Resubmissions
13/02/2022, 03:26  220213-dy59eafben  10
25/06/2021, 19:08  210625-fml1gypkn6  8
19/06/2021, 15:14  210619-d3391n953n  10
Analysis
max time kernel: 114s
max time network: 39s
platform: windows7_x64
resource: win7v20210410
submitted: 25/06/2021, 19:08
Static task: static1
Behavioral task: behavioral1
  Sample: Tray.exe
  Resource: win7v20210410
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Tray.exe
  Resource: win10v20210408
  0 signatures, 0 seconds
General
Target: Tray.exe
Size: 321KB
MD5: 6585cb51ff21007fb9ef936e96c58982
SHA1: 7a3d5563460b9935fe84879ee14fabfc7c664825
SHA256: e07b0cd7eca5bc70b07ea786c3ef4da28036c901effa2193a93caf945cb2b334
SHA512: 523c7b3ed0907a473eac04c8cb8642eeea1d3a223069f876a7e0bc18075d59f9903319f6b2e3c2fa262158f04c4ad3637568dd9b0558732c8a574ffe566efc7d
Malware Config
Signatures
Drops file in Drivers directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui Tray.exe
Drops startup file 1 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Tray.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 64 IoCs
description ioc Process
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini Tray.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Tray.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini Tray.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Tray.exe
File opened for modification C:\Users\Public\Documents\desktop.ini Tray.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini Tray.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Tray.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini Tray.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Characters\Desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Heritage\Desktop.ini Tray.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\Saved Games\desktop.ini Tray.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Festival\Desktop.ini Tray.exe
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Tray.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Tray.exe
File opened for modification C:\Users\Public\desktop.ini Tray.exe
File opened for modification C:\Windows\assembly\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini Tray.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Tray.exe
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Garden\Desktop.ini Tray.exe
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Tray.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Tray.exe
File opened for modification C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLC8MVWU\desktop.ini Tray.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Tray.exe
File opened for modification C:\Users\Public\Downloads\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini Tray.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini Tray.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Tray.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Sonata\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini Tray.exe
File opened for modification C:\Windows\Fonts\desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Cityscape\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini Tray.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini Tray.exe
File opened for modification C:\Users\Public\Music\desktop.ini Tray.exe
File opened for modification C:\Windows\Media\Raga\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini Tray.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Tray.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini Tray.exe
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\desktop.ini Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmusrf.inf_amd64_neutral_439e7d1dcac00aca\mdmusrf.inf Tray.exe
File opened for modification C:\Windows\SysWOW64\en-US\comctl32.dll.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\winsta.dll Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmati.inf_amd64_neutral_ded8f26cdee953c3\mdmati.PNF Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\EP0NGXUM.GPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGX7C.GPD Tray.exe
File opened for modification C:\Windows\SysWOW64\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms Tray.exe
File opened for modification C:\Windows\SysWOW64\C_20285.NLS Tray.exe
File opened for modification C:\Windows\System32\DriverStore\en-US\hal.inf_loc Tray.exe
File opened for modification C:\Windows\SysWOW64\en-US\connect.dll.mui Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\BrUsbSIb.sys Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBBR318.DLL Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS5000.GPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1302E3.PPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\KOP5650U.PPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA6240.icc Tray.exe
File opened for modification C:\Windows\SysWOW64\winmm.dll Tray.exe
File opened for modification C:\Windows\SysWOW64\mscandui.dll Tray.exe
File opened for modification C:\Windows\System32\DriverStore\en-US\msmouse.inf_loc Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC420D6.GPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS4221E3.PPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA6000.GPD Tray.exe
File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WAS-ConfigurationAPI-DL.man Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasRip-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1LM.DLL Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmarn.inf_amd64_neutral_fa693d8797766f49\mdmarn.inf Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP11.GPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF3202E3.PPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\FXSDRV.DLL Tray.exe
File opened for modification C:\Windows\SysWOW64\wimgapi.dll Tray.exe
File opened for modification C:\Windows\SysWOW64\NlsData004b.dll Tray.exe
File opened for modification C:\Windows\SysWOW64\MSDvbNP.ax Tray.exe
File opened for modification C:\Windows\SysWOW64\en-US\iac25_32.ax.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\d3dramp.dll Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_neutral_024281c0e4e954e2\bthpan.PNF Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBBLP1.GPD Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiabr004.inf_amd64_neutral_b1d90b3749c5e6a6\Brmf3wia.dll Tray.exe
File opened for modification C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~fr-FR~7.1.7601.16492.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\faxca003.PNF Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ac.bcm Tray.exe
File opened for modification C:\Windows\SysWOW64\samcli.dll Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_neutral_2ef24e9270d8b2a9\iscsi.PNF Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_neutral_de46607a02fe2552\mdmnis2u.inf Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat Tray.exe
File opened for modification C:\Windows\SysWOW64\Dism\TransmogProvider.dll Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_neutral_4261401e3170ebfb\mdmarch.PNF Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\prnbr004.inf Tray.exe
File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\nfs-servercore-DL.man Tray.exe
File opened for modification C:\Windows\System32\catroot2\edb.log Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\arcsas.inf Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1332E3.PPD Tray.exe
File opened for modification C:\Windows\SysWOW64\en-US\perfdisk.dll.mui Tray.exe
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr002.cat Tray.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBJ3.INI Tray.exe
File opened for modification C:\Windows\SysWOW64\en-US\console.dll.mui Tray.exe
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0011\_setup.dll Tray.exe
File opened for modification C:\Windows\SysWOW64\dmocx.dll Tray.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_585df4a7092d7807.manifest Tray.exe
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0000046c_31bf3856ad364e35_6.1.7600.16385_none_63b79e90a408fe50\KBDNSO.DLL Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-ie-imagesupport_31bf3856ad364e35_11.2.9600.16428_none_c42d405e4fbf3c1d\imgutil.dll Tray.exe
File opened for modification C:\Windows\winsxs\amd64_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.1.7600.16385_none_d698f187a664cc02\_ServiceModelServicePerfCounters_D.ini Tray.exe
File opened for modification C:\Windows\winsxs\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_7.2.7601.16406_none_b9b179cff84db116\structureTaskExecution.xsd Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..iccontent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_109a36a676b3571a.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b_appidapi.dll.mui_b6af37bb Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_793bb4aa96902fa7.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-tcpip-adm_31bf3856ad364e35_6.1.7600.16385_none_8efe707fa1acdc48.manifest Tray.exe
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ca00459dda59f6f4\netiougc.exe Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-rasifmon_31bf3856ad364e35_6.1.7600.16385_none_26c4bb7a06df867e.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..ionstatic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_881b3b1870ca2a00.manifest Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l2na.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a62167de39951d5f\l2nacp.dll.mui Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\x86_netfx35cdf-cdf_wf_target_files_31bf3856ad364e35_6.1.7600.16385_none_6c39a732d1f6259e.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-n..e_iassvcs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4cbef44aac3babb4.manifest Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_en-us_d2c3ba2684bde870\mstsc.exe.mui Tray.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationUI.dll Tray.exe
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsium.dll_edf4260f Tray.exe
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988_lpk.dll_ebdc1de9 Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_pt-pt_e93415d358c6c7f8\d2d1.dll.mui Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.7601.17514_none_d8c6d6f2c817e75c\msfeeds.dll Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..mponent-sku-starter_31bf3856ad364e35_6.1.7600.16385_none_4822cbe075c7e066.manifest Tray.exe
File opened for modification C:\Windows\Fonts\ARIALNB.TTF Tray.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.NetworkInformation.dll Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07.manifest Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Feed Discovered.wav Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ncdprop_31bf3856ad364e35_6.1.7600.16385_none_afaaadda29b44241\NcdProp.dll Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_en-us_3e16230dfd28c743\iexpress.exe.mui Tray.exe
File opened for modification C:\Windows\winsxs\amd64_prnep00g.inf_31bf3856ad364e35_6.1.7600.16385_none_afdac3e7463477e2\Amd64\EP0NCJ8D.CMB Tray.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\08d77067bceade0839fda4c78a304038\Microsoft.Office.InfoPath.Client.Internal.Host.ni.dll Tray.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\Accessibility.ni.dll Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-classic_31bf3856ad364e35_6.1.7600.16385_none_ed4ee0602861ae33\hcblack.theme Tray.exe
File opened for modification C:\Windows\winsxs\msil_microsoft.mediacenter.sports_31bf3856ad364e35_6.1.7601.17514_none_e7db1fde0e47a515\Microsoft.MediaCenter.Sports.dll Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_6.1.7600.16385_none_07c100a06d2b74c6\rekeywiz.exe Tray.exe
File opened for modification C:\Windows\winsxs\amd64_wiaca00e.inf_31bf3856ad364e35_6.1.7600.16385_none_9bdaf7e8cb1745bc\wiaca00e.inf Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-u..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_th-th_fc3f476fe729599b.manifest Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\flower_dot.png Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-sqlliteoledb-feature_31bf3856ad364e35_6.1.7600.16385_none_42d7a5e35f2edce8.manifest Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_25eb4cc738631809\hform.xsl Tray.exe
File opened for modification C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_6.1.7600.16385_none_7a09d4299f1192f7\wizardProviderInfo.ascx.resx Tray.exe
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b97e2a0cf19a74b_hh.exe.mui_2744e397 Tray.exe
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_7060e0eb6369be78.manifest Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\(144DPI)notConnectedStateIcon.png Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-getuname_31bf3856ad364e35_6.1.7600.16385_none_2d337ee8fae2ead3\getuname.dll Tray.exe
File opened for modification C:\Windows\winsxs\amd64_ntprint.inf_31bf3856ad364e35_6.1.7601.17514_none_9926a270d1526b79\Amd64\P6DISP.GPD Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-m..epc-defaultlocation_31bf3856ad364e35_6.1.7601.17514_none_c31b1ef89283c51c.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.7600.16385_en-us_6d3e07200f2ae7de.manifest Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_eda9df32202cdb55\fms.dll.mui Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-winsock-legacy-afd_31bf3856ad364e35_6.1.7600.16385_none_477be503cda35f27\msafd.dll Tray.exe
File opened for modification C:\Windows\winsxs\amd64_prnnr004.inf_31bf3856ad364e35_6.1.7600.16385_none_ba2d2131f8a32d84\prnnr004.inf Tray.exe
File opened for modification C:\Windows\Fonts\PER_____.TTF Tray.exe
File opened for modification C:\Windows\inf\hal.PNF Tray.exe
File opened for modification C:\Windows\ShellNew\MSPUB.PUB Tray.exe
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-28591_31bf3856ad364e35_6.1.7600.16385_none_5574b4954550ec70\C_28591.NLS Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351\ndptsp.tsp.mui Tray.exe
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_0577819b021e44a4.manifest Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-2.htm Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-diag_31bf3856ad364e35_6.1.7600.16385_none_0f7601a1f6f55d23\msrahc.dll Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fc03c42205c641c5.manifest Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-printing-xpsprint_31bf3856ad364e35_7.1.7601.16492_none_fae139ccb3141872.manifest Tray.exe
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat Tray.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-irisupc_31bf3856ad364e35_6.1.7600.16385_none_2449677664faf8df\upcib.ttf Tray.exe
File opened for modification C:\Windows\winsxs\FileMaps\$$_ime_imekr8_dicts_2ff7cb9394decb12.cdf-ms Tray.exe
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mmcex-regentries_31bf3856ad364e35_6.1.7600.16385_none_4eb099682938c424.manifest Tray.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
1504 taskmgr.exe (same row repeated 12 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1504 taskmgr.exe
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process
1504 taskmgr.exe (same row repeated 38 times)
Suspicious use of SendNotifyMessage 38 IoCs
pid Process
1504 taskmgr.exe (same row repeated 38 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Tray.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Tray.exe"
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
PID:1084
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504