Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
23/04/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe
Resource
win10v2004-20240412-en
General
-
Target
9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe
-
Size
131KB
-
MD5
71232e209a8bd13a367ba87201c497da
-
SHA1
d55bfea33f81033f9c90c230af77b6a47c4c9f7f
-
SHA256
9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f
-
SHA512
ad339be648dcf101764e00d5e1dd9733324fd031ae902793de610c9eb74f352c3443b8b11fab0d64175c49146d7b8467bd65d23b4ce590e0dd070ec038d104f6
-
SSDEEP
3072:fEboFVlGAvwsgbpvYfMTc72L10fPsout6nn:cBzsgbpvnTcyOPsoS6nn
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 40 IoCs
resource yara_rule behavioral1/memory/2804-13-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-11-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-17-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-32-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-33-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-31-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-27-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-25-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-23-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-21-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-19-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-15-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2624-70-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2624-73-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2624-75-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2624-74-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2624-78-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-84-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-92-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-100-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-98-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/files/0x000900000001560a-123.dat UPX behavioral1/memory/2624-96-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-94-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-90-0x0000000000180000-0x00000000001D5000-memory.dmp UPX 
behavioral1/memory/2624-88-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-86-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/files/0x0006000000016283-129.dat UPX behavioral1/memory/2624-82-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-80-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2624-77-0x0000000000180000-0x00000000001D5000-memory.dmp UPX behavioral1/memory/2804-9-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-7-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-5-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-3-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/memory/2804-2-0x0000000001C70000-0x0000000001CC5000-memory.dmp UPX behavioral1/files/0x0006000000016283-175.dat UPX behavioral1/memory/2400-217-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2624-263-0x0000000000400000-0x000000000042D000-memory.dmp UPX behavioral1/memory/2400-266-0x0000000000400000-0x000000000042D000-memory.dmp UPX -
Deletes itself 1 IoCs
pid Process 2624 svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 1412 KVEIF.jpg 2012 KVEIF.jpg -
Loads dropped DLL 5 IoCs
pid Process 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 2624 svchost.exe 1412 KVEIF.jpg 2012 KVEIF.jpg 2400 svchost.exe -
resource yara_rule behavioral1/memory/2804-13-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-11-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-17-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-29-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-32-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-33-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-31-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-27-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-25-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-23-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-21-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-19-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-15-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2624-78-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-84-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-92-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-100-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-98-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-96-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-94-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-90-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-88-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-86-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-82-0x0000000000180000-0x00000000001D5000-memory.dmp upx 
behavioral1/memory/2624-80-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2624-77-0x0000000000180000-0x00000000001D5000-memory.dmp upx behavioral1/memory/2804-9-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-7-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-5-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-3-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx behavioral1/memory/2804-2-0x0000000001C70000-0x0000000001CC5000-memory.dmp upx -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\kernel64.dll 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File opened for modification C:\Windows\SysWOW64\kernel64.dll 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2804 set thread context of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2012 set thread context of 2400 2012 KVEIF.jpg 33 -
Drops file in Program Files directory 25 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\FKC.WYA svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFs5.ini svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIF.jpg 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\FKC.WYA 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\1D11E18123.IMD svchost.exe File created C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\FKC.WYA KVEIF.jpg File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFmain.ini 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFs5.ini svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFs5.ini KVEIF.jpg File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\ok.txt 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFmain.ini 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIF.jpg svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\FKC.WYA svchost.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFs1.ini svchost.exe File opened for 
modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIF.jpg svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\1D11E18123.IMD svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\FKC.WYA KVEIF.jpg File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIFss1.ini 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\KVEIF.jpg 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\$$.tmp svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\$$.tmp svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E18\1D11E18123.IMD KVEIF.jpg -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\web\606C646364636479.tmp 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe File opened for modification C:\Windows\web\606C646364636479.tmp 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
pid Process 1412 KVEIF.jpg 2012 KVEIF.jpg -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 1412 KVEIF.jpg 1412 KVEIF.jpg 1412 KVEIF.jpg 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2012 KVEIF.jpg 2012 KVEIF.jpg 2012 KVEIF.jpg 2400 svchost.exe 2400 svchost.exe 2400 svchost.exe 2400 svchost.exe 2400 svchost.exe 2400 svchost.exe 2400 svchost.exe 2624 svchost.exe 2400 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2624 svchost.exe 2400 svchost.exe 2624 svchost.exe 2400 svchost.exe 2400 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2624 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe Token: SeDebugPrivilege 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe Token: SeDebugPrivilege 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe Token: SeDebugPrivilege 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 1412 KVEIF.jpg Token: SeDebugPrivilege 1412 KVEIF.jpg Token: SeDebugPrivilege 1412 KVEIF.jpg Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2012 KVEIF.jpg Token: SeDebugPrivilege 2012 KVEIF.jpg Token: SeDebugPrivilege 2012 KVEIF.jpg Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 
svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2624 svchost.exe Token: SeDebugPrivilege 2400 svchost.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 2804 wrote to memory of 2624 2804 9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe 28 PID 904 wrote to memory of 1412 904 cmd.exe 30 PID 904 wrote to memory of 1412 904 cmd.exe 30 PID 904 wrote to memory of 1412 904 cmd.exe 30 PID 904 wrote to memory of 1412 904 cmd.exe 30 PID 2136 wrote to memory of 2012 2136 cmd.exe 32 PID 2136 wrote to memory of 2012 2136 cmd.exe 32 PID 2136 wrote to memory of 2012 2136 cmd.exe 32 PID 2136 wrote to memory of 2012 2136 cmd.exe 32 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33 PID 2012 wrote to memory of 2400 2012 KVEIF.jpg 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe "C:\Users\Admin\AppData\Local\Temp\9b35289f5857b54db6a02145a2888d2401faf6fb386534591f2981b3ad15b60f.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 0 2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\system32\cmd.exe cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 1⤵
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg "C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
C:\Windows\system32\cmd.exe cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg "C:\Program Files\Common Files\Microsoft\1D11E18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430395D474A422F565840 0 3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
132KB
MD5 fe28203bf6ce7ebd24b5d13044764832
SHA1 51e30f8b377b01bdb894e3bcbcdf0b1e392973f6
SHA256 0d577a106c5e873d59aebb27a4cf231ba0b20cf3a8a0e0219a42020e25e8a8d4
SHA512 a180f309eab20a6307dc30da3b0467ef74cf3d2d250e1091a136c9f7a0349647fa18236106a5d9a543020254026c2db4bdeea4d4708402f587814012ee649a75
-
Filesize
131KB
MD5 9c87adf72823e3cf75ecccfaceed5dd4
SHA1 61adbbf3c700465c4eda7d63627e931c0c0a40cc
SHA256 c7f7988ad8be6fd3ccdd1ca59b8fd86a82224cec2394973049983cb4d0e17cc6
SHA512 3a1903b9848a6886b3d4cd26ace6b57d7f31fd74217d7a1093bebd8798580adefb7f7dcde2eab1e266be635ccd504677d4fac6d529c8f9fa767668c9b919fe4e
-
Filesize
108KB
MD5 f697e0c5c1d34f00d1700d6d549d4811
SHA1 f50a99377a7419185fc269bb4d12954ca42b8589
SHA256 1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16
SHA512 d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202
-
Filesize
711B
MD5 5b85700764c7f8ed2db3d99aba090ff3
SHA1 89521db8d1abb29e082628efdd23c547fa54ef44
SHA256 ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24
SHA512 00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642
-
Filesize
22B
MD5 a4ef93de80711124d4b7e080ccf42edb
SHA1 f4530f5e6d362781fa6dfa4982d25f3ad15dbf99
SHA256 9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24
SHA512 707c5a1a84a1cd490e3e0109c30b32724a69d27021653265bbd838065458e1eea20b470f145612f9ea5486711c47a59dcb515f9625829e63689a89af75901fa2
-
Filesize
104B
MD5 0ae2ba60c5fd7308ed491989b86cc66c
SHA1 ce6c5ea2190892b24f5a551ba0f1bf5aec7909de
SHA256 6c20b467066eace9e4e5f76524682581d3f4a6df4a388c001b958009baceba1e
SHA512 6279c48d3181a8bfa3bbda0620b9620a11474cc1c36aa5dfecd7a8f0ba6712e3853a314400be417a6835cffe48a1b7c26733c62e470889cf6fe3d5c59355194b
-
Filesize
131KB
MD5 7c608adef6e40b73f9380ce59fbaad5f
SHA1 7f0bc4c7ae6da6708b4aa0e53112631b05237a3f
SHA256 071622d761bbf5581f2c4d71c22f5adbd9539a1997554de5362857d49d15f715
SHA512 7af724a6fd3dee99aa3391054866b38e58498a1d822cbf2988f5495b9d8b859b72cffc360eddfee71f0a9ead25450305b0c387005a689b1bd4c7caa2741b386e
-
Filesize
131KB
MD5 d106e842f761aac6af588fb764f0b0fc
SHA1 59c173fa0b98c9eee77549bc2202547c7b4056ce
SHA256 841884e7398a36749bf8d340718e2a9823feb73d8b368bb074c89ef704f5de9a
SHA512 5a7e03c88b19f69092ca1c55d21f41d7a448119197d5defa2af15a7c1e0aba715dfe14fa72c13daf2d420423394e3eaa336843f803bd9eaa30d008cbb6943929
-
Filesize
448KB
MD5 795d98ec6feeb73c2939695b839f4c5a
SHA1 839c99c261f986dbf59ccf50bebba92f89a04a24
SHA256 b06aba3b67e493111584aa44636655ef31536f961942c111ee8acf4cf706649a
SHA512 85f67db7fa89068c5fdce5afdfd38c2e0d0ddca0e5adc931295fd7a4189946e181dc14a8cd07f434c6eb03e0fccd199a13abfe9966c06eaf1b7f539f14b5e36e
-
Filesize
512KB
MD5 9d7bcbf56ac5b72277fdf1d4954f7087
SHA1 1839e1055c0304c58fae8783bc746d3bac829855
SHA256 d5396df696f61ecad6cb535f6abf709b57dd04a5a02b27f6a93d57154c88b2b1
SHA512 f2e50d936e77dd7867f4b73bc7cc2946a2072b806abdbe9d710ece813641d4cbb68d26153ff77b9141f3e4c9bb393b2562a8f45c1e44d443a8973acb5a581ba9