xred | 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
Size

3.6MB
MD5

575b18de3bde4f0bac81569918c71040
SHA1

fedcaebb7ac62e2cc2f792a6efd7b5feadfd387c
SHA256

95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4
SHA512

c131d03c17da866ffbb97c56c1fd0798f12ed60c17253f6fdabbb77eadd3650b18d20ad6e16e938219e54899b32c412006d0a2ff2a5aecf4cf572df00d0df6fb
SSDEEP

49152:/YZnsHyjtk2MYC5GD/YKnsHyjtk2MYC5GDsYS1Q+09xqoWh5GisYxMGyN0F:QZnsmtk2a/Knsmtk2aGS6bRWTGZYaG8Q

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
2812	icsys.icn.exe
3008	explorer.exe
2772	spoolsv.exe
1700	svchost.exe
2284	spoolsv.exe
1952	Synaptics.exe
1256	._cache_Synaptics.exe
1944	._cache_synaptics.exe
1040	icsys.icn.exe
896	explorer.exe
340	Synaptics.exe
1500	._cache_Synaptics.exe
984	._cache_synaptics.exe
1056	icsys.icn.exe
1488	explorer.exe
1984	Synaptics.exe
2832	._cache_Synaptics.exe
1872	._cache_synaptics.exe
2768	icsys.icn.exe
1520	explorer.exe
2288	Synaptics.exe
2840	._cache_Synaptics.exe
3024	._cache_synaptics.exe
1760	icsys.icn.exe
2380	explorer.exe
2888	Synaptics.exe
800	._cache_Synaptics.exe
1884	._cache_synaptics.exe
872	icsys.icn.exe
1572	explorer.exe
1400	Synaptics.exe
1748	._cache_Synaptics.exe
2816	._cache_synaptics.exe
1880	icsys.icn.exe
1896	explorer.exe
3052	Synaptics.exe
1496	._cache_Synaptics.exe
1992	._cache_synaptics.exe
1796	icsys.icn.exe
2452	explorer.exe
2248	Synaptics.exe
1680	._cache_Synaptics.exe
2260	._cache_synaptics.exe
884	icsys.icn.exe
2456	explorer.exe
3000	Synaptics.exe
2844	._cache_Synaptics.exe
2120	._cache_synaptics.exe
1608	icsys.icn.exe
3044	explorer.exe
2308	Synaptics.exe
2528	._cache_Synaptics.exe
1244	._cache_synaptics.exe
1716	icsys.icn.exe
3064	explorer.exe
2460	Synaptics.exe
3036	._cache_Synaptics.exe
2864	._cache_synaptics.exe
1416	icsys.icn.exe
1240	explorer.exe
2236	Synaptics.exe
2152	._cache_Synaptics.exe
2376	._cache_synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
2812	icsys.icn.exe
2812	icsys.icn.exe
3008	explorer.exe
3008	explorer.exe
2772	spoolsv.exe
2772	spoolsv.exe
1700	svchost.exe
1700	svchost.exe
2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
1952	Synaptics.exe
1952	Synaptics.exe
1952	Synaptics.exe
1256	._cache_Synaptics.exe
1256	._cache_Synaptics.exe
1256	._cache_Synaptics.exe
1256	._cache_Synaptics.exe
1040	icsys.icn.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
340	Synaptics.exe
340	Synaptics.exe
340	Synaptics.exe
340	Synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
984	._cache_synaptics.exe
1500	._cache_Synaptics.exe
1500	._cache_Synaptics.exe
1056	icsys.icn.exe
984	._cache_synaptics.exe
984	._cache_synaptics.exe
1984	Synaptics.exe
1984	Synaptics.exe
1984	Synaptics.exe
1984	Synaptics.exe
2832	._cache_Synaptics.exe
2832	._cache_Synaptics.exe
1872	._cache_synaptics.exe
2832	._cache_Synaptics.exe
2832	._cache_Synaptics.exe
2768	icsys.icn.exe
1872	._cache_synaptics.exe
1872	._cache_synaptics.exe
2288	Synaptics.exe
2288	Synaptics.exe
2288	Synaptics.exe
2288	Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
3024	._cache_synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
1760	icsys.icn.exe
3024	._cache_synaptics.exe
3024	._cache_synaptics.exe
3024	._cache_synaptics.exe
2888	Synaptics.exe
2888	Synaptics.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	icsys.icn.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
1944	._cache_synaptics.exe
3008	explorer.exe
1700	svchost.exe
1700	svchost.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe
1944	._cache_synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3008	explorer.exe
1700	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1944	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
2812	icsys.icn.exe
2812	icsys.icn.exe
3008	explorer.exe
3008	explorer.exe
2772	spoolsv.exe
2772	spoolsv.exe
1700	svchost.exe
1700	svchost.exe
2284	spoolsv.exe
2284	spoolsv.exe
3008	explorer.exe
3008	explorer.exe
1256	._cache_Synaptics.exe
1256	._cache_Synaptics.exe
1848	EXCEL.EXE
1040	icsys.icn.exe
1040	icsys.icn.exe
896	explorer.exe
896	explorer.exe
1500	._cache_Synaptics.exe
1676	EXCEL.EXE
1500	._cache_Synaptics.exe
1056	icsys.icn.exe
1056	icsys.icn.exe
1488	explorer.exe
1488	explorer.exe
2832	._cache_Synaptics.exe
2832	._cache_Synaptics.exe
3020	EXCEL.EXE
2768	icsys.icn.exe
2768	icsys.icn.exe
1520	explorer.exe
1520	explorer.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2420	EXCEL.EXE
1760	icsys.icn.exe
1760	icsys.icn.exe
2380	explorer.exe
2380	explorer.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
1068	EXCEL.EXE
872	icsys.icn.exe
872	icsys.icn.exe
1572	explorer.exe
1572	explorer.exe
1748	._cache_Synaptics.exe
1748	._cache_Synaptics.exe
2608	EXCEL.EXE
1880	icsys.icn.exe
1880	icsys.icn.exe
1896	explorer.exe
1896	explorer.exe
1496	._cache_Synaptics.exe
1496	._cache_Synaptics.exe
2900	EXCEL.EXE
1796	icsys.icn.exe
1796	icsys.icn.exe
2452	explorer.exe
2452	explorer.exe
1680	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2180	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	30
PID 1156 wrote to memory of 2180	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	30
PID 1156 wrote to memory of 2180	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	30
PID 1156 wrote to memory of 2180	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	30
PID 1156 wrote to memory of 2812	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	31
PID 1156 wrote to memory of 2812	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	31
PID 1156 wrote to memory of 2812	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	31
PID 1156 wrote to memory of 2812	1156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	31
PID 2812 wrote to memory of 3008	2812	icsys.icn.exe	32
PID 2812 wrote to memory of 3008	2812	icsys.icn.exe	32
PID 2812 wrote to memory of 3008	2812	icsys.icn.exe	32
PID 2812 wrote to memory of 3008	2812	icsys.icn.exe	32
PID 3008 wrote to memory of 2772	3008	explorer.exe	33
PID 3008 wrote to memory of 2772	3008	explorer.exe	33
PID 3008 wrote to memory of 2772	3008	explorer.exe	33
PID 3008 wrote to memory of 2772	3008	explorer.exe	33
PID 2772 wrote to memory of 1700	2772	spoolsv.exe	34
PID 2772 wrote to memory of 1700	2772	spoolsv.exe	34
PID 2772 wrote to memory of 1700	2772	spoolsv.exe	34
PID 2772 wrote to memory of 1700	2772	spoolsv.exe	34
PID 1700 wrote to memory of 2284	1700	svchost.exe	35
PID 1700 wrote to memory of 2284	1700	svchost.exe	35
PID 1700 wrote to memory of 2284	1700	svchost.exe	35
PID 1700 wrote to memory of 2284	1700	svchost.exe	35
PID 2180 wrote to memory of 1952	2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	36
PID 2180 wrote to memory of 1952	2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	36
PID 2180 wrote to memory of 1952	2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	36
PID 2180 wrote to memory of 1952	2180	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe	36
PID 1700 wrote to memory of 1948	1700	svchost.exe	37
PID 1700 wrote to memory of 1948	1700	svchost.exe	37
PID 1700 wrote to memory of 1948	1700	svchost.exe	37
PID 1700 wrote to memory of 1948	1700	svchost.exe	37
PID 1952 wrote to memory of 1256	1952	Synaptics.exe	38
PID 1952 wrote to memory of 1256	1952	Synaptics.exe	38
PID 1952 wrote to memory of 1256	1952	Synaptics.exe	38
PID 1952 wrote to memory of 1256	1952	Synaptics.exe	38
PID 1256 wrote to memory of 1944	1256	._cache_Synaptics.exe	41
PID 1256 wrote to memory of 1944	1256	._cache_Synaptics.exe	41
PID 1256 wrote to memory of 1944	1256	._cache_Synaptics.exe	41
PID 1256 wrote to memory of 1944	1256	._cache_Synaptics.exe	41
PID 1256 wrote to memory of 1040	1256	._cache_Synaptics.exe	42
PID 1256 wrote to memory of 1040	1256	._cache_Synaptics.exe	42
PID 1256 wrote to memory of 1040	1256	._cache_Synaptics.exe	42
PID 1256 wrote to memory of 1040	1256	._cache_Synaptics.exe	42
PID 1040 wrote to memory of 896	1040	icsys.icn.exe	43
PID 1040 wrote to memory of 896	1040	icsys.icn.exe	43
PID 1040 wrote to memory of 896	1040	icsys.icn.exe	43
PID 1040 wrote to memory of 896	1040	icsys.icn.exe	43
PID 1944 wrote to memory of 340	1944	._cache_synaptics.exe	44
PID 1944 wrote to memory of 340	1944	._cache_synaptics.exe	44
PID 1944 wrote to memory of 340	1944	._cache_synaptics.exe	44
PID 1944 wrote to memory of 340	1944	._cache_synaptics.exe	44
PID 340 wrote to memory of 1500	340	Synaptics.exe	45
PID 340 wrote to memory of 1500	340	Synaptics.exe	45
PID 340 wrote to memory of 1500	340	Synaptics.exe	45
PID 340 wrote to memory of 1500	340	Synaptics.exe	45
PID 1500 wrote to memory of 984	1500	._cache_Synaptics.exe	47
PID 1500 wrote to memory of 984	1500	._cache_Synaptics.exe	47
PID 1500 wrote to memory of 984	1500	._cache_Synaptics.exe	47
PID 1500 wrote to memory of 984	1500	._cache_Synaptics.exe	47
PID 1500 wrote to memory of 1056	1500	._cache_Synaptics.exe	48
PID 1500 wrote to memory of 1056	1500	._cache_Synaptics.exe	48
PID 1500 wrote to memory of 1056	1500	._cache_Synaptics.exe	48
PID 1500 wrote to memory of 1056	1500	._cache_Synaptics.exe	48

C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
"C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156
- \??\c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
  c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1256
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:984
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1992
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2260
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        
        PID:2844
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2120
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        
        PID:3036
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2864
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        41⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        50⤵
        Adds Run key to start application
        
        PID:3316
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        53⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        54⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        53⤵
        
        PID:3800
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        54⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        50⤵
        
        PID:3368
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        47⤵
        
        PID:2328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        48⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        41⤵
        
        PID:1852
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        42⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        35⤵
        Executes dropped EXE
        
        PID:1416
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        33⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        29⤵
        Executes dropped EXE
        
        PID:1608
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        26⤵
        Executes dropped EXE
        
        PID:884
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2772
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
      - C:\Windows\SysWOW64\at.exe
        
        at 07:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1948
      - C:\Windows\SysWOW64\at.exe
        
        at 07:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3652
      - C:\Windows\SysWOW64\at.exe
        
        at 07:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3220

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2352

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2980

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2536

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2604

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:2804

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2000

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2300

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:1556

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3228

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
PID:3664

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCX96F2.tmp

Filesize
753KB

MD5
ceab064b6d1d8ba57444371889936da1

SHA1
ed748ba18c6dadf05e9a6aa008443d055375e71e

SHA256
6e0d8597ac91fcebce2757d5ccdff21f256c857b7a3ab06d7da3113ac24c6b3b

SHA512
c65afe84060cdf24a8ebca454eca6aa0eb73cb5898c6106dec490f2c37cbac6173d3ea5302812787ff137fea219b4d7506b68f193b4709aff03a46157fc82b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
1.7MB

MD5
bc95b2206dd7637fe20a16798c406745

SHA1
e77612a366109cd0359917b9a177aa114ba7ca83

SHA256
09b41d9c265effd7b2bc78cbaee81c3e977c718ddcedcb506f69ffa178eb5a74

SHA512
1d081aea628f10327649404114fa571cc87b053ae195a90ff5d4d59c21c8a932d716a32ea252aac324fa0c39bdab8c46bcc9fe85dccc7dc7312d1d22fb4f6540

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
2.4MB

MD5
6aea658a809df0b4e0f2b52204fa1e31

SHA1
a1819c28ce05dd8521d74dae1375ad9699791dc0

SHA256
ea4087068126db22d789769a45831897cdd3060ea0d7f6368f515b479dde1208

SHA512
9ed22b45fdbb4d17fce304d578b3387bfdf1fdca353c2011249987f25d264f443a3b6d1099449fb558f9821c634c2c0a4b5b16dda2c7a1b25076acb4d93c20d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKFkBDCM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1n1jaXR.xlsm

Filesize
23KB

MD5
319c3e9cad5768382d91bf281416a5d1

SHA1
6e88f2a3de6bb470c4f84a251f3d8bab345290db

SHA256
d8a5aca3e9bee0f4bf08b089cf204e89f7b432f90834c9f00cc9f876b2455c48

SHA512
01e46927e1770fd288e4ec70003d2240f719ff6063bbdf89ed9628f74a4101ad9d1e09acf237ffccde8d8331c676d6058c6929dc9811827c6b20bf997cf0a272

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1n1jaXR.xlsm

Filesize
28KB

MD5
3940adc3446d3ed1984e7e68fdfa04d5

SHA1
f4c0d767f26513c3e145ed0405a2e6077ef7435f

SHA256
85b9b5b200c17c55b7704dbd70e71b9b4f471e26b7c0862ccd987633e8d90fda

SHA512
f12f51d56986cd39917023f751872204213b4605b9fd8f4bc368060a142f8320e410642909ebe935e0d8b5500a9829f947cc7dff8960d5ba81bf1db40ac91c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1n1jaXR.xlsm

Filesize
29KB

MD5
7d9f2e176bae0e8bccfaf732c421ce62

SHA1
f5782e6bd9e30d4a0c552212db7324c47766e474

SHA256
7cb6085b877e4529fb054a6f059f25219686adc5aeccd2781fe758d45b7edcc5

SHA512
8938b5a07af6fafd7ffb8de890e48d3e936bc9f49ad0e01e7f99c10181ea5ee44e6e586a4e201ecb4824c2b2a3f9bdac48418a7d3dfbd7820f0ec4ba05f5037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1n1jaXR.xlsm

Filesize
26KB

MD5
e669d0d593e59c8b6e295845d80d5501

SHA1
db06495ee2397524b6977d0b53f0e5c7eae9f06d

SHA256
03191a38630b44cf575941fa7cc20d8005053c655036627d356d7b66b389a3d2

SHA512
828858e100aa4cb28b8204b3a9900c638a2d7212454f0b1edfaad3947279f7d917dfbc58dc3080c2081892f409acb6e415a89bdeff91548fa771647e5c77c025

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1n1jaXR.xlsm

Filesize
29KB

MD5
326917567b3386427602c92aa6fae767

SHA1
58855f637604865721b6d25b5e85b906e2f88721

SHA256
a3ccdeeea457099ab2f2f562941507586c5b16da80e0ed5f4542bd7d32e6c8a3

SHA512
16f58da5be111c33b2c43d812fc63c9f2f445527b31dbd810835f3513b9bfecc2c9369218229b4287c93b3d75659d29dcb781e52105b521480f921ee9be8fa8c

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
bd7b5016453c5b3414a4eb30747f0f5e

SHA1
f143f1bdaaafe645607024424dc8d8178ca89868

SHA256
a3a6970b431c34714ee58bccf9668115194262a7e39f19a58fd8d94249568aae

SHA512
82af27b4408c84bca5bad2737da410cb64f691131a603aad4aa4029d8b76194077118bd5147208d8a952248e0077de8db6c74aba247abefc6a1eadb2f0fbd139

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
3343be9774d2c669a6cd6f1296ebeae8

SHA1
cf675b229c99320d12201e2a1a3d7d32d26c8485

SHA256
efc65b4655e6adef136bf0413e6fe45f70fe990528887fac719f9a03e945a0e2

SHA512
f9048d3b02ed7ee56d48c9aa21e5ef2e7bfe1ae6a7517741238fc765568024de65fe82ac94e19e7ef8ac17666407462ed664be059db6b5f5c734f6f8780c14b1

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
640874120925ef1c721c4c1d05d2eec2

SHA1
d2d39b8044b00eb8da07ea935bbbab78cb47e132

SHA256
6e31e9a4400d31c989991851f884ecb60423bf46d612e4e76bc1640bfd3e5e1a

SHA512
67000aced61276e2a789aa1886e717bd9b619b403021f151f6f3e219eacfb3a70397d4a8233e8b27402faf492eea2ce20049399d15ba258bdeaffd2e4a4bee1e

Download Submit
C:\Users\Admin\Desktop\~$SyncHide.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
2.6MB

MD5
ffa2e235448687e2b7e37bb8a99f38c9

SHA1
153b873d572fb6bc8794f7aeec9c208d50182489

SHA256
e6edb39132b26125704af6d10cd43f9153cadafa9e8692b809749ef0bb973161

SHA512
32d3829bb1d0e0ac21b7cc3d3d3f0e71a5944ebccbdbe7837b0f8608a91859865cad7b26469ff230a2c7720d2f19784ae51cc62cc27c86553d01451cb72d792b

Download Submit
\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe

Filesize
3.4MB

MD5
b7de67b0a46cb2b9323b251d34d34708

SHA1
993564e1f3bde5422da5b8e74711868725e2c9df

SHA256
4c3a7ee11791b181152ba80fc0c29eef05f6a6617aff56ef0edbb4919fde9581

SHA512
b407a869cc5b5e86afff7bbfb24ee4c060cd4600d2fc5ef88de3c804299edcf63a0376209a6f2a9175da659608c12ddf0cea5225106646b83dbda10103fdf25f

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
d497d3b809081be4453371fc27ccbc01

SHA1
09db0b80333305cc955cb0ff44bb54d7b6b4beed

SHA256
b005566868b9cbbfc7625d96a0c92564ddd443ae88bd20d308e2574dc6f2c5a5

SHA512
ba3fad2d4b8a281c5f4780dc51544dd5d0e4f170c6ddf5d22e4da6aff140b0282b7d66eddd1c6b099a8239e727b7ac8ba5779f30553de38e9e69217bcf3344bc

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
aab0bba378cd7ab1a93be9d88cc6ff85

SHA1
5c7e1219c1764a67d0c30189b241dc8a5ee5cb0e

SHA256
bcc4bcf4073cd159287ee8ff3ae8eac2249b61ec466694d97247d0bc3eef999e

SHA512
a7a81242eff7986a5efa08f7c365ee893aedfae8432d4d99b44754c512b29e54614b756c75f44ddf522c6ddd688dd625ce1f15a90f38696294edc573328f7830

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
a51caca9ecce10aba5af422f736e0a79

SHA1
21db5c7af44185932250e3420ce3dcc686f26365

SHA256
cc88ceef834da3e9dc8094fd93f811946ba3392c10661c2174f67f28e30f7f13

SHA512
e5d303ebd8a853c2b92e529d6993b5cc116fcdffaabc7d423fbfad8a98c919f41c3352404a7d788b635ae96ee8e892b3b74d631a65e7f127432258897561e3ac

Download Submit
memory/340-182-0x0000000004280000-0x00000000042C1000-memory.dmp

Filesize
260KB

Download
memory/340-179-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/340-200-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/556-798-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/800-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-316-0x0000000003140000-0x0000000003181000-memory.dmp

Filesize
260KB

Download
memory/872-320-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/872-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-458-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/896-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/984-198-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/984-232-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1040-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-170-0x0000000002C30000-0x0000000002C71000-memory.dmp

Filesize
260KB

Download
memory/1040-152-0x0000000002C30000-0x0000000002C71000-memory.dmp

Filesize
260KB

Download
memory/1056-225-0x0000000002510000-0x0000000002551000-memory.dmp

Filesize
260KB

Download
memory/1056-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-22-0x0000000002820000-0x0000000002861000-memory.dmp

Filesize
260KB

Download
memory/1156-23-0x0000000002820000-0x0000000002861000-memory.dmp

Filesize
260KB

Download
memory/1156-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-596-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1244-554-0x00000000028E0000-0x0000000002921000-memory.dmp

Filesize
260KB

Download
memory/1256-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-344-0x00000000041C0000-0x0000000004201000-memory.dmp

Filesize
260KB

Download
memory/1400-367-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1400-343-0x00000000020B0000-0x00000000020F1000-memory.dmp

Filesize
260KB

Download
memory/1488-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-407-0x0000000003250000-0x0000000003291000-memory.dmp

Filesize
260KB

Download
memory/1496-408-0x0000000003250000-0x0000000003291000-memory.dmp

Filesize
260KB

Download
memory/1500-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-208-0x0000000002880000-0x00000000028C1000-memory.dmp

Filesize
260KB

Download
memory/1500-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-203-0x0000000002880000-0x00000000028C1000-memory.dmp

Filesize
260KB

Download
memory/1520-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-505-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1680-452-0x0000000002660000-0x00000000026A1000-memory.dmp

Filesize
260KB

Download
memory/1680-453-0x0000000002660000-0x00000000026A1000-memory.dmp

Filesize
260KB

Download
memory/1680-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1700-483-0x00000000026D0000-0x0000000002711000-memory.dmp

Filesize
260KB

Download
memory/1700-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-563-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1748-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-360-0x00000000030D0000-0x0000000003111000-memory.dmp

Filesize
260KB

Download
memory/1748-361-0x00000000030D0000-0x0000000003111000-memory.dmp

Filesize
260KB

Download
memory/1760-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-285-0x0000000001D60000-0x0000000001DA1000-memory.dmp

Filesize
260KB

Download
memory/1768-854-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1796-412-0x0000000002AD0000-0x0000000002B11000-memory.dmp

Filesize
260KB

Download
memory/1796-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-126-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1864-871-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1872-255-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1880-366-0x0000000000550000-0x0000000000591000-memory.dmp

Filesize
260KB

Download
memory/1880-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-311-0x0000000000810000-0x0000000000851000-memory.dmp

Filesize
260KB

Download
memory/1884-342-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1896-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-177-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1952-150-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1952-118-0x00000000042D0000-0x0000000004311000-memory.dmp

Filesize
260KB

Download
memory/1984-233-0x0000000004280000-0x00000000042C1000-memory.dmp

Filesize
260KB

Download
memory/1984-244-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1992-402-0x0000000002A20000-0x0000000002A61000-memory.dmp

Filesize
260KB

Download
memory/1992-433-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2044-825-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2120-538-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2120-494-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2180-99-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/2180-71-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2180-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2236-683-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2248-436-0x0000000004360000-0x00000000043A1000-memory.dmp

Filesize
260KB

Download
memory/2248-459-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2248-434-0x00000000006C0000-0x0000000000701000-memory.dmp

Filesize
260KB

Download
memory/2248-435-0x0000000004360000-0x00000000043A1000-memory.dmp

Filesize
260KB

Download
memory/2260-480-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2260-447-0x00000000020C0000-0x0000000002101000-memory.dmp

Filesize
260KB

Download
memory/2284-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-256-0x0000000004280000-0x00000000042C1000-memory.dmp

Filesize
260KB

Download
memory/2288-257-0x0000000004280000-0x00000000042C1000-memory.dmp

Filesize
260KB

Download
memory/2288-275-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/2308-540-0x0000000004190000-0x00000000041D1000-memory.dmp

Filesize
260KB

Download
memory/2308-541-0x0000000004190000-0x00000000041D1000-memory.dmp

Filesize
260KB

Download
memory/2308-539-0x0000000000680000-0x00000000006C1000-memory.dmp

Filesize
260KB

Download
memory/2308-581-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2376-710-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2380-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-628-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2464-742-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2528-558-0x00000000030C0000-0x0000000003101000-memory.dmp

Filesize
260KB

Download
memory/2528-542-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-248-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/2772-78-0x0000000003170000-0x00000000031B1000-memory.dmp

Filesize
260KB

Download
memory/2772-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-37-0x0000000003240000-0x0000000003281000-memory.dmp

Filesize
260KB

Download
memory/2812-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-355-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/2816-388-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2832-240-0x0000000002700000-0x0000000002741000-memory.dmp

Filesize
260KB

Download
memory/2832-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-499-0x0000000002690000-0x00000000026D1000-memory.dmp

Filesize
260KB

Download
memory/2844-500-0x0000000002690000-0x00000000026D1000-memory.dmp

Filesize
260KB

Download
memory/2860-769-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2864-655-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2888-300-0x0000000004180000-0x00000000041C1000-memory.dmp

Filesize
260KB

Download
memory/2888-321-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/2888-298-0x0000000000810000-0x0000000000851000-memory.dmp

Filesize
260KB

Download
memory/2888-299-0x0000000004180000-0x00000000041C1000-memory.dmp

Filesize
260KB

Download
memory/3000-508-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3000-482-0x00000000041C0000-0x0000000004201000-memory.dmp

Filesize
260KB

Download
memory/3008-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-63-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/3008-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-297-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3044-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-389-0x0000000000780000-0x00000000007C1000-memory.dmp

Filesize
260KB

Download
memory/3052-391-0x00000000042D0000-0x0000000004311000-memory.dmp

Filesize
260KB

Download
memory/3052-390-0x00000000042D0000-0x0000000004311000-memory.dmp

Filesize
260KB

Download
memory/3052-416-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3152-899-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3316-928-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3580-957-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/3748-984-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/4008-1067-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4008-1101-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4068-1066-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download