Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-bd1gbasqcy
Target dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
SHA256 dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
Tags: xred backdoor discovery macro persistence evasion
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa

Threat Level: Known bad

The file dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery macro persistence evasion

Modifies visibility of hidden/system files in Explorer

Xred family

Xred

Suspicious Office macro

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 01:02

Signatures

Xred family

xred

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 01:02

Reported

2025-01-03 01:05

Platform

win7-20241010-en

Max time kernel

142s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Suspicious Office macro

macro

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 2828 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 2828 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 2828 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 3008 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 3008 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 3008 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 3008 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 2828 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2828 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2828 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2828 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1944 wrote to memory of 828 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1944 wrote to memory of 828 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1944 wrote to memory of 828 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1944 wrote to memory of 828 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 828 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 828 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 828 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 828 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

Processes

C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

"C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

\??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 gtccheats.shop udp
US 8.8.8.8:53 gtccheats.shop udp
US 156.67.75.88:443 gtccheats.shop tcp
US 156.67.75.88:443 gtccheats.shop tcp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp

Files

memory/2828-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

MD5 391ae2a331ac042af3375a8bec61c542
SHA1 2b4ac01d34886e81d492e9b5ce8e0c3867378241
SHA256 ab3c3cfc26b066a0118eb29d96751d60f078dbd432b6f2faa6ecdf5b14b8d96e
SHA512 c4bd6e66c0a220b2a5e0f4684c85d0a201d9b6ba54fd7a64d47bf3d1851b3d361b3c18f1917c34f68239c47ee31cb414dc4bc3607f8167116ca0b7bfa251ccb5

memory/2828-5-0x00000000042B0000-0x00000000042CF000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 955b5c84e9db2eba7f71d15229611e54
SHA1 803fb7d591b378efb2f33f3f4596b41d488edb34
SHA256 dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
SHA512 318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516

\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

MD5 d440e40758c321682e212e61e6bf297e
SHA1 ad0e6fd020d5619a76789e7dc4c51503aa51c854
SHA256 03afa67e7c0bebf918c799b844b7ef8f9eb7f982caf6de5f62710e92484cc104
SHA512 7456186ef64e682cd6e90bb3598e1c90bd17cc0f0616dbb113c596496a8603973930eca7c5e9b4b5dc12f69456b234b90e500ae60e8cc5a9abb3ff7f4ee5b0bc

memory/2828-36-0x0000000000400000-0x0000000000690000-memory.dmp

memory/2932-39-0x00000000009A0000-0x0000000000B50000-memory.dmp

memory/1944-45-0x00000000042A0000-0x00000000042BF000-memory.dmp

memory/2932-46-0x00000000003D0000-0x00000000003EA000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 b2b0f7ed52405ce562cdf3fc98642fc4
SHA1 ea849492e1f78495de05274e86166d949f3c5d52
SHA256 99540984de3d492d34879a243e04d9ed1c64babe9f41fbaab6ab60bab54083a7
SHA512 e63923a1db48345a393f2ae786e54ddc6cd1657d33b6f72df13a5034a17d127671d88ddf6f71e5b97ee3ec597fd966ce450d872db6b7bdf3d181b8c9010caa01

memory/2624-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1768-59-0x00000000000E0000-0x0000000000290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GubKff35.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\GubKff35.xlsm

MD5 1659047ccd57bc438c71a0974475c299
SHA1 36e09a2d4bd671b4775a1cab6707f2571a8caa71
SHA256 86cfb13a1e329955b5f37c7b9e2d529b0ec6715ea2b29cd0c83adfb33a1aaa02
SHA512 c1be34510dbdd648d0c93b2f46164fd20cd8777ebf834780cb8ecf2b2f8e9298c4c60e57320fb60d70f191a11d05b0b2a29f773b689d29e2dc3366ba080ae61c

memory/2624-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3008-102-0x0000000000400000-0x000000000041F000-memory.dmp

memory/828-103-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1944-104-0x0000000000400000-0x0000000000690000-memory.dmp

memory/1944-139-0x0000000000400000-0x0000000000690000-memory.dmp

memory/1944-141-0x00000000042A0000-0x00000000042BF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 01:02

Reported

2025-01-03 01:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4764 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 4764 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 1144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
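The table above logs the same parent/child pair two or three times because process creation issues several WriteProcessMemory calls into the new child; the spawn chain is easier to see once those are collapsed. The script below is an added example, not part of the sandbox report: it parses the rows copied from the table, rebuilds the tree rooted at the submitted sample (PID 632), and flags every process whose image borrows the name of a Windows system binary (explorer.exe, spoolsv.exe, svchost.exe) from a directory where that binary never lives. It assumes the report's column order (Description, Indicator, Process, Target) and image paths without embedded spaces.

```python
"""Rebuild the spawn tree from a 'Suspicious use of WriteProcessMemory' table.

Added example; not part of the original sandbox report. The rows are copied
from the table above. Assumptions: the report's column order
(Description, Indicator, Process, Target) and image paths without spaces.
"""
import re
from collections import OrderedDict

WPM_ROWS = r"""
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 632 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4764 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 4764 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4548 wrote to memory of 1144 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
PID 1144 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4764 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4916 wrote to memory of 3512 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3512 wrote to memory of 4836 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4836 wrote to memory of 4068 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2068 wrote to memory of 1992 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
    r"(?P<indicator>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)

# The only locations of the real binaries with these names (lower-case).
# Any other path with the same basename is masquerading.
SYSTEM_IMAGES = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "spoolsv.exe": r"c:\windows\system32\spoolsv.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
}


def parse_wpm_rows(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) edges in report order.

    Process creation writes into the new child more than once, so the sandbox
    logs each edge two or three times; collapsing on (src, dst) leaves one
    edge per spawn.
    """
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges.setdefault((int(m["src"]), int(m["dst"])), (m["process"], m["target"]))
    return [(s, d, p, t) for (s, d), (p, t) in edges.items()]


def build_tree(edges):
    """Map pid -> [child pids] (report order) and pid -> image path."""
    children, images = {}, {}
    for s, d, p, t in edges:
        children.setdefault(s, []).append(d)
        images.setdefault(s, p)
        images[d] = t
    return children, images


def roots(edges):
    """PIDs that wrote to others but were never written to: the submitted sample."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render_tree(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


def masquerading(images):
    """(pid, path) for images that use a system binary's name from the wrong directory."""
    hits = []
    for pid, path in images.items():
        p = path.lower()
        if p.startswith("\\??\\"):  # NT object-manager prefix as logged by the sandbox
            p = p[4:]
        expected = SYSTEM_IMAGES.get(p.rsplit("\\", 1)[-1])
        if expected and p != expected:
            hits.append((pid, path))
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render_tree(children, images, root)))
    for pid, path in masquerading(images):
        print(f"masquerade: pid {pid} -> {path}")
```

Run stand-alone it prints two branches under PID 632: the extracted `._cache_` copy, which spawns icsys.icn.exe and then the explorer.exe, spoolsv.exe and svchost.exe look-alikes under C:\Windows\Resources, and the C:\ProgramData\Synaptics\Synaptics.exe copy, which repeats the same pattern. The masquerade check is the reusable part: in EDR telemetry, a process named svchost.exe or spoolsv.exe whose image is not under C:\Windows\System32 (or explorer.exe not at C:\Windows\explorer.exe) needs no hash to be worth an alert.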

Processes

C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

"C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

\??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 gtccheats.shop udp
US 156.67.75.88:443 gtccheats.shop tcp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 156.67.75.88:443 gtccheats.shop tcp
US 8.8.8.8:53 88.75.67.156.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
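Most rows in this table are sandbox noise (reverse lookups of addresses already contacted, an mDNS query to 224.0.0.251, an unanswered query with no name) or shared infrastructure (docs.google.com, drive.usercontent.google.com, the c.pki.goog/o.pki.goog CRL and OCSP endpoints), and only a few are the sample's own contacts: gtccheats.shop, xred.mooo.com and freedns.afraid.org. The script below is an added example, not part of the report; it parses the rows copied from the table and sorts them into those three buckets with rules that are this example's own assumptions. Two caveats a practitioner should keep in mind: xred.mooo.com is a dynamic-DNS name served through freedns.afraid.org, so its resolved address can change and the name is the stable indicator, and the Google hosts cannot be blocklisted, so the detection there is the unsigned process making the request rather than the destination.

```python
"""Triage a sandbox Network table into the sample's own contacts, shared
services and sandbox noise.

Added example; not part of the original report. Rows are copied from the
table above. The category rules are this example's own assumptions:
reverse (in-addr.arpa) lookups, multicast and blank-domain rows are noise;
Google Docs/Drive and *.pki.goog are shared infrastructure; everything
else is a candidate indicator.
"""
import ipaddress

RESOLVER = "8.8.8.8:53"  # sandbox DNS server: rows to it are queries, not C2 traffic
SHARED_SERVICES = {"docs.google.com", "drive.usercontent.google.com"}

NETWORK_ROWS = """
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 gtccheats.shop udp
US 156.67.75.88:443 gtccheats.shop tcp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 156.67.75.88:443 gtccheats.shop tcp
US 8.8.8.8:53 88.75.67.156.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
"""


def parse_rows(text):
    """Yield (country, destination, domain, proto); domain is '' when the column is empty."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)
        elif len(parts) == 3:  # no domain column: mDNS, or a lookup the sandbox left blank
            yield parts[0], parts[1], "", parts[2]
        else:
            raise ValueError(f"unparsed row: {line!r}")


def categorize(domain, destination):
    ip = ipaddress.ip_address(destination.rsplit(":", 1)[0])
    if ip.is_multicast or domain == "" or domain.endswith(".in-addr.arpa"):
        return "noise"
    if domain in SHARED_SERVICES or domain.endswith(".pki.goog"):
        return "shared"
    return "ioc"


def triage(text):
    """Return {category: {domain: set(endpoints)}}; endpoints exclude the resolver."""
    out = {"ioc": {}, "shared": {}, "noise": {}}
    for _country, dest, domain, _proto in parse_rows(text):
        endpoints = out[categorize(domain, dest)].setdefault(domain, set())
        if dest != RESOLVER:
            endpoints.add(dest)
    return out


def indicators(text):
    """Flat, de-duplicated list of domains and IPs for a blocklist or hunt query."""
    found = set()
    for domain, endpoints in triage(text)["ioc"].items():
        found.add(domain)
        found.update(e.rsplit(":", 1)[0] for e in endpoints)
    return sorted(found)


if __name__ == "__main__":
    for category, entries in triage(NETWORK_ROWS).items():
        print(category)
        for domain, endpoints in entries.items():
            print(f"  {domain or '(no name)'}: {sorted(endpoints) or '-'}")
    print("indicators:", indicators(NETWORK_ROWS))
```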

Files

memory/632-0-0x0000000002630000-0x0000000002631000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

MD5 391ae2a331ac042af3375a8bec61c542
SHA1 2b4ac01d34886e81d492e9b5ce8e0c3867378241
SHA256 ab3c3cfc26b066a0118eb29d96751d60f078dbd432b6f2faa6ecdf5b14b8d96e
SHA512 c4bd6e66c0a220b2a5e0f4684c85d0a201d9b6ba54fd7a64d47bf3d1851b3d361b3c18f1917c34f68239c47ee31cb414dc4bc3607f8167116ca0b7bfa251ccb5

memory/4764-60-0x0000000000400000-0x000000000041F000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 955b5c84e9db2eba7f71d15229611e54
SHA1 803fb7d591b378efb2f33f3f4596b41d488edb34
SHA256 dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
SHA512 318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516

memory/632-133-0x0000000000400000-0x0000000000690000-memory.dmp

memory/4548-134-0x00000000022E0000-0x00000000022E1000-memory.dmp

\??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

MD5 d440e40758c321682e212e61e6bf297e
SHA1 ad0e6fd020d5619a76789e7dc4c51503aa51c854
SHA256 03afa67e7c0bebf918c799b844b7ef8f9eb7f982caf6de5f62710e92484cc104
SHA512 7456186ef64e682cd6e90bb3598e1c90bd17cc0f0616dbb113c596496a8603973930eca7c5e9b4b5dc12f69456b234b90e500ae60e8cc5a9abb3ff7f4ee5b0bc

memory/672-196-0x000001DCD2290000-0x000001DCD2440000-memory.dmp

memory/672-197-0x000001DCD2810000-0x000001DCD282A000-memory.dmp

memory/1144-201-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 b2b0f7ed52405ce562cdf3fc98642fc4
SHA1 ea849492e1f78495de05274e86166d949f3c5d52
SHA256 99540984de3d492d34879a243e04d9ed1c64babe9f41fbaab6ab60bab54083a7
SHA512 e63923a1db48345a393f2ae786e54ddc6cd1657d33b6f72df13a5034a17d127671d88ddf6f71e5b97ee3ec597fd966ce450d872db6b7bdf3d181b8c9010caa01

memory/3848-207-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/3848-211-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/3848-210-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/3848-212-0x00007FF843660000-0x00007FF843670000-memory.dmp

memory/3848-209-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/3848-208-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

memory/3848-217-0x00007FF843660000-0x00007FF843670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LLZ3UmW8.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Windows\Resources\Themes\explorer.exe

MD5 68a42b15f0ab89f3c39a0ec47795f483
SHA1 ab075899b447d233ce4b263956414baba183dec9
SHA256 f20e051792addb4f7f2325777b2c3673b5ae828619329d31e6387667e394bfb2
SHA512 7b3af64c4fe15b0205fd810714ebd948f34e36f8fe26ca4ef9f11b8185f41b60f4c0d9d2822786e3914925456a6fbabd40483e807abbc87635a08911fb9a479a

C:\Windows\Resources\spoolsv.exe

MD5 bd1d1f414bf4e81a3692effa9d4e7043
SHA1 d60b5ceea252e8eddb5918be9fab8a7fc76a893a
SHA256 ed86bc3270b626487256aea938588e0024aa4d4cc461dd45c360f6a3fcecc50d
SHA512 b30ecb900f7b8b7f42e9acc1edc8a0a9bda2b005d13bab695a710952f95dd68d935a5f32348951242b9f359061789a6cdd52d8677c7a32d764d9714a03e37cfc

memory/4548-250-0x00000000022E0000-0x00000000022E1000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 ccb6d445ec8d7fea637916d1c3ecf147
SHA1 f058c1d4b2a111a0ba941e2f5e78836b6123400c
SHA256 34ed03ad2f71ee7f4098e1027efc66062a7e9e476be6d9f6102cbd6dcc7f65a2
SHA512 a192cc6e6f7107c2b1d3a821c1ec76122ec2dba041bdceaa9842ce58c3a96d4b8424d97222e1f47cd28ffa0cca2d77ac53b17a341e6f8002fe3f8ea2ee6c1183

memory/4068-267-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1680-269-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3512-268-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4764-270-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4548-271-0x0000000000400000-0x0000000000690000-memory.dmp

memory/1992-283-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2068-284-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1144-285-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4548-314-0x0000000000400000-0x0000000000690000-memory.dmp

memory/4916-316-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4836-317-0x0000000000400000-0x000000000041F000-memory.dmp
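Two things in the Files list matter for a host sweep: C:\ProgramData\Synaptics\Synaptics.exe has the same SHA256 as the submitted sample (the dropper copies itself there), and the other four executables land in C:\Windows\Resources and C:\Windows\Resources\Themes, directories that hold theme data and never executables, so their mere presence is a finding even if a later build changes the bytes. The script below is an added example, not part of the report. It carries the fixed-location path/SHA256 pairs copied from the list above (the per-user Temp artifacts are left out because their names vary per run), takes the volume root as an argument so it can run against a mounted image, and includes a constructed fixture directory for a dry run. The verdict rules are this example's own; it checks files only, not registry persistence.

```python
"""Sweep a Windows volume for the fixed-location artifacts listed under Files.

Added example; not from the report. Path/SHA256 pairs are copied from the
Files section above. scan(root) takes the volume root as an argument so it
can be pointed at a mounted image or, as in make_demo_root(), at a
constructed test directory. The verdict rules are this example's own.
"""
import hashlib
import os
import tempfile

# Relative to the volume root. No legitimate executable lives under
# Windows\Resources, so presence alone is a finding even when the hash differs.
DROPPED_FILES = {
    r"ProgramData\Synaptics\Synaptics.exe": "dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa",
    r"Windows\Resources\Themes\icsys.icn.exe": "99540984de3d492d34879a243e04d9ed1c64babe9f41fbaab6ab60bab54083a7",
    r"Windows\Resources\Themes\explorer.exe": "f20e051792addb4f7f2325777b2c3673b5ae828619329d31e6387667e394bfb2",
    r"Windows\Resources\spoolsv.exe": "ed86bc3270b626487256aea938588e0024aa4d4cc461dd45c360f6a3fcecc50d",
    r"Windows\Resources\svchost.exe": "34ed03ad2f71ee7f4098e1027efc66062a7e9e476be6d9f6102cbd6dcc7f65a2",
}


def sha256_file(path):
    """Stream the file so large drops do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return one finding per listed artifact that exists under root."""
    findings = []
    for rel, expected in DROPPED_FILES.items():
        path = os.path.join(root, *rel.split("\\"))  # portable join, also on POSIX
        if not os.path.isfile(path):
            continue
        actual = sha256_file(path)
        findings.append({"path": path, "sha256": actual, "hash_match": actual == expected})
    return findings


def verdict(findings):
    if any(f["hash_match"] for f in findings):
        return "infected"    # byte-identical to a file this sample dropped
    if findings:
        return "suspicious"  # right location, different bytes: variant or partial cleanup
    return "clean"


def make_demo_root():
    """Constructed fixture: a decoy svchost.exe in the dropper's directory, not the malware."""
    root = tempfile.mkdtemp(prefix="xred-sweep-")
    os.makedirs(os.path.join(root, "Windows", "Resources"))
    with open(os.path.join(root, "Windows", "Resources", "svchost.exe"), "wb") as fh:
        fh.write(b"decoy content, not the sample")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_root()
    found = scan(target)
    for f in found:
        print(f"{'MATCH  ' if f['hash_match'] else 'PRESENT'} {f['path']} {f['sha256']}")
    print("verdict:", verdict(found))
```

Point it at a mounted volume with `python sweep.py /mnt/evidence` (or `C:\` on a live host). Hash equality means the exact drop from this detonation; a hit with a different hash still deserves triage, because the location is wrong for any executable, and a "clean" result only says these five files are absent, not that the Run-key persistence or the per-user Temp copies are.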