xred | db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Size

4.3MB
MD5

b7a4d863a1a6d888da7f711671807850
SHA1

4cf487090d23271c3c220f1f682ff2146c7d8312
SHA256

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58
SHA512

0b5da66eae2060aa57c932d0f6f465867f78ffb25d47752f4df7ec564f9ba6d0478ef5cb702f82e70de18a7dc88e973fbece3c5fe091327d0eec9c01ae46a477
SSDEEP

98304:Rnsmtk2aEnsmtk2agkLjNNC7ed9aEbJcC:tLFLKvC7c9aEbeC

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe

Executes dropped EXE 37 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe

pid	process
4280	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
940	icsys.icn.exe
1556	explorer.exe
4848	spoolsv.exe
3076	svchost.exe
1920	spoolsv.exe
4968	Synaptics.exe
3256	._cache_Synaptics.exe
2312	._cache_synaptics.exe
4544	icsys.icn.exe
1708	explorer.exe
4920	Synaptics.exe
3928	._cache_Synaptics.exe
5028	._cache_synaptics.exe
2416	icsys.icn.exe
3952	explorer.exe
1492	Synaptics.exe
960	._cache_Synaptics.exe
1724	._cache_synaptics.exe
2696	icsys.icn.exe
8	explorer.exe
2596	Synaptics.exe
432	._cache_Synaptics.exe
2740	._cache_synaptics.exe
3936	icsys.icn.exe
728	explorer.exe
4244	Synaptics.exe
4380	._cache_Synaptics.exe
4976	._cache_synaptics.exe
3456	icsys.icn.exe
3276	explorer.exe
2356	Synaptics.exe
3084	._cache_Synaptics.exe
4600	._cache_synaptics.exe
4960	icsys.icn.exe
4004	explorer.exe
2736	Synaptics.exe

Loads dropped DLL 20 IoCs

Processes:

Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe

pid	process
4920	Synaptics.exe
4920	Synaptics.exe
5028	._cache_synaptics.exe
5028	._cache_synaptics.exe
1492	Synaptics.exe
1492	Synaptics.exe
1724	._cache_synaptics.exe
1724	._cache_synaptics.exe
2596	Synaptics.exe
2596	Synaptics.exe
2740	._cache_synaptics.exe
2740	._cache_synaptics.exe
4244	Synaptics.exe
4244	Synaptics.exe
4976	._cache_synaptics.exe
4976	._cache_synaptics.exe
2356	Synaptics.exe
2356	Synaptics.exe
4600	._cache_synaptics.exe
4600	._cache_synaptics.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe._cache_synaptics.exe db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 11 IoCs

Processes:

explorer.exespoolsv.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exeexplorer.exeicsys.icn.exe._cache_Synaptics.exeicsys.icn.exeicsys.icn.exe._cache_synaptics.exe explorer.exe._cache_synaptics.exe Synaptics.exeexplorer.exe._cache_synaptics.exe Synaptics.exespoolsv.exeicsys.icn.exeexplorer.exeexplorer.exesvchost.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exeSynaptics.exe._cache_Synaptics.exeexplorer.exeicsys.icn.exe._cache_synaptics.exe explorer.exe._cache_Synaptics.exe._cache_synaptics.exe db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe icsys.icn.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeSynaptics.exeicsys.icn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 13 IoCs

Processes:

Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe ._cache_synaptics.exe Synaptics.exe._cache_synaptics.exe Synaptics.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe Synaptics.exeSynaptics.exe._cache_synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1484 EXCEL.EXE

pid	process
1484	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exe

pid	process
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe
940	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1556 explorer.exe
3076 svchost.exe

pid	process
1556	explorer.exe
3076	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2312	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	5028	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1724	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2740	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2740	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXE

pid	process
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
940	icsys.icn.exe
940	icsys.icn.exe
1556	explorer.exe
1556	explorer.exe
4848	spoolsv.exe
4848	spoolsv.exe
3076	svchost.exe
3076	svchost.exe
1920	spoolsv.exe
1920	spoolsv.exe
3256	._cache_Synaptics.exe
3256	._cache_Synaptics.exe
1484	EXCEL.EXE
4544	icsys.icn.exe
4544	icsys.icn.exe
1484	EXCEL.EXE
1708	explorer.exe
1708	explorer.exe
3928	._cache_Synaptics.exe
3928	._cache_Synaptics.exe
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
2416	icsys.icn.exe
2416	icsys.icn.exe
3952	explorer.exe
3952	explorer.exe
960	._cache_Synaptics.exe
960	._cache_Synaptics.exe
1152	EXCEL.EXE
2696	icsys.icn.exe
2696	icsys.icn.exe
1152	EXCEL.EXE
8	explorer.exe
8	explorer.exe
432	._cache_Synaptics.exe
432	._cache_Synaptics.exe
1288	EXCEL.EXE
1288	EXCEL.EXE
1288	EXCEL.EXE
3936	icsys.icn.exe
3936	icsys.icn.exe
728	explorer.exe
1288	EXCEL.EXE
728	explorer.exe
4380	._cache_Synaptics.exe
4380	._cache_Synaptics.exe
5088	EXCEL.EXE
5088	EXCEL.EXE
3456	icsys.icn.exe
3456	icsys.icn.exe
3276	explorer.exe
3276	explorer.exe
5088	EXCEL.EXE
5088	EXCEL.EXE
3084	._cache_Synaptics.exe
3084	._cache_Synaptics.exe
408	EXCEL.EXE
408	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedb9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe

description	pid	process	target process
PID 2864 wrote to memory of 4280	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2864 wrote to memory of 4280	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2864 wrote to memory of 4280	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
PID 2864 wrote to memory of 940	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2864 wrote to memory of 940	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 2864 wrote to memory of 940	2864	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	icsys.icn.exe
PID 940 wrote to memory of 1556	940	icsys.icn.exe	explorer.exe
PID 940 wrote to memory of 1556	940	icsys.icn.exe	explorer.exe
PID 940 wrote to memory of 1556	940	icsys.icn.exe	explorer.exe
PID 1556 wrote to memory of 4848	1556	explorer.exe	spoolsv.exe
PID 1556 wrote to memory of 4848	1556	explorer.exe	spoolsv.exe
PID 1556 wrote to memory of 4848	1556	explorer.exe	spoolsv.exe
PID 4848 wrote to memory of 3076	4848	spoolsv.exe	svchost.exe
PID 4848 wrote to memory of 3076	4848	spoolsv.exe	svchost.exe
PID 4848 wrote to memory of 3076	4848	spoolsv.exe	svchost.exe
PID 3076 wrote to memory of 1920	3076	svchost.exe	spoolsv.exe
PID 3076 wrote to memory of 1920	3076	svchost.exe	spoolsv.exe
PID 3076 wrote to memory of 1920	3076	svchost.exe	spoolsv.exe
PID 4280 wrote to memory of 4968	4280	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 4280 wrote to memory of 4968	4280	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 4280 wrote to memory of 4968	4280	db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe	Synaptics.exe
PID 4968 wrote to memory of 3256	4968	Synaptics.exe	._cache_Synaptics.exe
PID 4968 wrote to memory of 3256	4968	Synaptics.exe	._cache_Synaptics.exe
PID 4968 wrote to memory of 3256	4968	Synaptics.exe	._cache_Synaptics.exe
PID 3256 wrote to memory of 2312	3256	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3256 wrote to memory of 2312	3256	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3256 wrote to memory of 2312	3256	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3256 wrote to memory of 4544	3256	._cache_Synaptics.exe	icsys.icn.exe
PID 3256 wrote to memory of 4544	3256	._cache_Synaptics.exe	icsys.icn.exe
PID 3256 wrote to memory of 4544	3256	._cache_Synaptics.exe	icsys.icn.exe
PID 4544 wrote to memory of 1708	4544	icsys.icn.exe	explorer.exe
PID 4544 wrote to memory of 1708	4544	icsys.icn.exe	explorer.exe
PID 4544 wrote to memory of 1708	4544	icsys.icn.exe	explorer.exe
PID 2312 wrote to memory of 4920	2312	._cache_synaptics.exe	Synaptics.exe
PID 2312 wrote to memory of 4920	2312	._cache_synaptics.exe	Synaptics.exe
PID 2312 wrote to memory of 4920	2312	._cache_synaptics.exe	Synaptics.exe
PID 4920 wrote to memory of 3928	4920	Synaptics.exe	._cache_Synaptics.exe
PID 4920 wrote to memory of 3928	4920	Synaptics.exe	._cache_Synaptics.exe
PID 4920 wrote to memory of 3928	4920	Synaptics.exe	._cache_Synaptics.exe
PID 3928 wrote to memory of 5028	3928	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3928 wrote to memory of 5028	3928	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3928 wrote to memory of 5028	3928	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3928 wrote to memory of 2416	3928	._cache_Synaptics.exe	icsys.icn.exe
PID 3928 wrote to memory of 2416	3928	._cache_Synaptics.exe	icsys.icn.exe
PID 3928 wrote to memory of 2416	3928	._cache_Synaptics.exe	icsys.icn.exe
PID 2416 wrote to memory of 3952	2416	icsys.icn.exe	explorer.exe
PID 2416 wrote to memory of 3952	2416	icsys.icn.exe	explorer.exe
PID 2416 wrote to memory of 3952	2416	icsys.icn.exe	explorer.exe
PID 5028 wrote to memory of 1492	5028	._cache_synaptics.exe	Synaptics.exe
PID 5028 wrote to memory of 1492	5028	._cache_synaptics.exe	Synaptics.exe
PID 5028 wrote to memory of 1492	5028	._cache_synaptics.exe	Synaptics.exe
PID 1492 wrote to memory of 960	1492	Synaptics.exe	._cache_Synaptics.exe
PID 1492 wrote to memory of 960	1492	Synaptics.exe	._cache_Synaptics.exe
PID 1492 wrote to memory of 960	1492	Synaptics.exe	._cache_Synaptics.exe
PID 960 wrote to memory of 1724	960	._cache_Synaptics.exe	._cache_synaptics.exe
PID 960 wrote to memory of 1724	960	._cache_Synaptics.exe	._cache_synaptics.exe
PID 960 wrote to memory of 1724	960	._cache_Synaptics.exe	._cache_synaptics.exe
PID 960 wrote to memory of 2696	960	._cache_Synaptics.exe	icsys.icn.exe
PID 960 wrote to memory of 2696	960	._cache_Synaptics.exe	icsys.icn.exe
PID 960 wrote to memory of 2696	960	._cache_Synaptics.exe	icsys.icn.exe
PID 2696 wrote to memory of 8	2696	icsys.icn.exe	explorer.exe
PID 2696 wrote to memory of 8	2696	icsys.icn.exe	explorer.exe
PID 2696 wrote to memory of 8	2696	icsys.icn.exe	explorer.exe
PID 1724 wrote to memory of 2596	1724	._cache_synaptics.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
"C:\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- \??\c:\users\admin\appdata\local\temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
  c:\users\admin\appdata\local\temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3256
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3952
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4848
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCXAFA9.tmp

Filesize
753KB

MD5
8b05c30a8d841d3df9eb32124e9c5ea1

SHA1
55ddc13e4b9f103423e6873ecb1979b2fe44f075

SHA256
954f24d62118f2e1b3aa262779552799a056e744a6e11fdfaa8c9c88b00eead5

SHA512
7a1c8d42a5e770430c349e562876962a1338ce87076552ed2bfc35e291a166a64c9a7af23c892a2bb4395c6bd090bd21fc8857b803073caafb0239d068b5cba0

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
000e7267ce4e7243bbe1549d0a582682

SHA1
2db09af2e42c62682aebf16fb25b1582fa72d332

SHA256
1cbed926e71bf00e89ea7b56f35072e2383184fcfccfdb1d33c7324f75ca3019

SHA512
b2022299a0c70e46ed85c3ef5ab81422dfb0ed0e516dda87299f159d91a72edd7f7103a840588e5b346c7ce6887482031da37524e1633d3e20d1109a70d7d681

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
1699eecbe139449bfaf422e02a591a49

SHA1
e24755e62e3731a33ff6f6bc3efbb3902d1b7608

SHA256
592b3203e96af3446ad4f0f9a3229a09b6a728fce7ec1e0dd7dd4ee747084136

SHA512
10fab3107576c45523e58c390e1d26fc165eb009f54abb385d4cd7d1e43e738de539d743a8cd3ebb3b73e57fc8a0e40f433f522f39d6ff6496887cba31d5cfb2

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.9MB

MD5
a0850fea631c36019aa04caca313bd7d

SHA1
8b0a3c4c18d45edb2df0ff7d62032a3e4245ec4b

SHA256
1cad100ad460642372584a93abc306d301002bca6f4051a31b634a9c532faca5

SHA512
f560aaa54c8e4470f79afd3de1f23d7c9e58632e56b3590886cc3d58c3d101b3a938302f654925f0eb98060282955e2c3d44bef71aeafa5359a299e418decdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2F21505F-DC1F-4B4A-A69F-D3C54971E917

Filesize
176KB

MD5
e2c7c0bf257d13c6e2f9af1b23f04695

SHA1
f50b3870832e0afa41d0d128c91f408181b1cce7

SHA256
082c28bac3d01ae402cc62afe446ab26e6292e452d73b387376eb49ee961820a

SHA512
bbdf3fe79313efabee8fef5e763bd66a11824a522bd4b5d8ff58810786da3c5d962ec365b667f374c5a1aecec1d0a570149eaabe5f534ed51f702a859dcfa9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
295435fdf026d65b136871a6452a8192

SHA1
a67709a4c0914b614bf38bf07f4e7b22ee5a570b

SHA256
dc5b724f21dc39fc515e4c1b000ca1d3700684162fb2d75eefbef9b29b9954fa

SHA512
4d1e16a04e4e15b7c45249c3a89311b2b82eb31b49d13d90c2f6c3fa467c8fbdd77d8dcd9cb912e8d9bf5072b10f8bb737894aa409b28fb147e8a6ced572e4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
76c2406dcdd797c8aaf38a9d9029a007

SHA1
135f0ac6d8307df71d94b3979dd848f0f592073a

SHA256
a2ce8032004814053b041d3617a45b252af1478922bef8cc5ef4e5b5054f4584

SHA512
55415167ce03f7c4ba3dbe67d5d2c0544895370f6fe83966a8ea39b5859a5aaa77d105be7799a0eedf5c7eff600036704d162dad91ef02695b161f4f293ca42a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e0fc617cd21a9ea4449b793479fac415

SHA1
2613a31cc394a7c9959c3472f6e2fd587a058fd1

SHA256
f11690448c71d4fedf0cbc4aba5ad48f225cf227bb721462e546aa9e270f514b

SHA512
217a817079f95fdf3f75b4152a8a5a5b1263aebdce6f051826035f1ddffe57361764fc1d6f9d49cf57768f62d87d9c78fbe820feb3eb0be1d5277c6602d7a96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
2.5MB

MD5
b99e894f2fa9db7fcdb472d1c9535fab

SHA1
3d21b76685f4c6e00224d2f33e3742821e7bfb8f

SHA256
e8ecf9c2476fe8768e505068789e8f672a510d9995fdc55890822bc120e0125a

SHA512
2a6a13deff84d1920e71178e3ab3df1ad835eb0cbb510a1bcc236e745a6e3239ddcf2c8f594a234f2c28ec828db0d07dcd41d2acd0d6c1c8c2fc46f4d2aa635e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.4MB

MD5
449800c479e6ba5efb2f0c57b256ce1b

SHA1
1223be3de01e60c9068824d6d854a7480a6ec44d

SHA256
9e582555e818b2b675aa909ad93aabf653bc91d1ebed9bfa01ddf0023a9b6fa4

SHA512
aa5777f0d6ff71e167ea83b1de86928d020db3770185bcb14e6daf2106f69c0f6900c4238358631e7fea233d316f3d957b4fe6ef7e8f5949b477787d485b77fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7C75E00

Filesize
27KB

MD5
ef0383efb49725504aa156349c01e8a0

SHA1
7a9f5c7a08f2fe8dd9b9fbf400b69348ae473f2f

SHA256
ca9388820e438e9fbece0794b69abdfdedbef36b22d825717e1fa6460604ca91

SHA512
91af6d90dea1247fbfd6ebfe32a14797f5bfbb8a1d8662039484bfe13555fe2383c74f9292f179b670580fae0714fe6bee895200ad427d2fb8d065d4ed8cd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\db9a0b0c3b7a105d8d914d3c3a7cd2f26e375d44b05cec24d00c5aae6a932b58.exe

Filesize
4.1MB

MD5
3a1ecb687c50e671d38df940a8e418da

SHA1
8034714e35450df479d842865d29c75f8e80ac59

SHA256
7c33dc883141eaad482330649cafd0a77a2ab1bc5d1f3e5faeef125b5bd09f21

SHA512
849b3d96dc085875271d08eac402fae061a242cd0960e651e4ba291c3deb0300ea720f763047468fac38118962720d1df9f20c1d0841ab4d104d21bc1bb8642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tthr4HTh.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
4d275db31c0f66bb9cb4fe2ad1ac4790

SHA1
e67e129af863d0fc2e628523dbb8ca3c5c86e951

SHA256
303df2dc2321ef3d2b03dc0ca2a76148fbb6df656e9181a03da59c0679c39310

SHA512
6bb6d07e650de0dbda87f9ab980da5866ca66a9c8e75b035fa46f21e49a74fc089314fc34b65b786cd8d1c1d2669afb6df0f625483562fa3186c5c2abcb76b0d

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
b35500da2182f7686212ed6e22ce55ec

SHA1
a71b15a9c460b2213c5a8dfaa3b6bfcf5d18b4fd

SHA256
599ca3d60254b26c5019a9a0db4b9ffb5230a7ea5e64042921f80b09459b7c6e

SHA512
4bfbd5b2a116019b7a72e1751c209eeacd34dfeb4933f5924919079d966f39e239d7ad8d9f802070dff20a8c55ef65ca6ab3266c63f674fda6ba86928062f2e3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
3.3MB

MD5
f85ab55410e57cd842da9384e476fea1

SHA1
3ad4a6f686b903790d99b0b5cae2f125ff6bef61

SHA256
f0dac82b9779f299d4fa1c6044339074e08657507a6515b2035cc44399e6fdd1

SHA512
5332ad58f14f9639700c4570745caf3e42afb8306067ebbdd16ec886f9444b4c79f75902db211c3c3454abd149d9bd9cf20e0730df558c8f92221d2745d71c4b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
7a8fb4a306a9a057e68139cc8cf4325b

SHA1
0acd6b32508d53d7a24cf5568a6e253fb7cdb97e

SHA256
0d0180820a2129a957a90b617bb70a1531d289da169eecd1ec1b9e3caacbfe1c

SHA512
1fa3558ed7c2980e1052769f8962c5fe7849d8ddfa5080ba66a60a38b9ccd1ef0910b56c0b4b77c49cb72e2e6511cad324e55d24b4b71aef3ad72f1a2803b48a

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
98c13c210efbe77375b03c98de739207

SHA1
e2884d8e62b1ca582fe8c9fd75e6e24597933350

SHA256
5d81eac73e91253cb031354d9b61ee00977b847d3be0f0d380868c6b24410345

SHA512
01bbaba192bd72f39e21d3b6045555c79431179f3a6bea33c1ac0f0f032ca56b5ce90f8341c660755cd0ec207790e53714c236772f6ca31d11674d195e6309ed

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
5172ba16655db0a6c57a7763a0472784

SHA1
a56b1b5c6e87ea7931b326ec27af6e0431fe7171

SHA256
d934b2a7436f20bc1fa23c049e0f65e86fae151a843b96624eb8388d6eea8919

SHA512
83d471c79fc755c373ec4b773f0e3394e32e5796d9b0aecddef17121812369776de1a4e4cb826a1af6c3d7573c7e1a2c337d50af78a3ae2462e2b973dbfc9be8

Download Submit
memory/8-450-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-558-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/728-556-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-452-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-185-0x00007FF83C3F0000-0x00007FF83C400000-memory.dmp

Filesize
64KB

Download
memory/1484-200-0x00007FF839DA0000-0x00007FF839DB0000-memory.dmp

Filesize
64KB

Download
memory/1484-183-0x00007FF83C3F0000-0x00007FF83C400000-memory.dmp

Filesize
64KB

Download
memory/1484-184-0x00007FF83C3F0000-0x00007FF83C400000-memory.dmp

Filesize
64KB

Download
memory/1484-192-0x00007FF839DA0000-0x00007FF839DB0000-memory.dmp

Filesize
64KB

Download
memory/1484-186-0x00007FF83C3F0000-0x00007FF83C400000-memory.dmp

Filesize
64KB

Download
memory/1484-187-0x00007FF83C3F0000-0x00007FF83C400000-memory.dmp

Filesize
64KB

Download
memory/1492-453-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1492-420-0x0000000002460000-0x000000000247F000-memory.dmp

Filesize
124KB

Download
memory/1492-419-0x0000000002460000-0x000000000247F000-memory.dmp

Filesize
124KB

Download
memory/1556-862-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-523-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/1724-438-0x0000000002690000-0x00000000026AF000-memory.dmp

Filesize
124KB

Download
memory/1724-439-0x0000000002690000-0x00000000026AF000-memory.dmp

Filesize
124KB

Download
memory/1920-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-278-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2356-719-0x0000000002450000-0x000000000246F000-memory.dmp

Filesize
124KB

Download
memory/2356-718-0x0000000002450000-0x000000000246F000-memory.dmp

Filesize
124KB

Download
memory/2356-745-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2416-344-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-557-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2696-451-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-859-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2740-545-0x00000000025B0000-0x00000000025CF000-memory.dmp

Filesize
124KB

Download
memory/2740-625-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/2740-546-0x00000000025B0000-0x00000000025CF000-memory.dmp

Filesize
124KB

Download
memory/2864-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-864-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3084-743-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3256-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3256-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-649-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3456-648-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-345-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-559-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3952-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4004-744-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-651-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4244-626-0x0000000004010000-0x000000000402F000-memory.dmp

Filesize
124KB

Download
memory/4280-9-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/4280-116-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/4380-650-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4544-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4544-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4600-733-0x0000000000890000-0x00000000008AF000-memory.dmp

Filesize
124KB

Download
memory/4600-734-0x0000000000890000-0x00000000008AF000-memory.dmp

Filesize
124KB

Download
memory/4600-810-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4848-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4920-347-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4920-283-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/4920-282-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/4960-742-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4968-211-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/4976-640-0x0000000002510000-0x000000000252F000-memory.dmp

Filesize
124KB

Download
memory/4976-717-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/5028-314-0x0000000002410000-0x000000000242F000-memory.dmp

Filesize
124KB

Download
memory/5028-313-0x0000000002410000-0x000000000242F000-memory.dmp

Filesize
124KB

Download
memory/5028-416-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download