14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 19:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
Size

125KB
MD5

1aec0af3c8aa8999cbf8c97466dfaafd
SHA1

605fff9343cbbf187c60a1460f09c004bba3fbd1
SHA256

14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3
SHA512

210dac696a85ff18b9baf1d6b8aaded8c90b45f06cf8cea927dad7ae2cb85dfcb115c9bb4a9809d94f269aec4372b6ef1ab662a349aad457f114a0d84d439f93
SSDEEP

3072:ZEboFVlGAvwsgbpvYfMTc72L10fPsout:OBzsgbpvnTcyOPsoS

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/2272-7-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-29-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-27-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-33-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-32-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-31-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-23-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-21-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-19-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-17-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-15-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-13-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-11-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-26-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-9-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-3-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-2-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/2272-5-0x0000000002180000-0x00000000021D5000-memory.dmp	UPX
behavioral2/memory/636-96-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/636-99-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/636-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/636-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/636-110-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-114-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-130-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-128-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-127-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-124-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-123-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-120-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-118-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-116-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-112-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-108-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-106-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-104-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/memory/636-103-0x0000000003330000-0x0000000003385000-memory.dmp	UPX
behavioral2/files/0x000a000000023b69-147.dat	UPX
behavioral2/files/0x000c000000023b62-156.dat	UPX
behavioral2/memory/3988-195-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/636-244-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3988-245-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
636	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
636	svchost.exe
4548	KVEIF.jpg
3988	svchost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-7-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-29-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-27-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-33-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-32-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-31-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-23-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-21-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-19-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-17-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-15-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-13-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-11-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-26-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-9-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-3-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-2-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/2272-5-0x0000000002180000-0x00000000021D5000-memory.dmp	upx
behavioral2/memory/636-110-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-114-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-130-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-128-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-127-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-124-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-123-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-120-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-118-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-116-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-112-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-108-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-106-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-104-0x0000000003330000-0x0000000003385000-memory.dmp	upx
behavioral2/memory/636-103-0x0000000003330000-0x0000000003385000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 4548 set thread context of 3988	4548	KVEIF.jpg	89

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs1.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
4548	KVEIF.jpg
4548	KVEIF.jpg
4548	KVEIF.jpg
4548	KVEIF.jpg
4548	KVEIF.jpg
4548	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
636	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
Token: SeDebugPrivilege	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
Token: SeDebugPrivilege	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
Token: SeDebugPrivilege	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	4548	KVEIF.jpg
Token: SeDebugPrivilege	4548	KVEIF.jpg
Token: SeDebugPrivilege	4548	KVEIF.jpg
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	3988	svchost.exe
Token: SeDebugPrivilege	636	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 2272 wrote to memory of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 2272 wrote to memory of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 2272 wrote to memory of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 2272 wrote to memory of 636	2272	14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe	83
PID 2304 wrote to memory of 4548	2304	cmd.exe	88
PID 2304 wrote to memory of 4548	2304	cmd.exe	88
PID 2304 wrote to memory of 4548	2304	cmd.exe	88
PID 4548 wrote to memory of 3988	4548	KVEIF.jpg	89
PID 4548 wrote to memory of 3988	4548	KVEIF.jpg	89
PID 4548 wrote to memory of 3988	4548	KVEIF.jpg	89
PID 4548 wrote to memory of 3988	4548	KVEIF.jpg	89
PID 4548 wrote to memory of 3988	4548	KVEIF.jpg	89

C:\Users\Admin\AppData\Local\Temp\14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe
"C:\Users\Admin\AppData\Local\Temp\14569ab042b336a29fbac0ee7222a9ba1b4ebe742879d9a342dd196fd85170b3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:636

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD

Filesize
126KB

MD5
91d1993516f5f4329db48c45509fca9a

SHA1
5e063562386629c9503ff30a27ee2a74de66b567

SHA256
805943c05541b41d8bf16a03f740ff9ab4d5e7017a535ea1bb2588f5c60869bf

SHA512
07d890985ef200a2e010cb8b314bee75f3c9ce7bcd60bea77e153c912f9fd5e1f6fa82d9a5bba61ab890c9d55b02a229971d31fc4d8ba22df437cf50df35e4ce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
1c1c22ca1d77215ad2338704aef4f15d

SHA1
75e32ff4eaa92289aacaf7bed6553d978a7072e9

SHA256
499fc793592112273bb254dd8d288604658fb69e31c84d3f93138e459d6279a2

SHA512
d0745359844ac0202be90179d41b2fcd189acd80601037744fdc381f11dd23ab66b8e782759cb7062c73d03628c4c45ee0663398ec1dfa90da2ea65d2a57b2fa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini

Filesize
22B

MD5
453d2fc74da6d001a4fdd6734163c7c7

SHA1
ee0df26826350e252bfc43d21041053df079ca10

SHA256
f04003dc50539b7d9bbf491ecdab32b96b997377d8928bf4273a584e38eac98c

SHA512
6449257622d018a5c964ce4c1a1ead4f03db5bca23d0263aee775f096ef3063bbb61d0b1223c1f956a4de3468d3c55dae781d5851ccebc7c62dfd6e9e3d5a434

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt

Filesize
104B

MD5
58ac6380bdb855f55d904c5714357894

SHA1
b58e3f71480a8b795818580af6ba424f8e06a776

SHA256
b80817ea434f3234260a63638a726c9420c9a6cd2d47449290c062720087d937

SHA512
508953a89ffa34b5a3bca4654f7f0a32322d95bf444ddedfd9a8098d8dca3f340358af76423d5cb6d3d6087eee53777ea84c34aef84dae6bc8cd7e9e3845d793

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
91ec5623f2e6c3f3825c7ff4239e6827

SHA1
3f70a042d6d34b45e8f2ab907da4528e8d370006

SHA256
ee030d47cbdbd4556fbc437c73814e47906afdf07a9b17165ed2a72638dd08be

SHA512
258abb3a14a270b9dae78ece1101c09192cb27d57c1f29b8dbe05b0f8d06930483be71de69b622e324c5c8e3140c2932439209dcb8833cc234c6e40e859480f3

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11E17\KVEIFmain.ini

Filesize
1KB

MD5
73c1b293720a3fabbfc3967ef29be1c0

SHA1
1e6b4f392e1048bc65a4d4de5e41471aba3c269f

SHA256
db10a0430d85afd40c888e180c703f50be5e9faebe80972a84b7bfdbb3986837

SHA512
f91eaafc448732204e39fea0d1273a1ab35806d2bfdb2edc55c0d44d1aa1c5bff4516931d7ff102d60633ec77b0aefe06f7ca39dd77b2be87a3e4f156f8abadb

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11E17\KVEIFmain.ini

Filesize
1KB

MD5
f3a0f74935fe789e895c09ef004e42a2

SHA1
8c031b889808cd36b5626a3e2edefac383e1b5dc

SHA256
c4ab18c90d8189eef6d04747d5d6dd8adef30cbbdf7a03339748258a21ba6c56

SHA512
63a3715bbd4d414de26dd98735d4bd2f4ec5febd241e464643cade16751b890d6fcc0e1d380ec94e33d4d625dc2042cafdb5a473ec0d38a980c07d88ebf56200

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/636-118-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-116-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-244-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-103-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-104-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-106-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-108-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-112-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-120-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-123-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-124-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-127-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-128-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-110-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-114-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/636-130-0x0000000003330000-0x0000000003385000-memory.dmp

Filesize
340KB

Download
memory/2272-9-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-32-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-23-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-21-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-19-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-5-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-2-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-7-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-3-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-17-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-11-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-26-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-31-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-13-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-33-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-27-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-29-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/2272-15-0x0000000002180000-0x00000000021D5000-memory.dmp

Filesize
340KB

Download
memory/3988-195-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3988-245-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download