eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Size

125KB
MD5

1b4de1d81a4129e32c06be9d9dc6fbb6
SHA1

bc25b3ac5736276336e2ddc110a1ff63816fbcfa
SHA256

eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720
SHA512

fc6719b30802640c5b6ad0cae85bcc3ba0df74bbc36441b69c5440e82432236c557692ace7d1e94aaf0919feb5923369cf934f2ca7ada5d5b8195860644d8043
SSDEEP

3072:NEboFVlGAvwsgbpvYfMTc72L10fPsout:SBzsgbpvnTcyOPsoS

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 41 IoCs

resource	yara_rule
behavioral1/memory/2088-11-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-9-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-7-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-5-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-3-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-2-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-33-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-32-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-31-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-29-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-27-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-25-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-23-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-21-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-19-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-15-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2088-13-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2464-70-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2088-17-0x0000000000430000-0x0000000000485000-memory.dmp	UPX
behavioral1/memory/2464-73-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2464-75-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2464-90-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-100-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/files/0x0007000000015ceb-121.dat	UPX
behavioral1/memory/2464-96-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-92-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-88-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-84-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-83-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-81-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-99-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/files/0x0009000000015cba-129.dat	UPX
behavioral1/memory/2464-94-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-86-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-78-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/memory/2464-77-0x0000000000170000-0x00000000001C5000-memory.dmp	UPX
behavioral1/files/0x0009000000015cba-173.dat	UPX
behavioral1/files/0x0009000000015cba-207.dat	UPX
behavioral1/files/0x0009000000015cba-250.dat	UPX
behavioral1/files/0x0009000000015cba-293.dat	UPX
behavioral1/files/0x0009000000015cba-336.dat	UPX

Deletes itself 1 IoCs

pid	Process
2464	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2984	KVEIF.jpg
1584	KVEIF.jpg
2916	KVEIF.jpg
272	KVEIF.jpg
2144	KVEIF.jpg
2640	KVEIF.jpg

Loads dropped DLL 9 IoCs

pid	Process
2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2464	svchost.exe
2984	KVEIF.jpg
1584	KVEIF.jpg
2916	KVEIF.jpg
272	KVEIF.jpg
2144	KVEIF.jpg
2640	KVEIF.jpg
2120	dllhost.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-11-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-9-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-7-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-5-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-3-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-2-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-33-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-32-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-31-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-29-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-27-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-25-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-23-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-21-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-19-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-15-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-13-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2088-17-0x0000000000430000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2464-90-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-100-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-96-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-92-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-88-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-84-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-83-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-81-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-99-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-94-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-86-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-78-0x0000000000170000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2464-77-0x0000000000170000-0x00000000001C5000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2640 set thread context of 2120	2640	KVEIF.jpg	43

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\$$.tmp	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	dllhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	dllhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	dllhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	dllhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

pid	Process
2984	KVEIF.jpg
1584	KVEIF.jpg
2916	KVEIF.jpg
272	KVEIF.jpg
2144	KVEIF.jpg
2640	KVEIF.jpg

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2984	KVEIF.jpg
2984	KVEIF.jpg
2984	KVEIF.jpg
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
1584	KVEIF.jpg
1584	KVEIF.jpg
1584	KVEIF.jpg
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2916	KVEIF.jpg
2916	KVEIF.jpg
2916	KVEIF.jpg
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2464	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2984	KVEIF.jpg
Token: SeDebugPrivilege	2984	KVEIF.jpg
Token: SeDebugPrivilege	2984	KVEIF.jpg
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	1584	KVEIF.jpg
Token: SeDebugPrivilege	1584	KVEIF.jpg
Token: SeDebugPrivilege	1584	KVEIF.jpg
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2916	KVEIF.jpg
Token: SeDebugPrivilege	2916	KVEIF.jpg
Token: SeDebugPrivilege	2916	KVEIF.jpg
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	272	KVEIF.jpg
Token: SeDebugPrivilege	272	KVEIF.jpg
Token: SeDebugPrivilege	272	KVEIF.jpg
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2144	KVEIF.jpg
Token: SeDebugPrivilege	2144	KVEIF.jpg
Token: SeDebugPrivilege	2144	KVEIF.jpg
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2640	KVEIF.jpg
Token: SeDebugPrivilege	2640	KVEIF.jpg
Token: SeDebugPrivilege	2640	KVEIF.jpg
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2120	dllhost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2120	dllhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2088 wrote to memory of 2464	2088	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	28
PID 2660 wrote to memory of 2984	2660	cmd.exe	30
PID 2660 wrote to memory of 2984	2660	cmd.exe	30
PID 2660 wrote to memory of 2984	2660	cmd.exe	30
PID 2660 wrote to memory of 2984	2660	cmd.exe	30
PID 1516 wrote to memory of 1584	1516	cmd.exe	32
PID 1516 wrote to memory of 1584	1516	cmd.exe	32
PID 1516 wrote to memory of 1584	1516	cmd.exe	32
PID 1516 wrote to memory of 1584	1516	cmd.exe	32
PID 2904 wrote to memory of 2916	2904	cmd.exe	34
PID 2904 wrote to memory of 2916	2904	cmd.exe	34
PID 2904 wrote to memory of 2916	2904	cmd.exe	34
PID 2904 wrote to memory of 2916	2904	cmd.exe	34
PID 1244 wrote to memory of 272	1244	cmd.exe	37
PID 1244 wrote to memory of 272	1244	cmd.exe	37
PID 1244 wrote to memory of 272	1244	cmd.exe	37
PID 1244 wrote to memory of 272	1244	cmd.exe	37
PID 2940 wrote to memory of 2144	2940	cmd.exe	40
PID 2940 wrote to memory of 2144	2940	cmd.exe	40
PID 2940 wrote to memory of 2144	2940	cmd.exe	40
PID 2940 wrote to memory of 2144	2940	cmd.exe	40
PID 2736 wrote to memory of 2640	2736	cmd.exe	42
PID 2736 wrote to memory of 2640	2736	cmd.exe	42
PID 2736 wrote to memory of 2640	2736	cmd.exe	42
PID 2736 wrote to memory of 2640	2736	cmd.exe	42
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43
PID 2640 wrote to memory of 2120	2640	KVEIF.jpg	43

C:\Users\Admin\AppData\Local\Temp\eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
"C:\Users\Admin\AppData\Local\Temp\eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:272

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\System32\dllhost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\$$.tmp

Filesize
126KB

MD5
86eb385ce8370c43b0930e1c16a300c7

SHA1
3ff14d6cf0ab1f86a88c6344b75b1c9e5d7030f2

SHA256
b63700ff46bfb911e649f7c8c2331119009a2826127f4ca42118ef5cb41b6468

SHA512
77b83d2de7e19a18edcc4b471b02dc4b122ec5cc7e6d40496701133a7c80c2a96ee451dab0dbf0adb4e0db7668d511e235833f1023cd0970a79f4aae029de7e3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
d8e05ed66da19715ad51dedd5cadefd7

SHA1
a788fc377ec8a9103039eb31192b5f23c4e71fdd

SHA256
45ff74dfbf67a99f97ddd6491e670b1a1cfb495e8d7a27cad051d78813c23707

SHA512
986aed8d96d427c511e30914db706cf929c5e4dfbe18188157ff5c1b0b262bae342b289695a2d7ba90f14424c8369b3c97fe4e9c17809039a90aa6ff24725ea4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini

Filesize
711B

MD5
5b85700764c7f8ed2db3d99aba090ff3

SHA1
89521db8d1abb29e082628efdd23c547fa54ef44

SHA256
ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24

SHA512
00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini

Filesize
22B

MD5
453d2fc74da6d001a4fdd6734163c7c7

SHA1
ee0df26826350e252bfc43d21041053df079ca10

SHA256
f04003dc50539b7d9bbf491ecdab32b96b997377d8928bf4273a584e38eac98c

SHA512
6449257622d018a5c964ce4c1a1ead4f03db5bca23d0263aee775f096ef3063bbb61d0b1223c1f956a4de3468d3c55dae781d5851ccebc7c62dfd6e9e3d5a434

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt

Filesize
104B

MD5
3454bd8b8b88ae2caf3ec20309d75e5d

SHA1
0d8355e199b9955d04d2be4be49854653ffa214b

SHA256
cfc48f814a68fb2f9bf88256888f87d0f7bbd6d8faff796b21a409bc756a6107

SHA512
5a4bf91a8cb42549bbe6a172ef536329dd6929abe6e5fc81209af5a66f93bbf437ea1b51e567ef5d9c320cafdcb88f27b95615ec887387241a1b031facdd18e5

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
f523746c6b06b4fe09aa222667f84a70

SHA1
a367a39727ea2b0f5af80ddc813b4d39962c79f4

SHA256
cbc42d62a9fa5a68f72bdf0e056b836292ab7664a2581b58d1b392a7c5545669

SHA512
12f966a894cabbcd1b6f0739f4878959d861b43f8b323932154720e12a54ac2bd263a27c183e085a981d62c83b9d5af5ff493d84326bdcf26376644cff872991

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
5a46ea9479d8c2f78dac7da510c9b741

SHA1
f097a42c780f67d3d92d7b1b7dc41b2ed6d1ef7f

SHA256
2c29c055a25d86e67889cca906e1b2763a8fdb43da2725a96f3881beb2fda2f0

SHA512
b1b237db16dcf57d2319b67e758a4d26509e36c8c795f09ebb1243d0796f0987d3f0f1c6c8777f783d5236561093d31f1d319bb763182fed2a79dba14e03b6f9

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
3235ee3c665a74ceb36d073a91643154

SHA1
e7a62cb67d91aceafcb42718dfba91f594f038c9

SHA256
128169706a4a6be2a18b5fbfd493527d731c04ac457252f4396ba577013bf7d0

SHA512
f8a73051c7434ee9bc4c3abecb0cfb674742a20768fefa6b3823eccbf51d131c5b75e6f64ed7d9100fe6fbfef3ad2b4f4843d1bce56d342336b66c224e3d33b9

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
8b1cca07246a0876fa7fc8777b782463

SHA1
083a4853b8c1584fa9e885c87c302b12c7e6564b

SHA256
f3d18d6fff3f241aadff4a4690a6e2dd994ef4c4d447b703f23c931b80637087

SHA512
6a23b080529d2df903300afd88d455bc872703df8fed57ed53e10e2e479103107a152104e954759c2ed10ef67b4821fe4854441e98b45cc7afea9df0734b72ad

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
38531b8ae02582b9ed8c9d5a298f1cff

SHA1
5cbd28e6773723b62e9e5791776f07f20e6ded69

SHA256
a7cc938f48adcebf9dcbe8f76cbe50017f0b31b261507c9556a151b1ace97284

SHA512
6840e0a5a19f2f5dafdaf9aca48082d223d85a9d2ce43e5650d684a046e1eb09f19a12d70cb3d24d2b02ca5ecd41d4832cc407df6ee120fdf2937b6e80e578cd

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
0e5663ef79ae59c24766e5401585204d

SHA1
282a367f3fd1dcddb89b99dff26b9bb4321f1970

SHA256
545e0f825dde22c2682b0b09d8c4a5bae131b10aabc2952fa3b7a112a962e6fa

SHA512
694d459638c107228db94502a132a87dd3b9e677254698bc8425181ce098caec39d8ce2468628813322d95b0b0eb030cadfda589e7a86eaf196713e0da4914f5

Download Submit
\Windows\SysWOW64\kernel64.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2088-32-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-17-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-19-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-15-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-13-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-23-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-25-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-27-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-29-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-21-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-11-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-31-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-33-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-2-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-3-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-5-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-7-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2088-9-0x0000000000430000-0x0000000000485000-memory.dmp

Filesize
340KB

Download
memory/2464-73-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-96-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-92-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-88-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-84-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-83-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-81-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-99-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-100-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-94-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-86-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-78-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-77-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-90-0x0000000000170000-0x00000000001C5000-memory.dmp

Filesize
340KB

Download
memory/2464-74-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2464-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download