xred | 803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
Size

2.0MB
MD5

93d1d1c97e14653712e616df83ba0c59
SHA1

eb79dddb3b8bd6ad2af731aa07fce9ea7e9fd760
SHA256

803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9
SHA512

18d22d2f02876fcab989b5208c20f29fa72fa358e9d34c4112b9c4fd543a6fda2cd35ed2d41d8ddc548587e5b24ba61146b7ce373ca41495490793ddbbb7dd74
SSDEEP

49152:PnsHyjtk2MYC5GDafnsHyjtk2MYC5GDL3Svfe41Yq:Pnsmtk2alnsmtk2aXvfl1p

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 34 IoCs

pid	Process
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2748	Synaptics.exe
2548	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2724	._cache_Synaptics.exe
2360	._cache_synaptics.exe
276	Synaptics.exe
2116	._cache_Synaptics.exe
2768	._cache_synaptics.exe
1916	icsys.icn.exe
1832	explorer.exe
928	spoolsv.exe
1692	svchost.exe
2220	Synaptics.exe
1952	spoolsv.exe
2692	._cache_Synaptics.exe
2784	._cache_synaptics.exe
2800	icsys.icn.exe
1888	explorer.exe
2080	Synaptics.exe
1436	._cache_Synaptics.exe
2384	._cache_synaptics.exe
644	icsys.icn.exe
2124	explorer.exe
1652	Synaptics.exe
2372	._cache_Synaptics.exe
1980	._cache_synaptics.exe
1448	icsys.icn.exe
2448	explorer.exe
2580	Synaptics.exe
2320	._cache_Synaptics.exe
2920	._cache_synaptics.exe
2040	icsys.icn.exe
2536	explorer.exe
2104	Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2748	Synaptics.exe
2748	Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2360	._cache_synaptics.exe
2360	._cache_synaptics.exe
2360	._cache_synaptics.exe
276	Synaptics.exe
276	Synaptics.exe
276	Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2768	._cache_synaptics.exe
2116	._cache_Synaptics.exe
1916	icsys.icn.exe
1832	explorer.exe
928	spoolsv.exe
2768	._cache_synaptics.exe
2768	._cache_synaptics.exe
2768	._cache_synaptics.exe
1692	svchost.exe
2220	Synaptics.exe
2220	Synaptics.exe
2220	Synaptics.exe
2692	._cache_Synaptics.exe
2692	._cache_Synaptics.exe
2784	._cache_synaptics.exe
2692	._cache_Synaptics.exe
2784	._cache_synaptics.exe
2784	._cache_synaptics.exe
2784	._cache_synaptics.exe
2080	Synaptics.exe
2080	Synaptics.exe
2080	Synaptics.exe
1436	._cache_Synaptics.exe
1436	._cache_Synaptics.exe
2384	._cache_synaptics.exe
1436	._cache_Synaptics.exe
2384	._cache_synaptics.exe
2384	._cache_synaptics.exe
2384	._cache_synaptics.exe
1652	Synaptics.exe
1652	Synaptics.exe
1652	Synaptics.exe
2372	._cache_Synaptics.exe
2372	._cache_Synaptics.exe
1980	._cache_synaptics.exe
2372	._cache_Synaptics.exe
1980	._cache_synaptics.exe
1980	._cache_synaptics.exe
1980	._cache_synaptics.exe
2580	Synaptics.exe
2580	Synaptics.exe
2580	Synaptics.exe
2320	._cache_Synaptics.exe
2320	._cache_Synaptics.exe
2920	._cache_synaptics.exe
2320	._cache_Synaptics.exe
2920	._cache_synaptics.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
880	schtasks.exe
1564	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3000	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
2360	._cache_synaptics.exe
2360	._cache_synaptics.exe
2360	._cache_synaptics.exe
2360	._cache_synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
1916	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1832	explorer.exe
1692	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2360	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2360	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2360	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2360	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2768	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2784	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2384	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1980	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2920	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
2724	._cache_Synaptics.exe
2724	._cache_Synaptics.exe
3000	EXCEL.EXE
2116	._cache_Synaptics.exe
2116	._cache_Synaptics.exe
1036	EXCEL.EXE
1916	icsys.icn.exe
1916	icsys.icn.exe
1832	explorer.exe
1832	explorer.exe
928	spoolsv.exe
928	spoolsv.exe
1692	svchost.exe
1692	svchost.exe
1952	spoolsv.exe
1952	spoolsv.exe
2692	._cache_Synaptics.exe
2692	._cache_Synaptics.exe
2708	EXCEL.EXE
2800	icsys.icn.exe
2800	icsys.icn.exe
1888	explorer.exe
1888	explorer.exe
1436	._cache_Synaptics.exe
1436	._cache_Synaptics.exe
1192	EXCEL.EXE
644	icsys.icn.exe
644	icsys.icn.exe
2124	explorer.exe
2124	explorer.exe
2372	._cache_Synaptics.exe
2372	._cache_Synaptics.exe
3044	EXCEL.EXE
1448	icsys.icn.exe
1448	icsys.icn.exe
2448	explorer.exe
2448	explorer.exe
2320	._cache_Synaptics.exe
2320	._cache_Synaptics.exe
2992	EXCEL.EXE
2040	icsys.icn.exe
2040	icsys.icn.exe
2536	explorer.exe
2536	explorer.exe
1720	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2816	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	31
PID 1668 wrote to memory of 2816	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	31
PID 1668 wrote to memory of 2816	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	31
PID 1668 wrote to memory of 2816	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	31
PID 1668 wrote to memory of 2748	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	32
PID 1668 wrote to memory of 2748	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	32
PID 1668 wrote to memory of 2748	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	32
PID 1668 wrote to memory of 2748	1668	803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	32
PID 2816 wrote to memory of 2548	2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	33
PID 2816 wrote to memory of 2548	2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	33
PID 2816 wrote to memory of 2548	2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	33
PID 2816 wrote to memory of 2548	2816	._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe	33
PID 2748 wrote to memory of 2724	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2724	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2724	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2724	2748	Synaptics.exe	34
PID 2724 wrote to memory of 2360	2724	._cache_Synaptics.exe	36
PID 2724 wrote to memory of 2360	2724	._cache_Synaptics.exe	36
PID 2724 wrote to memory of 2360	2724	._cache_Synaptics.exe	36
PID 2724 wrote to memory of 2360	2724	._cache_Synaptics.exe	36
PID 2360 wrote to memory of 276	2360	._cache_synaptics.exe	37
PID 2360 wrote to memory of 276	2360	._cache_synaptics.exe	37
PID 2360 wrote to memory of 276	2360	._cache_synaptics.exe	37
PID 2360 wrote to memory of 276	2360	._cache_synaptics.exe	37
PID 276 wrote to memory of 2116	276	Synaptics.exe	38
PID 276 wrote to memory of 2116	276	Synaptics.exe	38
PID 276 wrote to memory of 2116	276	Synaptics.exe	38
PID 276 wrote to memory of 2116	276	Synaptics.exe	38
PID 2116 wrote to memory of 2768	2116	._cache_Synaptics.exe	40
PID 2116 wrote to memory of 2768	2116	._cache_Synaptics.exe	40
PID 2116 wrote to memory of 2768	2116	._cache_Synaptics.exe	40
PID 2116 wrote to memory of 2768	2116	._cache_Synaptics.exe	40
PID 2116 wrote to memory of 1916	2116	._cache_Synaptics.exe	41
PID 2116 wrote to memory of 1916	2116	._cache_Synaptics.exe	41
PID 2116 wrote to memory of 1916	2116	._cache_Synaptics.exe	41
PID 2116 wrote to memory of 1916	2116	._cache_Synaptics.exe	41
PID 1916 wrote to memory of 1832	1916	icsys.icn.exe	42
PID 1916 wrote to memory of 1832	1916	icsys.icn.exe	42
PID 1916 wrote to memory of 1832	1916	icsys.icn.exe	42
PID 1916 wrote to memory of 1832	1916	icsys.icn.exe	42
PID 1832 wrote to memory of 928	1832	explorer.exe	43
PID 1832 wrote to memory of 928	1832	explorer.exe	43
PID 1832 wrote to memory of 928	1832	explorer.exe	43
PID 1832 wrote to memory of 928	1832	explorer.exe	43
PID 928 wrote to memory of 1692	928	spoolsv.exe	44
PID 928 wrote to memory of 1692	928	spoolsv.exe	44
PID 928 wrote to memory of 1692	928	spoolsv.exe	44
PID 928 wrote to memory of 1692	928	spoolsv.exe	44
PID 2768 wrote to memory of 2220	2768	._cache_synaptics.exe	45
PID 2768 wrote to memory of 2220	2768	._cache_synaptics.exe	45
PID 2768 wrote to memory of 2220	2768	._cache_synaptics.exe	45
PID 2768 wrote to memory of 2220	2768	._cache_synaptics.exe	45
PID 1692 wrote to memory of 1952	1692	svchost.exe	46
PID 1692 wrote to memory of 1952	1692	svchost.exe	46
PID 1692 wrote to memory of 1952	1692	svchost.exe	46
PID 1692 wrote to memory of 1952	1692	svchost.exe	46
PID 1832 wrote to memory of 1624	1832	explorer.exe	47
PID 1832 wrote to memory of 1624	1832	explorer.exe	47
PID 1832 wrote to memory of 1624	1832	explorer.exe	47
PID 1832 wrote to memory of 1624	1832	explorer.exe	47
PID 1692 wrote to memory of 880	1692	svchost.exe	48
PID 1692 wrote to memory of 880	1692	svchost.exe	48
PID 1692 wrote to memory of 880	1692	svchost.exe	48
PID 1692 wrote to memory of 880	1692	svchost.exe	48

C:\Users\Admin\AppData\Local\Temp\803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
"C:\Users\Admin\AppData\Local\Temp\803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - \??\c:\users\admin\appdata\local\temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
    c:\users\admin\appdata\local\temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2548
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:276
      - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:644
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:32 /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:33 /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        9⤵
        
        PID:1624

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCXEB78.tmp

Filesize
753KB

MD5
96c16a4ab83a5cad16d12fa6081ecefd

SHA1
f267cbf5190ceb1c0e0e1286ab8631ef9e4d55fa

SHA256
f3a9d17da0c3a9d5860786bff5624b205f7013f8d29bbc105e71d30ad5f528bf

SHA512
5ca1f9649c72679e8387b28a1ee2056e08c9e98d42b124c79060615a46544e32d342395f44661b191607c61db4b41057487e881b093bf1e7e2474b18f71d56f0

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
93d1d1c97e14653712e616df83ba0c59

SHA1
eb79dddb3b8bd6ad2af731aa07fce9ea7e9fd760

SHA256
803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9

SHA512
18d22d2f02876fcab989b5208c20f29fa72fa358e9d34c4112b9c4fd543a6fda2cd35ed2d41d8ddc548587e5b24ba61146b7ce373ca41495490793ddbbb7dd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe

Filesize
1.2MB

MD5
796eed038e49be83dc11994ef41330b0

SHA1
6abb7c3a1bbe2dd5e93d068faee89a549357e241

SHA256
eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9f

SHA512
a8e6c7dfa9fbb910ed682d7d0256c4cc86c5bead9b40d945bad8d9c6ad7c243c7199102e8d8fbbf6abbd386759b8ccd2f18d32b1ae919c2eb9879a2c1c8772d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bnt6qBQj.xlsm

Filesize
23KB

MD5
7998936cda150a818835c41103e7ff09

SHA1
d73b83506aa37129044b0d604f95410a75c37b0a

SHA256
1e3ae18e2ed1e709fdad6f2496f9c964ad9c7032bf7bd5e745d24c52484b478a

SHA512
381bdaa3084354c854ca1ded815a3beff6e9481418462fa7148a2976eb69b599244d5045a0455b3a7f1af6673f0a2630295dc165a16de944e21fbec25f9b5e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bnt6qBQj.xlsm

Filesize
25KB

MD5
623dcb2bac3f7f567ba7ffd8f00e86ec

SHA1
9ce1def34b5ff8f9936a9c83813cc19436f90a0d

SHA256
2846ccbbc8ad64c45e32449db2f20cf93be3f3981801d817c23a668f3a0a3d59

SHA512
39a6efa3104336022a932bb7d1531479e7e1342907c197e5acaa9a42cfe2f034efd2487c1f87019fae2bce71390915ec7200868134aa074c9221b45e97ac171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\w89ycHey.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
ed04b2affce46890338cc7db6288fab5

SHA1
f1f4e9b331a22502e887609dc78bb2bfb7327bf3

SHA256
edda62108aeed915427fa552e3adf8d09125458e164422b911fc00186aaf4e31

SHA512
cb53ae2fc6ba115d8bcd9718d98de55373658797f494d1130e663fdd33759e180569265e1c281269f695745e7fde073f003f7674d1fcfe1552030087451d0555

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bdbb0343d5ce8618b4f6b1c7de2966d6

SHA1
610d9cd3932598b9eb72a891b562a22ed9133052

SHA256
9fbbc2ae078b4e026cf351323b25a5cfecf109ed0f11382b83d18bb22346ffa0

SHA512
8f880712854ed099f8535b5c87173bbfcf80a91d6c1416c8258e03c14c328b0d5cd2447299cf9b2a3c74931067844e57de5f1c2ba7ed241e92a7572b53a21119

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
57089ced44bf0ae5ed63526a5d9443f2

SHA1
65be602abfd58d4eb21e80ba7e21b1504e2b3f85

SHA256
f5cf6f3280a2fe9723efe2c5f7828e340955ca583b3d8dc75d8eb3143e2f1f2c

SHA512
fbc31be1bd65004aefd05ccde1902761db4d88f63b111b0e838d6888e3b96db997afe88f47704199e72f5b5e8020f32b2e03d6c41ee4b09a14e989a753293639

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
364KB

MD5
38f18ebb5b81b4481b732f68d2b9fe90

SHA1
eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0

SHA256
a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b

SHA512
9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9.exe

Filesize
1.1MB

MD5
1ed783cd8aa28a57cc404e304bdb980b

SHA1
5a701bf0ff1d75ba49af96f8f0fcce045dba6d12

SHA256
dcee609154e98ee26ddb3d559c39ec35bc6f4b2aff448bc44ecd234a3931f30f

SHA512
39d24d74cebc7c5bad82765dbe690de43943d60686c5ae2cb81b5f5b5ff6db1aed3d55aa0e0149aa1deaa8acfe896334716b0c5c5bf17d25c316211ab43b14ea

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6e9b6f3654b4e2087925fadbe862202b

SHA1
5c85219e12f5f24aba021a79b5411ff21b160b9e

SHA256
b14622a684dcd8762c4d9f4f52eb91f5714039cc3fcb65bcff7b7b6fa91b615e

SHA512
fad4d64efa44bbbbf558929c3c47fa751836d6b63fc49bdff22a06f33f560895551c378a5023cacd2d6997deb0d936bdd6189f5a928bdb4a5076f4666696f7ca

Download Submit
memory/276-96-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/276-131-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/644-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/928-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/928-162-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1436-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-266-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/1448-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1448-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-328-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1652-292-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1668-28-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/1668-17-0x0000000003EA0000-0x0000000003EBF000-memory.dmp

Filesize
124KB

Download
memory/1668-30-0x0000000003EA0000-0x0000000003EBF000-memory.dmp

Filesize
124KB

Download
memory/1668-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1692-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-470-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/1692-469-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-468-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-130-0x0000000002530000-0x000000000254F000-memory.dmp

Filesize
124KB

Download
memory/1952-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1980-349-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2040-378-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-240-0x00000000006F0000-0x000000000070F000-memory.dmp

Filesize
124KB

Download
memory/2080-274-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2104-463-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2104-464-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2104-500-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2116-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2116-120-0x0000000001EF0000-0x0000000001F0F000-memory.dmp

Filesize
124KB

Download
memory/2124-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-218-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2220-187-0x0000000002090000-0x00000000020AF000-memory.dmp

Filesize
124KB

Download
memory/2320-395-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-93-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2372-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-326-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2384-291-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2448-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-73-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-350-0x0000000004000000-0x000000000401F000-memory.dmp

Filesize
124KB

Download
memory/2580-397-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2692-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-72-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/2748-51-0x0000000003FD0000-0x0000000003FEF000-memory.dmp

Filesize
124KB

Download
memory/2768-172-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2784-239-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2800-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2816-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2816-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-411-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3000-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download