SHA512
00672689fcae9821187922169fcf556d0340fe703648eda2db31033b1b10e33b37628d31db1b09e0dbedd563515fb0a961065b2ce59ec43dcffe0d19fb61e836

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWGFjnO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
285f29912123548705eeb4e476ef3e78

SHA1
ae94cb7d48ddd15c244053f69d3e882c4e53f680

SHA256
ec8f6bea562fe5ec901b41c1526c89b48c324764bf375ed62702591ea252a23c

SHA512
ae2adc2ceae0d86358f3930a11a74e62d1c8888cb2501b57ff223447fcc55a107c1324066593f1291a14c804a1c92f9d1ca8c741650913091c2c2c341feb269f

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
60cf568aa30adc6d07f340b8e8db97d9

SHA1
5a777f07a428647cf616e05cd2f839396adea5e0

SHA256
3743dda1e9ace1768a4dd5be0caade7f3c971866ebc4a25f4ca710c65f810199

SHA512
984b2908751ab17d9e772cd8554369424fd567e8653dca97d0356dbbca9d351f81b1098209f1dd1134c6147c1b761a812d0db29e21f69f0a999a46ea24f08224

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
2.5MB

MD5
b99e894f2fa9db7fcdb472d1c9535fab

SHA1
3d21b76685f4c6e00224d2f33e3742821e7bfb8f

SHA256
e8ecf9c2476fe8768e505068789e8f672a510d9995fdc55890822bc120e0125a

SHA512
2a6a13deff84d1920e71178e3ab3df1ad835eb0cbb510a1bcc236e745a6e3239ddcf2c8f594a234f2c28ec828db0d07dcd41d2acd0d6c1c8c2fc46f4d2aa635e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
3.3MB

MD5
f85ab55410e57cd842da9384e476fea1

SHA1
3ad4a6f686b903790d99b0b5cae2f125ff6bef61

SHA256
f0dac82b9779f299d4fa1c6044339074e08657507a6515b2035cc44399e6fdd1

SHA512
5332ad58f14f9639700c4570745caf3e42afb8306067ebbdd16ec886f9444b4c79f75902db211c3c3454abd149d9bd9cf20e0730df558c8f92221d2745d71c4b

Download Submit
\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe

Filesize
4.1MB

MD5
3a1ecb687c50e671d38df940a8e418da

SHA1
8034714e35450df479d842865d29c75f8e80ac59

SHA256
7c33dc883141eaad482330649cafd0a77a2ab1bc5d1f3e5faeef125b5bd09f21

SHA512
849b3d96dc085875271d08eac402fae061a242cd0960e651e4ba291c3deb0300ea720f763047468fac38118962720d1df9f20c1d0841ab4d104d21bc1bb8642c

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
4d275db31c0f66bb9cb4fe2ad1ac4790

SHA1
e67e129af863d0fc2e628523dbb8ca3c5c86e951

SHA256
303df2dc2321ef3d2b03dc0ca2a76148fbb6df656e9181a03da59c0679c39310

SHA512
6bb6d07e650de0dbda87f9ab980da5866ca66a9c8e75b035fa46f21e49a74fc089314fc34b65b786cd8d1c1d2669afb6df0f625483562fa3186c5c2abcb76b0d

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
b35500da2182f7686212ed6e22ce55ec

SHA1
a71b15a9c460b2213c5a8dfaa3b6bfcf5d18b4fd

SHA256
599ca3d60254b26c5019a9a0db4b9ffb5230a7ea5e64042921f80b09459b7c6e

SHA512
4bfbd5b2a116019b7a72e1751c209eeacd34dfeb4933f5924919079d966f39e239d7ad8d9f802070dff20a8c55ef65ca6ab3266c63f674fda6ba86928062f2e3

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ce91d663e8bb23fe1e1d97a6701a9e29

SHA1
2aa12aadb5bf1d63a5250a66efe586ce879e9714

SHA256
c97a82c2d676a378e5372d4ed0dd91e2d2ea7167494af58503a605f28a75175b

SHA512
be502447ab86ead45d3ad1d27d5ad2046fe9a019186385bd035575403c30d46bd86ad4ae4645982b99647cbcc314f269dccaa6ed808d43038a99293883801b1f

Download Submit
memory/400-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/400-276-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/584-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-85-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/588-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/672-113-0x0000000001D10000-0x0000000001D2F000-memory.dmp

Filesize
124KB

Download
memory/672-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/712-644-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/712-684-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/868-134-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/872-468-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/872-429-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/892-462-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-363-0x0000000000820000-0x000000000083F000-memory.dmp

Filesize
124KB

Download
memory/896-398-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/952-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-186-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/1052-625-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-546-0x0000000001F00000-0x0000000001F1F000-memory.dmp

Filesize
124KB

Download
memory/1096-526-0x0000000005710000-0x000000000572F000-memory.dmp

Filesize
124KB

Download
memory/1096-525-0x0000000001F00000-0x0000000001F1F000-memory.dmp

Filesize
124KB

Download
memory/1096-545-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1364-594-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/1364-632-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1436-569-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-567-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-558-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-559-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-561-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-560-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-564-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-565-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-562-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-568-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-566-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1436-563-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1444-460-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-677-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-664-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-362-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1600-322-0x0000000000800000-0x000000000081F000-memory.dmp

Filesize
124KB

Download
memory/1612-169-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1648-578-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-541-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1716-265-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/1716-235-0x00000000041B0000-0x00000000041CF000-memory.dmp

Filesize
124KB

Download
memory/1716-234-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/1720-138-0x00000000042C0000-0x00000000042DF000-memory.dmp

Filesize
124KB

Download
memory/1720-164-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/1724-517-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-229-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1736-228-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1736-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-227-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1752-461-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-356-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-325-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/1864-284-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/1864-267-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1924-355-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-354-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2004-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2088-814-0x0000000000850000-0x000000000086F000-memory.dmp

Filesize
124KB

Download
memory/2092-241-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2092-266-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2124-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-18-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2144-416-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2144-375-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2184-174-0x0000000004470000-0x000000000448F000-memory.dmp

Filesize
124KB

Download
memory/2184-192-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/2244-211-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2244-184-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2260-571-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-29-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2424-294-0x0000000001F20000-0x0000000001F3F000-memory.dmp

Filesize
124KB

Download
memory/2424-308-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2460-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-518-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-484-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2524-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2544-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-447-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2580-417-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2596-220-0x0000000001E90000-0x0000000001EAF000-memory.dmp

Filesize
124KB

Download
memory/2596-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2612-93-0x0000000004230000-0x000000000424F000-memory.dmp

Filesize
124KB

Download
memory/2612-123-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/2636-610-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2636-580-0x0000000000750000-0x000000000076F000-memory.dmp

Filesize
124KB

Download
memory/2640-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-485-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-527-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-67-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2708-329-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/2708-309-0x0000000000830000-0x000000000084F000-memory.dmp

Filesize
124KB

Download
memory/2708-310-0x0000000004320000-0x000000000433F000-memory.dmp

Filesize
124KB

Download
memory/2716-651-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2716-633-0x0000000004370000-0x000000000438F000-memory.dmp

Filesize
124KB

Download
memory/2732-573-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-524-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2740-481-0x00000000008E0000-0x00000000008FF000-memory.dmp

Filesize
124KB

Download
memory/2752-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-516-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2764-579-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2780-626-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2792-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-469-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2796-501-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2804-307-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/2804-288-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2812-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-296-0x0000000000700000-0x000000000071F000-memory.dmp

Filesize
124KB

Download
memory/2836-678-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-233-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2976-218-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2984-287-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2984-273-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/3068-226-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/3068-212-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/3112-685-0x00000000007C0000-0x00000000007DF000-memory.dmp

Filesize
124KB

Download
memory/3112-733-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3176-712-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/3280-709-0x0000000000A10000-0x0000000000A2F000-memory.dmp

Filesize
124KB

Download
memory/3280-749-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3364-734-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3548-750-0x0000000001F60000-0x0000000001F7F000-memory.dmp

Filesize
124KB

Download
memory/3548-769-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3612-764-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/3684-761-0x00000000022B0000-0x00000000022CF000-memory.dmp

Filesize
124KB

Download
memory/3684-801-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/3744-783-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3816-782-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-802-0x0000000001EE0000-0x0000000001EFF000-memory.dmp

Filesize
124KB

Download