Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
- submitted: 02-06-2024 01:23

Behavioral task: behavioral1
- Sample: loader.exe
- Resource: win7-20240419-en
General
- Target: loader.exe
- Size: 365KB
- MD5: cbd720ad4f7be1c099ec22f56ee61dd6
- SHA1: 9989030c7ea1756e1834c464688d418e773919fc
- SHA256: 20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846
- SHA512: 2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740
- SSDEEP: 6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX
Malware Config
Extracted: umbral
- URL: https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_
Signatures

Detect Umbral payload (2 IoCs)
- resource behavioral1/files/0x000900000001344f-6.dat: yara_rule family_umbral
- resource behavioral1/memory/1980-11-0x0000000001360000-0x00000000013A0000-memory.dmp: yara_rule family_umbral
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 2780 powershell.exe
Drops file in Drivers directory (1 IoCs)
- File opened for modification C:\Windows\System32\drivers\etc\hosts (process: loader.exe)
Executes dropped EXE (6 IoCs)
- PID 1980 loader.exe
- PID 1508 icsys.icn.exe
- PID 1360 explorer.exe
- PID 2028 spoolsv.exe
- PID 2180 svchost.exe
- PID 2852 spoolsv.exe
Loads dropped DLL (6 IoCs)
- PID 1732 loader.exe (2 entries)
- PID 1508 icsys.icn.exe
- PID 1360 explorer.exe
- PID 2028 spoolsv.exe
- PID 2180 svchost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 6: ip-api.com
Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
Drops file in Windows directory (5 IoCs)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (process: loader.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 568 schtasks.exe
- PID 2864 schtasks.exe
- PID 2460 schtasks.exe
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
- PID 748 wmic.exe
Runs ping.exe (1 TTPs, 1 IoCs)
- PID 860 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1732 loader.exe (16 entries)
- PID 1980 loader.exe (1 entry)
- PID 2780 powershell.exe (1 entry)
- PID 2952 powershell.exe (1 entry)
- PID 2688 powershell.exe (1 entry)
- PID 1008 powershell.exe (1 entry)
- PID 1508 icsys.icn.exe (17 entries)
- PID 1360 explorer.exe (16 entries)
- PID 2180 svchost.exe (10 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 1360 explorer.exe
- PID 2180 svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 1980 loader.exe: SeDebugPrivilege
- PID 2880 wmic.exe (each token recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 2780 powershell.exe: SeDebugPrivilege
- PID 2952 powershell.exe: SeDebugPrivilege
- PID 2688 powershell.exe: SeDebugPrivilege
- PID 1008 powershell.exe: SeDebugPrivilege
- PID 840 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of FindShellTrayWindow (32 IoCs)
- PID 2904 taskmgr.exe (32 entries)
Suspicious use of SendNotifyMessage (32 IoCs)
- PID 2904 taskmgr.exe (32 entries)
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1732 loader.exe (2 entries)
- PID 1508 icsys.icn.exe (2 entries)
- PID 1360 explorer.exe (2 entries)
- PID 2028 spoolsv.exe (2 entries)
- PID 2180 svchost.exe (2 entries)
- PID 2852 spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1732 wrote to memory of 1980 (1732 loader.exe, procid_target 28) (4 entries)
- PID 1980 wrote to memory of 2880 (1980 loader.exe, procid_target 29) (3 entries)
- PID 1980 wrote to memory of 2544 (1980 loader.exe, procid_target 32) (3 entries)
- PID 1980 wrote to memory of 2780 (1980 loader.exe, procid_target 34) (3 entries)
- PID 1980 wrote to memory of 2952 (1980 loader.exe, procid_target 36) (3 entries)
- PID 1980 wrote to memory of 2688 (1980 loader.exe, procid_target 38) (3 entries)
- PID 1980 wrote to memory of 1008 (1980 loader.exe, procid_target 40) (3 entries)
- PID 1732 wrote to memory of 1508 (1732 loader.exe, procid_target 42) (4 entries)
- PID 1508 wrote to memory of 1360 (1508 icsys.icn.exe, procid_target 43) (4 entries)
- PID 1980 wrote to memory of 840 (1980 loader.exe, procid_target 44) (3 entries)
- PID 1360 wrote to memory of 2028 (1360 explorer.exe, procid_target 46) (4 entries)
- PID 2028 wrote to memory of 2180 (2028 spoolsv.exe, procid_target 47) (4 entries)
- PID 2180 wrote to memory of 2852 (2180 svchost.exe, procid_target 48) (4 entries)
- PID 1360 wrote to memory of 764 (1360 explorer.exe, procid_target 49) (4 entries)
- PID 1980 wrote to memory of 688 (1980 loader.exe, procid_target 50) (3 entries)
- PID 2180 wrote to memory of 568 (2180 svchost.exe, procid_target 52) (4 entries)
- PID 1980 wrote to memory of 1432 (1980 loader.exe, procid_target 54) (3 entries)
- PID 1980 wrote to memory of 444 (1980 loader.exe, procid_target 57) (3 entries)
- PID 1980 wrote to memory of 748 (1980 loader.exe, procid_target 59) (2 entries)
Views/modifies file attributes (1 TTPs, 1 IoCs)
- PID 2544 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe (level 1, PID 1732)
  command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\loader.exe (level 2, PID 1980)
    command line: c:\users\admin\appdata\local\temp\loader.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe (level 3, PID 2880)
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\attrib.exe (level 3, PID 2544)
      command line: "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
      - Views/modifies file attributes

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2780)
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2952)
      command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2688)
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 1008)
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe (level 3, PID 840)
      command line: "wmic.exe" os get Caption
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe (level 3, PID 688)
      command line: "wmic.exe" computersystem get totalphysicalmemory

    C:\Windows\System32\Wbem\wmic.exe (level 3, PID 1432)
      command line: "wmic.exe" csproduct get uuid

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 444)
      command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

    C:\Windows\System32\Wbem\wmic.exe (level 3, PID 748)
      command line: "wmic" path win32_VideoController get name
      - Detects videocard installed

    C:\Windows\system32\cmd.exe (level 3, PID 920)
      command line: "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause

      C:\Windows\system32\PING.EXE (level 4, PID 860)
        command line: ping localhost
        - Runs ping.exe

  C:\Windows\Resources\Themes\icsys.icn.exe (level 2, PID 1508)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (level 3, PID 1360)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (level 4, PID 2028)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (level 5, PID 2180)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (level 6, PID 2852)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe (level 6, PID 568)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:25 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (level 6, PID 2864)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (level 6, PID 2460)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
            - Creates scheduled task(s)

      C:\Windows\Explorer.exe (level 4, PID 764)
        command line: C:\Windows\Explorer.exe

C:\Windows\system32\taskmgr.exe (level 1, PID 2904)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads