Analysis
max time kernel: 322s
max time network: 324s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 16:39
Static task: static1
Behavioral task: behavioral1
Sample: Velonity.exe
Resource: win7-20240221-en
General
Target: Velonity.exe
Size: 1.2MB
MD5: acfe7dcbe9723382722bcdf52bbb73e8
SHA1: b60644750f40d2ee4052c8e6dd588ad99288bc6f
SHA256: 455784b6d8edafa34ac88e20d2ca34a8e26d6ae8c89fc77875c856feab347ef3
SHA512: 841e20a08f6c59c3162a3fd4e6d44276c0025c7cc75261e481c21a4b4df629c5d603c4bda3d6f927ac24186d4a3fd162ec5e2d05c97528b37e8cf9efc4d530cb
SSDEEP: 24576:vDM2Ny922wrKSFocmJgYV1lJ544YcRgbJhf1foTh9ZCLzAxy+7:rzeEWSFoDg45gbJ30h9ZJy
Malware Config
Extracted
Family: umbral
C2: https://discord.com/api/webhooks/1226889417617309827/aGM_hNDP-J3NT9u8SNSCocRMlBp_FCEGgjkp6sBXd1GO8FD5GFf_AHKBNovo138ckADt
Signatures

Detect Umbral payload 4 IoCs
resource | yara_rule
- behavioral2/memory/3008-1-0x00000000005E0000-0x00000000009B8000-memory.dmp | family_umbral
- behavioral2/memory/3008-108-0x00000000005E0000-0x00000000009B8000-memory.dmp | family_umbral
- behavioral2/memory/3008-148-0x00000000005E0000-0x00000000009B8000-memory.dmp | family_umbral
- behavioral2/memory/3008-152-0x00000000005E0000-0x00000000009B8000-memory.dmp | family_umbral
Drops file in Drivers directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\System32\drivers\etc\hosts | Velonity.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
- 33 | discord.com
- 34 | discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 12 | ip-api.com
Drops file in System32 directory 11 IoCs
description | ioc | Process
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
- 3008 | Velonity.exe
- 3008 | Velonity.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid | Process
- 3376 | wmic.exe

Modifies registry class 5 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | mspaint.exe
- Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | mspaint.exe
- Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | mspaint.exe
- Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | OpenWith.exe
- Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | mspaint.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
- 4524 | PING.EXE
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid | Process
- 3008 | Velonity.exe
- 4000 | powershell.exe (2 rows)
- 1836 | powershell.exe (2 rows)
- 1976 | powershell.exe (2 rows)
- 4740 | powershell.exe (2 rows)
- 4904 | powershell.exe (2 rows)
- 2820 | taskmgr.exe (20 rows)
- 4564 | mspaint.exe (2 rows)
- 2928 | mspaint.exe (2 rows)
- 4020 | mspaint.exe (2 rows)
- 3348 | mspaint.exe (2 rows)
- 5064 | mspaint.exe (2 rows)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
- 5088 | OpenWith.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 3008 | Velonity.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4132 | wmic.exe (each of the 21 tokens recorded twice: 42 rows)
- Token: SeDebugPrivilege | 4000 | powershell.exe
- Token: SeDebugPrivilege | 1836 | powershell.exe
- Token: SeDebugPrivilege | 1976 | powershell.exe
- Token: SeDebugPrivilege | 4740 | powershell.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 4588 | wmic.exe (17 rows)
Suspicious use of FindShellTrayWindow 46 IoCs
pid | Process
- 2820 | taskmgr.exe (46 rows)

Suspicious use of SendNotifyMessage 46 IoCs
pid | Process
- 2820 | taskmgr.exe (46 rows)

Suspicious use of SetWindowsHookEx 14 IoCs
pid | Process
- 3008 | Velonity.exe
- 548 | OpenWith.exe
- 4564 | mspaint.exe (4 rows)
- 2928 | mspaint.exe
- 1200 | OpenWith.exe
- 4020 | mspaint.exe
- 5088 | OpenWith.exe
- 3348 | mspaint.exe
- 960 | OpenWith.exe
- 5064 | mspaint.exe
- 1304 | OpenWith.exe
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target (each row recorded 3 times)
- PID 3008 wrote to memory of 4132 | 3008 | Velonity.exe | 89
- PID 3008 wrote to memory of 116 | 3008 | Velonity.exe | 92
- PID 3008 wrote to memory of 4000 | 3008 | Velonity.exe | 94
- PID 3008 wrote to memory of 1836 | 3008 | Velonity.exe | 98
- PID 3008 wrote to memory of 1976 | 3008 | Velonity.exe | 100
- PID 3008 wrote to memory of 4740 | 3008 | Velonity.exe | 103
- PID 3008 wrote to memory of 4588 | 3008 | Velonity.exe | 105
- PID 3008 wrote to memory of 3268 | 3008 | Velonity.exe | 107
- PID 3008 wrote to memory of 2940 | 3008 | Velonity.exe | 109
- PID 3008 wrote to memory of 4904 | 3008 | Velonity.exe | 111
- PID 3008 wrote to memory of 3376 | 3008 | Velonity.exe | 113
- PID 3008 wrote to memory of 4504 | 3008 | Velonity.exe | 118
- PID 4504 wrote to memory of 4524 | 4504 | cmd.exe | 120

Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
- 116 | attrib.exe
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Velonity.exe (PID 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Velonity.exe"
    - Drops file in Drivers directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4132)
        Command line: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\attrib.exe (PID 116)
        Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Velonity.exe"
        - Views/modifies file attributes

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4000)
        Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Velonity.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1836)
        Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1976)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4740)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4588)
        Command line: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3268)
        Command line: "wmic.exe" computersystem get totalphysicalmemory

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2940)
        Command line: "wmic.exe" csproduct get uuid

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4904)
        Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3376)
        Command line: "wmic" path win32_VideoController get name
        - Detects videocard installed

    C:\Windows\SysWOW64\cmd.exe (PID 4504)
        Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Velonity.exe" && pause
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID 4524)
            Command line: ping localhost
            - Runs ping.exe

C:\Windows\system32\taskmgr.exe (PID 2820)
    Command line: "C:\Windows\system32\taskmgr.exe" /7
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (PID 2388)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE (PID 1912)
    Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Documents\UnpublishReceive.xml"

C:\Windows\system32\OpenWith.exe (PID 548)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe (PID 4564)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\HideImport.emf"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe (PID 4308)
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\mspaint.exe (PID 2928)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\UninstallInitialize.jpeg" /ForceBootstrapPaint3D
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe (PID 1260)
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe (PID 1200)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe (PID 4020)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\UninstallInitialize.jpeg" /ForceBootstrapPaint3D
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (PID 5088)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe (PID 3348)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (PID 960)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe (PID 5064)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (PID 1304)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads