xred | 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_synaptics.exe

Executes dropped EXE 64 IoCs

pid	Process
4156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
1060	icsys.icn.exe
4544	explorer.exe
1720	spoolsv.exe
4956	svchost.exe
2264	spoolsv.exe
1156	Synaptics.exe
4116	._cache_Synaptics.exe
3484	._cache_synaptics.exe
3760	icsys.icn.exe
3616	explorer.exe
1468	Synaptics.exe
1436	._cache_Synaptics.exe
3820	._cache_synaptics.exe
3244	icsys.icn.exe
4100	explorer.exe
2308	Synaptics.exe
5004	._cache_Synaptics.exe
3428	._cache_synaptics.exe
4028	icsys.icn.exe
4260	explorer.exe
4736	Synaptics.exe
4232	._cache_Synaptics.exe
4520	._cache_synaptics.exe
1380	icsys.icn.exe
4656	explorer.exe
116	Synaptics.exe
4944	._cache_Synaptics.exe
4340	._cache_synaptics.exe
1332	icsys.icn.exe
4620	explorer.exe
2012	Synaptics.exe
3764	._cache_Synaptics.exe
4036	._cache_synaptics.exe
2624	icsys.icn.exe
1016	explorer.exe
3560	Synaptics.exe
3276	._cache_Synaptics.exe
2368	._cache_synaptics.exe
3680	icsys.icn.exe
1340	explorer.exe
1376	Synaptics.exe
684	._cache_Synaptics.exe
4452	._cache_synaptics.exe
1356	icsys.icn.exe
2276	explorer.exe
4788	Synaptics.exe
4548	._cache_Synaptics.exe
2756	._cache_synaptics.exe
4964	icsys.icn.exe
1856	explorer.exe
5172	Synaptics.exe
5240	._cache_Synaptics.exe
5420	._cache_synaptics.exe
5452	icsys.icn.exe
5516	explorer.exe
5860	Synaptics.exe
6036	._cache_Synaptics.exe
6120	._cache_synaptics.exe
2228	icsys.icn.exe
4424	explorer.exe
5224	Synaptics.exe
5688	._cache_Synaptics.exe
5704	._cache_synaptics.exe

Loads dropped DLL 48 IoCs

pid	Process
1468	Synaptics.exe
1468	Synaptics.exe
3820	._cache_synaptics.exe
3820	._cache_synaptics.exe
2308	Synaptics.exe
2308	Synaptics.exe
3428	._cache_synaptics.exe
3428	._cache_synaptics.exe
4736	Synaptics.exe
4736	Synaptics.exe
4520	._cache_synaptics.exe
4520	._cache_synaptics.exe
116	Synaptics.exe
116	Synaptics.exe
4340	._cache_synaptics.exe
4340	._cache_synaptics.exe
2012	Synaptics.exe
2012	Synaptics.exe
4036	._cache_synaptics.exe
4036	._cache_synaptics.exe
3560	Synaptics.exe
3560	Synaptics.exe
2368	._cache_synaptics.exe
2368	._cache_synaptics.exe
1376	Synaptics.exe
1376	Synaptics.exe
4452	._cache_synaptics.exe
4452	._cache_synaptics.exe
4788	Synaptics.exe
4788	Synaptics.exe
2756	._cache_synaptics.exe
2756	._cache_synaptics.exe
5172	Synaptics.exe
5172	Synaptics.exe
5420	._cache_synaptics.exe
5420	._cache_synaptics.exe
5860	Synaptics.exe
5860	Synaptics.exe
6120	._cache_synaptics.exe
6120	._cache_synaptics.exe
5224	Synaptics.exe
5224	Synaptics.exe
5704	._cache_synaptics.exe
5704	._cache_synaptics.exe
5460	Synaptics.exe
5460	Synaptics.exe
5244	._cache_synaptics.exe
5244	._cache_synaptics.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 42 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1752	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	icsys.icn.exe
1060	icsys.icn.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4544	explorer.exe
4956	svchost.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe
4956	svchost.exe
4544	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4544	explorer.exe
4956	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3484	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	3820	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
1060	icsys.icn.exe
1060	icsys.icn.exe
4544	explorer.exe
4544	explorer.exe
1720	spoolsv.exe
1720	spoolsv.exe
4956	svchost.exe
4956	svchost.exe
2264	spoolsv.exe
2264	spoolsv.exe
4544	explorer.exe
4544	explorer.exe
4116	._cache_Synaptics.exe
4116	._cache_Synaptics.exe
1752	EXCEL.EXE
3760	icsys.icn.exe
3760	icsys.icn.exe
3616	explorer.exe
3616	explorer.exe
1752	EXCEL.EXE
1436	._cache_Synaptics.exe
1436	._cache_Synaptics.exe
1604	EXCEL.EXE
1604	EXCEL.EXE
1604	EXCEL.EXE
3244	icsys.icn.exe
3244	icsys.icn.exe
1604	EXCEL.EXE
4100	explorer.exe
4100	explorer.exe
5004	._cache_Synaptics.exe
5004	._cache_Synaptics.exe
1416	EXCEL.EXE
4028	icsys.icn.exe
4028	icsys.icn.exe
1416	EXCEL.EXE
4260	explorer.exe
4260	explorer.exe
4232	._cache_Synaptics.exe
4232	._cache_Synaptics.exe
4800	EXCEL.EXE
4800	EXCEL.EXE
1380	icsys.icn.exe
1380	icsys.icn.exe
4656	explorer.exe
4656	explorer.exe
4800	EXCEL.EXE
4800	EXCEL.EXE
4944	._cache_Synaptics.exe
4944	._cache_Synaptics.exe
1440	EXCEL.EXE
1440	EXCEL.EXE
1332	icsys.icn.exe
1332	icsys.icn.exe
4620	explorer.exe
4620	explorer.exe
1440	EXCEL.EXE
1440	EXCEL.EXE
3764	._cache_Synaptics.exe
3764	._cache_Synaptics.exe
408	EXCEL.EXE
2624	icsys.icn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4156	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	82
PID 1352 wrote to memory of 4156	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	82
PID 1352 wrote to memory of 4156	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	82
PID 1352 wrote to memory of 1060	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	83
PID 1352 wrote to memory of 1060	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	83
PID 1352 wrote to memory of 1060	1352	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe	83
PID 1060 wrote to memory of 4544	1060	icsys.icn.exe	84
PID 1060 wrote to memory of 4544	1060	icsys.icn.exe	84
PID 1060 wrote to memory of 4544	1060	icsys.icn.exe	84
PID 4544 wrote to memory of 1720	4544	explorer.exe	85
PID 4544 wrote to memory of 1720	4544	explorer.exe	85
PID 4544 wrote to memory of 1720	4544	explorer.exe	85
PID 1720 wrote to memory of 4956	1720	spoolsv.exe	86
PID 1720 wrote to memory of 4956	1720	spoolsv.exe	86
PID 1720 wrote to memory of 4956	1720	spoolsv.exe	86
PID 4956 wrote to memory of 2264	4956	svchost.exe	87
PID 4956 wrote to memory of 2264	4956	svchost.exe	87
PID 4956 wrote to memory of 2264	4956	svchost.exe	87
PID 4956 wrote to memory of 2572	4956	svchost.exe	88
PID 4956 wrote to memory of 2572	4956	svchost.exe	88
PID 4956 wrote to memory of 2572	4956	svchost.exe	88
PID 4156 wrote to memory of 1156	4156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	90
PID 4156 wrote to memory of 1156	4156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	90
PID 4156 wrote to memory of 1156	4156	95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe	90
PID 1156 wrote to memory of 4116	1156	Synaptics.exe	91
PID 1156 wrote to memory of 4116	1156	Synaptics.exe	91
PID 1156 wrote to memory of 4116	1156	Synaptics.exe	91
PID 4116 wrote to memory of 3484	4116	._cache_Synaptics.exe	93
PID 4116 wrote to memory of 3484	4116	._cache_Synaptics.exe	93
PID 4116 wrote to memory of 3484	4116	._cache_Synaptics.exe	93
PID 4116 wrote to memory of 3760	4116	._cache_Synaptics.exe	94
PID 4116 wrote to memory of 3760	4116	._cache_Synaptics.exe	94
PID 4116 wrote to memory of 3760	4116	._cache_Synaptics.exe	94
PID 3760 wrote to memory of 3616	3760	icsys.icn.exe	95
PID 3760 wrote to memory of 3616	3760	icsys.icn.exe	95
PID 3760 wrote to memory of 3616	3760	icsys.icn.exe	95
PID 3484 wrote to memory of 1468	3484	._cache_synaptics.exe	97
PID 3484 wrote to memory of 1468	3484	._cache_synaptics.exe	97
PID 3484 wrote to memory of 1468	3484	._cache_synaptics.exe	97
PID 1468 wrote to memory of 1436	1468	Synaptics.exe	100
PID 1468 wrote to memory of 1436	1468	Synaptics.exe	100
PID 1468 wrote to memory of 1436	1468	Synaptics.exe	100
PID 1436 wrote to memory of 3820	1436	._cache_Synaptics.exe	103
PID 1436 wrote to memory of 3820	1436	._cache_Synaptics.exe	103
PID 1436 wrote to memory of 3820	1436	._cache_Synaptics.exe	103
PID 1436 wrote to memory of 3244	1436	._cache_Synaptics.exe	104
PID 1436 wrote to memory of 3244	1436	._cache_Synaptics.exe	104
PID 1436 wrote to memory of 3244	1436	._cache_Synaptics.exe	104
PID 3244 wrote to memory of 4100	3244	icsys.icn.exe	106
PID 3244 wrote to memory of 4100	3244	icsys.icn.exe	106
PID 3244 wrote to memory of 4100	3244	icsys.icn.exe	106
PID 3820 wrote to memory of 2308	3820	._cache_synaptics.exe	107
PID 3820 wrote to memory of 2308	3820	._cache_synaptics.exe	107
PID 3820 wrote to memory of 2308	3820	._cache_synaptics.exe	107
PID 2308 wrote to memory of 5004	2308	Synaptics.exe	108
PID 2308 wrote to memory of 5004	2308	Synaptics.exe	108
PID 2308 wrote to memory of 5004	2308	Synaptics.exe	108
PID 5004 wrote to memory of 3428	5004	._cache_Synaptics.exe	110
PID 5004 wrote to memory of 3428	5004	._cache_Synaptics.exe	110
PID 5004 wrote to memory of 3428	5004	._cache_Synaptics.exe	110
PID 5004 wrote to memory of 4028	5004	._cache_Synaptics.exe	111
PID 5004 wrote to memory of 4028	5004	._cache_Synaptics.exe	111
PID 5004 wrote to memory of 4028	5004	._cache_Synaptics.exe	111
PID 4028 wrote to memory of 4260	4028	icsys.icn.exe	112

C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
"C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- \??\c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
  c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4116
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4232
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        
        PID:3276
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:6120
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        41⤵
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        39⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        36⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        33⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        21⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4100
    - - C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3616
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1720
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
      - C:\Windows\SysWOW64\at.exe
        
        at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\Windows\SysWOW64\at.exe
        
        at 22:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3296

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2508

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4632

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5256

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6052

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5696

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5472

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery