Analysis Overview
SHA256: 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34
Threat Level: Known bad
The file 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xred family
Xworm
Xred
Detect Xworm Payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2025-01-03 03:26 |
Signatures
Xred family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2025-01-03 03:26 |
| Reported | 2025-01-03 03:29 |
| Platform | win7-20240903-en |
| Max time kernel | 141s |
| Max time network | 149s |
| Command Line | N/A |
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xred
Xred family
Xworm
Xworm family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | "C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe" |
| C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate |
| C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate |
| C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | "C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe" |
| C:\Users\Admin\AppData\Roaming\svchost.exe | "C:\Users\Admin\AppData\Roaming\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe" |
| C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {2FB4EE14-A790-4046-B9CB-7317EB1152D1} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1] |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| TH | 45.141.26.134:7000 | N/A | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe
| Hash | Value |
| --- | --- |
| MD5 | adc3667c6060dfdcb6f41bd2b01c31a3 |
| SHA1 | 54c39168b2d76c54f62f9ba266754581ff599d2d |
| SHA256 | bab41ee900b96a6c768996d935ba44c391c14003c30a278a8ac1e32ebe49a1a6 |
| SHA512 | f57a33b28854855eb00ebdd3b0bc8b644bfbacbad9eb2a66364a662640d237202613ff43348cf405c28f6045855d97ca6928da4fc88906ec47bce2282530d726 |
C:\ProgramData\Synaptics\Synaptics.exe
| Hash | Value |
| --- | --- |
| MD5 | 100620cd1016f9b7aed030b8eced2afd |
| SHA1 | f98f52d52fa58ea5d9b179d28422109958e1b3e2 |
| SHA256 | 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34 |
| SHA512 | b092244989f027692ee5cc4475611469c8ead213dde075493a6f6a5d3b81371d428958617c58a6c16dbadf75cb878fe279c0140f1629a169392e5f14e6c0f08d |
C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
| Hash | Value |
| --- | --- |
| MD5 | 15dc7dde51858f43e9845f72213c042d |
| SHA1 | b38343e5a2237127be195c758cbd7a403e876a7e |
| SHA256 | f71edea8c4ae6c4c3a44f352e9d6cb89124fea7c7fc48e1585bb11d7bbefd74b |
| SHA512 | 322ed64c448e3ad02d83b2c48a2927230647073ffd020aceb4868de8e783b57446a7274099cdf58cf4bf02a125284990b5bc8be20bed548fd7c34354bcf37182 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 9f3ee8aef394f4fdb98ead98ec6c1f9b |
| SHA1 | c84a6c4f0a9d0060eacf0a4d5cd46d3955bec846 |
| SHA256 | 3a6bbe08bb25bb2612f38d254f484e51f69182b3d0fa876660887ed57575a361 |
| SHA512 | e5f7a6494c0d53388314dcf8cac5016d7ec7936f1ca91ae4af936749ac164dbd11046dd56e704e03b609e74b9a8698d235c2ca82e9587d610d028f3fa047ead8 |
\??\PIPE\srvsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 5390ed74a0c3c880fdd6d0e2d135bfe1 |
| SHA1 | 0dbe542e0fe98e17e877f2e5d1dd6dc252943f41 |
| SHA256 | 48ca5393cc5f72125e9677a9833e86b4bd65aa4a9c167c6171a2d38359b100d9 |
| SHA512 | 54699e0c3dba1d2df00aca934264fbf728bc2185024d577f3ce2325a9a04467e5b52d15e5f3a5689fe839afa48175765d55f941879076de8012f4bb84fab9cd7 |
C:\Users\Admin\AppData\Local\Temp\qlDuBQDT.xlsm
| Hash | Value |
| --- | --- |
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2025-01-03 03:26 |
| Reported | 2025-01-03 03:29 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 141s |
| Max time network | 151s |
| Command Line | N/A |
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xred
Xred family
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | "C:\Users\Admin\AppData\Local\Temp\457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe" |
| C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate |
| C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | "C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe" |
| C:\Users\Admin\AppData\Roaming\svchost.exe | "C:\Users\Admin\AppData\Roaming\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate |
| C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe | "C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe" |
| C:\Users\Admin\AppData\Roaming\svchost.exe | "C:\Users\Admin\AppData\Roaming\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe" |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
| C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
| C:\Users\Admin\svchost.exe | C:\Users\Admin\svchost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| TH | 45.141.26.134:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 134.26.141.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\._cache_457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34.exe
| Hash | Value |
| --- | --- |
| MD5 | adc3667c6060dfdcb6f41bd2b01c31a3 |
| SHA1 | 54c39168b2d76c54f62f9ba266754581ff599d2d |
| SHA256 | bab41ee900b96a6c768996d935ba44c391c14003c30a278a8ac1e32ebe49a1a6 |
| SHA512 | f57a33b28854855eb00ebdd3b0bc8b644bfbacbad9eb2a66364a662640d237202613ff43348cf405c28f6045855d97ca6928da4fc88906ec47bce2282530d726 |
C:\ProgramData\Synaptics\Synaptics.exe
| Hash | Value |
| --- | --- |
| MD5 | 100620cd1016f9b7aed030b8eced2afd |
| SHA1 | f98f52d52fa58ea5d9b179d28422109958e1b3e2 |
| SHA256 | 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34 |
| SHA512 | b092244989f027692ee5cc4475611469c8ead213dde075493a6f6a5d3b81371d428958617c58a6c16dbadf75cb878fe279c0140f1629a169392e5f14e6c0f08d |
C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
| Hash | Value |
| --- | --- |
| MD5 | 15dc7dde51858f43e9845f72213c042d |
| SHA1 | b38343e5a2237127be195c758cbd7a403e876a7e |
| SHA256 | f71edea8c4ae6c4c3a44f352e9d6cb89124fea7c7fc48e1585bb11d7bbefd74b |
| SHA512 | 322ed64c448e3ad02d83b2c48a2927230647073ffd020aceb4868de8e783b57446a7274099cdf58cf4bf02a125284990b5bc8be20bed548fd7c34354bcf37182 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 9f3ee8aef394f4fdb98ead98ec6c1f9b |
| SHA1 | c84a6c4f0a9d0060eacf0a4d5cd46d3955bec846 |
| SHA256 | 3a6bbe08bb25bb2612f38d254f484e51f69182b3d0fa876660887ed57575a361 |
| SHA512 | e5f7a6494c0d53388314dcf8cac5016d7ec7936f1ca91ae4af936749ac164dbd11046dd56e704e03b609e74b9a8698d235c2ca82e9587d610d028f3fa047ead8 |
C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 5390ed74a0c3c880fdd6d0e2d135bfe1 |
| SHA1 | 0dbe542e0fe98e17e877f2e5d1dd6dc252943f41 |
| SHA256 | 48ca5393cc5f72125e9677a9833e86b4bd65aa4a9c167c6171a2d38359b100d9 |
| SHA512 | 54699e0c3dba1d2df00aca934264fbf728bc2185024d577f3ce2325a9a04467e5b52d15e5f3a5689fe839afa48175765d55f941879076de8012f4bb84fab9cd7 |
C:\Users\Admin\AppData\Local\Temp\fNjfg1sA.xlsm
| Hash | Value |
| --- | --- |
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
C:\Users\Admin\AppData\Local\Temp\7FF75E00
| Hash | Value |
| --- | --- |
| MD5 | a5440ced2d5cfd587c97b88c26baa99c |
| SHA1 | e6186207e3cf7e7c43f89036ed207a82f9f609c4 |
| SHA256 | d9040fc44ebc4bf5798c334d1e83622fd2616602a54c57510c742ad617184024 |
| SHA512 | f22a9e1400bc0d2b20d5afd49a9fa225846df534d9edf2c9570abfe628310c6049a0fe4d5b1249d709d2b3faac6716cfde6aaa9cc4f0aa67697ac7dc318d4df9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |