Overview

Score per analysis (sample names are truncated in the listing; the full paths are in the Behavioral task table below):

  Entry                 Platform              Score
  Overview                                    10
  Static                                      10
  AntiPubs D...er.exe   windows7-x64          10
  AntiPubs D...er.exe   windows10-2004-x64    10
  AntiPubs D...er.exe   windows7-x64          3
  AntiPubs D...er.exe   windows10-2004-x64    3
  AntiPubs D...ol.dll   windows7-x64          1
  AntiPubs D...ol.dll   windows10-2004-x64    1
  AntiPubs D...er.dll   windows7-x64          1
  AntiPubs D...er.dll   windows10-2004-x64    1
  AntiPubs D...rk.dll   windows7-x64          1
  AntiPubs D...rk.dll   windows10-2004-x64    1
  AntiPubs D...ib.dll   windows7-x64          1
  AntiPubs D...ib.dll   windows10-2004-x64    1
  AntiPubs D...on.dll   windows7-x64          1
  AntiPubs D...on.dll   windows10-2004-x64    1
  AntiPubs D...er.exe   windows7-x64          10
  AntiPubs D...er.exe   windows10-2004-x64    10
  AntiPubs D...F6.dll   windows7-x64          1
  AntiPubs D...F6.dll   windows10-2004-x64    1
  AntiPubs D...nq.dll   windows7-x64          1
  AntiPubs D...nq.dll   windows10-2004-x64    1
  AntiPubs D...te.dll   windows7-x64          1
  AntiPubs D...te.dll   windows10-2004-x64    1
  AntiPubs D...te.exe   windows7-x64          10
  AntiPubs D...te.exe   windows10-2004-x64    10
  AntiPubs D...ar.dll   windows7-x64          1
  AntiPubs D...ar.dll   windows10-2004-x64    1
  AntiPubs D...er.exe   windows7-x64          3
  AntiPubs D...er.exe   windows10-2004-x64    3
  AntiPubs D...op.dll   windows7-x64          1
  AntiPubs D...op.dll   windows10-2004-x64    1
  AntiPubs D...op.dll   windows7-x64          3
  AntiPubs D...op.dll   windows10-2004-x64    3

Analysis

  max time kernel:   150s
  max time network:  148s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         22-12-2024 12:23
Behavioral tasks

  Task           Sample                                                   Resource
  behavioral1    AntiPubs Dork Searcher EZ/._cache_Searcher.exe           win7-20240729-en
  behavioral2    AntiPubs Dork Searcher EZ/._cache_Searcher.exe           win10v2004-20241007-en
  behavioral3    AntiPubs Dork Searcher EZ/._cache_searcher.exe           win7-20240708-en
  behavioral4    AntiPubs Dork Searcher EZ/._cache_searcher.exe           win10v2004-20241007-en
  behavioral5    AntiPubs Dork Searcher EZ/Control.dll                    win7-20240903-en
  behavioral6    AntiPubs Dork Searcher EZ/Control.dll                    win10v2004-20241007-en
  behavioral7    AntiPubs Dork Searcher EZ/EntityFramework.SqlServer.dll  win7-20240903-en
  behavioral8    AntiPubs Dork Searcher EZ/EntityFramework.SqlServer.dll  win10v2004-20241007-en
  behavioral9    AntiPubs Dork Searcher EZ/EntityFramework.dll            win7-20241023-en
  behavioral10   AntiPubs Dork Searcher EZ/EntityFramework.dll            win10v2004-20241007-en
  behavioral11   AntiPubs Dork Searcher EZ/Interop.WMPLib.dll             win7-20241010-en
  behavioral12   AntiPubs Dork Searcher EZ/Interop.WMPLib.dll             win10v2004-20241007-en
  behavioral13   AntiPubs Dork Searcher EZ/Newtonsoft.Json.dll            win7-20240903-en
  behavioral14   AntiPubs Dork Searcher EZ/Newtonsoft.Json.dll            win10v2004-20241007-en
  behavioral15   AntiPubs Dork Searcher EZ/Searcher.exe                   win7-20240903-en
  behavioral16   AntiPubs Dork Searcher EZ/Searcher.exe                   win10v2004-20241007-en
  behavioral17   AntiPubs Dork Searcher EZ/System.Data.SQLite.EF6.dll     win7-20240903-en
  behavioral18   AntiPubs Dork Searcher EZ/System.Data.SQLite.EF6.dll     win10v2004-20241007-en
  behavioral19   AntiPubs Dork Searcher EZ/System.Data.SQLite.Linq.dll    win7-20240903-en
  behavioral20   AntiPubs Dork Searcher EZ/System.Data.SQLite.Linq.dll    win10v2004-20241007-en
  behavioral21   AntiPubs Dork Searcher EZ/System.Data.SQLite.dll         win7-20240903-en
  behavioral22   AntiPubs Dork Searcher EZ/System.Data.SQLite.dll         win10v2004-20241007-en
  behavioral23   AntiPubs Dork Searcher EZ/Update.exe                     win7-20241010-en
  behavioral24   AntiPubs Dork Searcher EZ/Update.exe                     win10v2004-20241007-en
  behavioral25   AntiPubs Dork Searcher EZ/War.dll                        win7-20240903-en
  behavioral26   AntiPubs Dork Searcher EZ/War.dll                        win10v2004-20241007-en
  behavioral27   AntiPubs Dork Searcher EZ/searcher.exe                   win7-20240903-en
  behavioral28   AntiPubs Dork Searcher EZ/searcher.exe                   win10v2004-20241007-en
  behavioral29   AntiPubs Dork Searcher EZ/x64/SQLite.Interop.dll         win7-20240903-en
  behavioral30   AntiPubs Dork Searcher EZ/x64/SQLite.Interop.dll         win10v2004-20241007-en
  behavioral31   AntiPubs Dork Searcher EZ/x86/SQLite.Interop.dll         win7-20240903-en
  behavioral32   AntiPubs Dork Searcher EZ/x86/SQLite.Interop.dll         win10v2004-20241007-en
General

  Target:  AntiPubs Dork Searcher EZ/Searcher.exe
  Size:    7.7MB
  MD5:     89b8241a6504c5f75684558cf8262c92
  SHA1:    f2572052d0905be7c6df457564f7815419f4a225
  SHA256:  2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de
  SHA512:  5a05c1d3eb88279329c0a93bd5473732be9d48a0d96527be70d6df04b53d3b386a1282f427e2485d8e1ea34815f38f5e74801b4dcbf6eaaa21c6519a0cecc34b
  SSDEEP:  98304:Tnsmtk2aDyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6FmlC:rLKyldD5smuMQDfUi/vXgIa8IRkZI2N
Malware Config

Extracted (family: xred)
  xred.mooo.com
  payload_url:
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SUpdate.ini
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://xred.site50.net/syn/Synaptics.rar
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
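The URLs above come from the configuration extracted out of the sample, not from traffic the sandbox captured, so the place to hunt for them is proxy and DNS logs. The following PowerShell sweep is an added example and not part of the report; the function name Find-XredNetworkIoc, the log line format and the sample lines are this example's own assumptions, and the indicator list is copied from the config above. The design point it shows: xred.mooo.com and xred.site50.net are dedicated hostnames and can be matched on their own, whereas docs.google.com, dropbox.com and freedns.afraid.org are shared services and must be matched on the full path or document ID, otherwise every legitimate Google Docs request on the network becomes a false positive.

```powershell
# Added example, not part of the sandbox report. Sweeps log lines for the network
# indicators in the extracted xred config. Function name, log format and sample
# lines are assumptions made for this example.

# Dedicated hosts from the config: safe to match on the bare name.
$XredDedicatedHosts = @('xred.mooo.com', 'xred.site50.net')

# Entries hosted on shared services: matched on path/ID only, never on the host.
# Scheme and the Dropbox "?dl=1" suffix are dropped so the match survives log
# normalisation; the document IDs and share tokens are copied verbatim.
$XredSharedServiceUrls = @(
    'freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978',
    'docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download',
    'dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini',
    'docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download',
    'dropbox.com/s/zhp1b06imehwylq/Synaptics.rar',
    'docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download',
    'dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll'
)

function Find-XredNetworkIoc {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        foreach ($h in $XredDedicatedHosts) {
            # Bound the host name so "notxred.mooo.com" or "xred.mooo.com-cdn" do not match.
            $pattern = '(?<![\w.-])' + [regex]::Escape($h) + '(?![\w-])'
            if ($Line -match $pattern) {
                [pscustomobject]@{ Kind = 'host'; Indicator = $h; Line = $Line }
            }
        }
        foreach ($u in $XredSharedServiceUrls) {
            # Full path/ID match; [regex]::Escape neutralises the '?' and '.' in the URL.
            if ($Line -match [regex]::Escape($u)) {
                [pscustomobject]@{ Kind = 'url'; Indicator = $u; Line = $Line }
            }
        }
    }
}

# Constructed sample log lines (not from the report). Line 3 is a benign Google Docs
# request and must not be flagged; the other four each carry one indicator.
$SampleLog = @(
    '2024-12-22T12:25:01Z 10.0.0.5 GET http://xred.site50.net/syn/SUpdate.ini 200',
    '2024-12-22T12:25:02Z 10.0.0.5 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download 302',
    '2024-12-22T12:25:03Z 10.0.0.7 GET https://docs.google.com/document/d/abc123/edit 200',
    '2024-12-22T12:25:04Z 10.0.0.5 DNS A xred.mooo.com',
    '2024-12-22T12:25:05Z 10.0.0.9 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 200'
)

$SampleLog | Find-XredNetworkIoc | Format-Table -AutoSize
# On a real host replace $SampleLog with: Get-Content .\proxy.log | Find-XredNetworkIoc
```

Running it on the sample lines reports four hits (the xred.site50.net request, the Google Docs download with the listed ID, the DNS lookup for xred.mooo.com and the Dropbox share) and leaves the unrelated Google Docs line alone.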
Signatures

Modifies visibility of hidden/system files in Explorer   (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Xred family

Checks computer location settings   (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Searcher.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE   (12 IoCs)
  pid  | Process
  3808 | ._cache_Searcher.exe
  964  | Synaptics.exe
  2260 | ._cache_searcher.exe
  2872 | ._cache_Synaptics.exe
  3772 | icsys.icn.exe
  856  | explorer.exe
  2376 | spoolsv.exe
  3880 | svchost.exe
  2160 | ._cache_synaptics.exe
  3764 | spoolsv.exe
  2956 | icsys.icn.exe
  2360 | explorer.exe

Adds Run key to start application   (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | Searcher.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory   (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory   (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_Searcher.exe
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_Synaptics.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Enumerates physical storage devices   (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery   (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Searcher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_searcher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Searcher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe

Checks processor information in registry   (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry   (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class   (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Searcher.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Suspicious behavior: AddClipboardFormatListener   (1 IoC)
  pid  | Process
  3768 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses   (64 IoCs)
  pid  | Process               | rows
  3808 | ._cache_Searcher.exe  | 32
  2872 | ._cache_Synaptics.exe | 32

Suspicious behavior: GetForegroundWindowSpam   (2 IoCs)
  pid  | Process
  856  | explorer.exe
  3880 | svchost.exe

Suspicious use of SetWindowsHookEx   (26 IoCs)
  pid  | Process               | rows
  3808 | ._cache_Searcher.exe  | 2
  2872 | ._cache_Synaptics.exe | 2
  3772 | icsys.icn.exe         | 2
  3768 | EXCEL.EXE             | 8
  856  | explorer.exe          | 2
  2376 | spoolsv.exe           | 2
  3880 | svchost.exe           | 2
  3764 | spoolsv.exe           | 2
  2956 | icsys.icn.exe         | 2
  2360 | explorer.exe          | 2

Suspicious use of WriteProcessMemory   (36 IoCs; each parent/child pair is logged three times)
  description | pid | Process | target pid | procid_target
  PID 4228 wrote to memory of 3808 | 4228 | Searcher.exe          | 3808 | 81
  PID 4228 wrote to memory of 964  | 4228 | Searcher.exe          | 964  | 82
  PID 3808 wrote to memory of 2260 | 3808 | ._cache_Searcher.exe  | 2260 | 83
  PID 964 wrote to memory of 2872  | 964  | Synaptics.exe         | 2872 | 84
  PID 3808 wrote to memory of 3772 | 3808 | ._cache_Searcher.exe  | 3772 | 86
  PID 3772 wrote to memory of 856  | 3772 | icsys.icn.exe         | 856  | 87
  PID 856 wrote to memory of 2376  | 856  | explorer.exe          | 2376 | 89
  PID 2376 wrote to memory of 3880 | 2376 | spoolsv.exe           | 3880 | 91
  PID 2872 wrote to memory of 2160 | 2872 | ._cache_Synaptics.exe | 2160 | 90
  PID 3880 wrote to memory of 3764 | 3880 | svchost.exe           | 3764 | 92
  PID 2872 wrote to memory of 2956 | 2872 | ._cache_Synaptics.exe | 2956 | 93
  PID 2956 wrote to memory of 2360 | 2956 | icsys.icn.exe         | 2360 | 94
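The persistence rows above are the ones worth turning into a host check: a Run value named "Synaptics Pointing Device Driver" pointing at C:\ProgramData\Synaptics\Synaptics.exe, RunOnce values Explorer and Svchost pointing at copies under C:\Windows\Resources, and the dropped icsys.icn.exe / explorer.exe / spoolsv.exe / svchost.exe / tjud.exe files. Note that the bare explorer.exe and svchost.exe names in the Process column are those dropped copies, not the Windows binaries. The script below is an added PowerShell triage example, not part of the report; the function name Test-XredPersistence and the output format are this example's own choices, and every path, value name and SHA256 is copied from this report. It assumes a 64-bit host (where the sandbox saw the values under WOW6432Node because Searcher.exe is a 32-bit process) but also checks the non-WOW path that a 32-bit host would use. Two caveats it builds in: ShowSuperHidden = 0 is the Windows default and is only corroborating evidence, and C:\Windows\SysWOW64\explorer.exe is a genuine Windows file that the dropped copies opened for modification, so it is checked by signature rather than by existence.

```powershell
# Added host-triage example; not part of the sandbox report. Function name and output
# format are this example's own choices; paths, value names and hashes come from the report.

function Test-XredPersistence {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autostart values. The sandbox saw them under WOW6432Node because Searcher.exe is
    #    32-bit; a 32-bit host would hold the same values under the plain path.
    $runKeys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # value name -> regex the data must match (single quotes: "\\" is one literal backslash).
    # A genuine Synaptics driver entry does not point into ProgramData, so it will not match.
    $badValues = @{
        'Synaptics Pointing Device Driver' = 'programdata\\synaptics\\synaptics\.exe'
        'Explorer'                         = 'resources\\themes\\explorer\.exe'
        'Svchost'                          = 'resources\\svchost\.exe'
    }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $badValues.Keys) {
            $data = $props.$name
            if ($data -and ($data -match $badValues[$name])) {
                $findings.Add("autostart      $key : $name = $data")
            }
        }
    }

    # 2. Dropped binaries from the "Drops file" and "Executes dropped EXE" rows.
    $droppedPaths = @(
        (Join-Path $env:ProgramData 'Synaptics\Synaptics.exe'),
        (Join-Path $env:SystemRoot 'Resources\Themes\icsys.icn.exe'),
        (Join-Path $env:SystemRoot 'Resources\Themes\explorer.exe'),
        (Join-Path $env:SystemRoot 'Resources\spoolsv.exe'),
        (Join-Path $env:SystemRoot 'Resources\svchost.exe'),
        (Join-Path $env:SystemRoot 'Resources\tjud.exe')
    )
    # SHA256 values from the report's Downloads section (the first is Searcher.exe itself).
    $reportHashes = @(
        '2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de',
        '42410bd8a3196420ac4f8aa517c33515046656e4825861fdafbc5ede50fee367',
        '8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15',
        '3b28aaf3dd8ea9623ab80e4f567e65b8bb5db686b129f27f6d9bc0907f2ed289',
        '9eee738a0be74282659e61da2764f358cd5db063019bab247d513b5b63af748f',
        '3aad4931bc76e1d654e5fe3fc6a1a10277b0d66190a8547782a3d7fa117ccc27',
        '8984498291e3135313b6ce89c01edb4c6717adab0b2391c29279b4a86fc23ad2',
        'a375095db88ab000ddb43901abd56d4027b8a3b40021df32523f87535abbb720',
        'eb8cfcc9ba03704e2250036ea53e54010e06179064994c68f3f69eeff9315862'
    )
    foreach ($path in $droppedPaths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        $note = if ($reportHashes -contains $hash) { 'SHA256 listed in report' }
                else { 'SHA256 not in report; keep the file for analysis' }
        $findings.Add("dropped file   $path ($note)")
    }

    # 3. SysWOW64\explorer.exe is a real Windows file the dropped copies opened for
    #    modification, so existence proves nothing: verify its (catalog) signature.
    #    On Windows 7 compare the hash against a known-good copy instead.
    $sysExplorer = Join-Path $env:SystemRoot 'SysWOW64\explorer.exe'
    if (Test-Path -LiteralPath $sysExplorer) {
        $sig = Get-AuthenticodeSignature -FilePath $sysExplorer
        if ($sig.Status -ne 'Valid') {
            $findings.Add("tampered?      $sysExplorer signature status: $($sig.Status)")
        }
    }

    # 4. Running copies: the chain runs explorer.exe, spoolsv.exe and svchost.exe out of
    #    C:\Windows\Resources, a directory the genuine binaries never live in.
    $resourcesDir = Join-Path $env:SystemRoot 'Resources\*'
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = try { $_.Path } catch { $null }   # protected processes deny MainModule access
        if ($p -and ($p -like $resourcesDir)) {
            $findings.Add("running        PID $($_.Id) $p")
        }
    }

    # 5. ShowSuperHidden = 0 is also the Windows default, so it is not an indicator on its
    #    own; report it only as corroboration when something above already fired.
    $adv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($findings.Count -gt 0 -and $adv -and ($adv.ShowSuperHidden -eq 0)) {
        $findings.Add('corroborating  ShowSuperHidden = 0 (protected OS files hidden in Explorer)')
    }

    return $findings
}

$result = Test-XredPersistence
if ($result.Count -eq 0) { 'no Xred/Synaptics persistence artefacts found' } else { $result }
```

Run it in an elevated PowerShell on the suspect host; on a clean machine it prints the single "not found" line. Any dropped file whose hash is not in the report should be preserved rather than deleted, because this chain prepends itself to other executables and a different hash usually means a different host file was infected.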
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Searcher.exe   PID 4228
  cmdline: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Searcher.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Searcher.exe   PID 3808
      cmdline: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Searcher.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_searcher.exe   PID 2260
          cmdline: "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_searcher.exe "
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Windows\Resources\Themes\icsys.icn.exe   PID 3772
          cmdline: C:\Windows\Resources\Themes\icsys.icn.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            \??\c:\windows\resources\themes\explorer.exe   PID 856
              cmdline: c:\windows\resources\themes\explorer.exe
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                \??\c:\windows\resources\spoolsv.exe   PID 2376
                  cmdline: c:\windows\resources\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                    \??\c:\windows\resources\svchost.exe   PID 3880
                      cmdline: c:\windows\resources\svchost.exe
                      - Modifies visibility of hidden/system files in Explorer
                      - Executes dropped EXE
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: GetForegroundWindowSpam
                      - Suspicious use of SetWindowsHookEx
                      - Suspicious use of WriteProcessMemory

                        \??\c:\windows\resources\spoolsv.exe   PID 3764
                          cmdline: c:\windows\resources\spoolsv.exe PR
                          - Executes dropped EXE
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of SetWindowsHookEx

    C:\ProgramData\Synaptics\Synaptics.exe   PID 964
      cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe   PID 2872
          cmdline: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe" InjUpdate
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe   PID 2160
              cmdline: "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe " InjUpdate
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Windows\Resources\Themes\icsys.icn.exe   PID 2956
              cmdline: C:\Windows\Resources\Themes\icsys.icn.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                \??\c:\windows\resources\themes\explorer.exe   PID 2360
                  cmdline: c:\windows\resources\themes\explorer.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   PID 3768
  cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads

  Filesize  7.7MB
    MD5     89b8241a6504c5f75684558cf8262c92
    SHA1    f2572052d0905be7c6df457564f7815419f4a225
    SHA256  2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de
    SHA512  5a05c1d3eb88279329c0a93bd5473732be9d48a0d96527be70d6df04b53d3b386a1282f427e2485d8e1ea34815f38f5e74801b4dcbf6eaaa21c6519a0cecc34b

  Filesize  23KB
    MD5     bdcd3acc065755e008ffe1f5e6b812b2
    SHA1    3ee4a4f12d0849318f769d50c8d7055019c599bb
    SHA256  42410bd8a3196420ac4f8aa517c33515046656e4825861fdafbc5ede50fee367
    SHA512  19c2f77a3ce43838e397d8877e2fe4f1697b87965ba5804d4c1c4d8f2f8495acae5a0600dc8fb4f9fc2de0ae0abb8c789d37c59529ee6d4d9df33eed12616666

  Filesize  17KB
    MD5     e566fc53051035e1e6fd0ed1823de0f9
    SHA1    00bc96c48b98676ecd67e81a6f1d7754e4156044
    SHA256  8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
    SHA512  a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  Filesize  7.0MB
    MD5     15eb4b61e2e64ac84925535dc5ffe8de
    SHA1    b95491efa58261ca585878238fa24d98fae41287
    SHA256  3b28aaf3dd8ea9623ab80e4f567e65b8bb5db686b129f27f6d9bc0907f2ed289
    SHA512  489751c78f8aded9a4b77eada0cccedab4d0faf50443607e17d81f65856ff77ad2842cb2ba5002e377c48fff441d86d38f74273367353fc2572a80ff980c14b5

  Filesize  135KB
    MD5     bb38812e659c3d728f409ba8206da43e
    SHA1    231777c045c807c20eb964c5a8714e1de9e4302b
    SHA256  9eee738a0be74282659e61da2764f358cd5db063019bab247d513b5b63af748f
    SHA512  91854244be2838e0efa5f3566ce3a4518484ab71fff5f06b86ef0b1309cb9e8dc988d63b0d35e54a6c7515b0c1cea9b95bbdfd469415459a46c58e96ed42a2fc

  Filesize  6.8MB
    MD5     d4b43b2ce490d8786ccde6debcad2251
    SHA1    e88d0c6b5c336ee7c03e145532a6ce44db28af90
    SHA256  3aad4931bc76e1d654e5fe3fc6a1a10277b0d66190a8547782a3d7fa117ccc27
    SHA512  8bff940911e750f06c76c724b92de0753f4089d92f95e5d3d3659de3869a91908c6de25e480a0101d8149fcc881b71f585c39a2e9206393bb89f1f5e43bdda46

  Filesize  135KB
    MD5     af014d16e34af7f302232f13d0c2b534
    SHA1    8ba1390688670150a391c7892a157257aa7b054d
    SHA256  8984498291e3135313b6ce89c01edb4c6717adab0b2391c29279b4a86fc23ad2
    SHA512  1d8eb2ac6814e4b80ae6f71e07f77d77755019297b7ebd0d3b29a3a32b9f855e24c7c9c033414534bb2ca2a385dd86994eab10c49225121c5c9a636fa5f66fbe

  Filesize  135KB
    MD5     f96267254ec37b90dd7e09426ef906d8
    SHA1    76ffdfa7a87c5f9b9a99596bdd72694f94d38c5c
    SHA256  a375095db88ab000ddb43901abd56d4027b8a3b40021df32523f87535abbb720
    SHA512  52845f27a431a7287ff6732c53c15b47be06207310240d36c0e1f7c0bb543d9a212154ac4c479e591b49328704a53733f00c711c6c5f4268a34615716b0bcbfe

  Filesize  135KB
    MD5     99584567aa503d0ea882aa77df98ab45
    SHA1    ed43e2ce88867cd076787c84d0937132a7f3e666
    SHA256  eb8cfcc9ba03704e2250036ea53e54010e06179064994c68f3f69eeff9315862
    SHA512  474b3783323ca502cc2f46027e9f51516e7b4686a6a6467de303bd642be1bf7a6585260dccbb12a807819e647901e341734c0ea71e88bf830cbd6f915722eb28