eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Size

125KB
MD5

1b4de1d81a4129e32c06be9d9dc6fbb6
SHA1

bc25b3ac5736276336e2ddc110a1ff63816fbcfa
SHA256

eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720
SHA512

fc6719b30802640c5b6ad0cae85bcc3ba0df74bbc36441b69c5440e82432236c557692ace7d1e94aaf0919feb5923369cf934f2ca7ada5d5b8195860644d8043
SSDEEP

3072:NEboFVlGAvwsgbpvYfMTc72L10fPsout:SBzsgbpvnTcyOPsoS

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/3532-5-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-3-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-13-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-33-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-32-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-31-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-29-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-27-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-25-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-23-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-19-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-15-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-21-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-17-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-9-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-2-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-11-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/3532-7-0x00000000005A0000-0x00000000005F5000-memory.dmp	UPX
behavioral2/memory/2224-96-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2224-99-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2224-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2224-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2224-108-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-106-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-114-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-112-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-110-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-104-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-103-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-116-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-122-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-128-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-126-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-124-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-120-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-118-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/memory/2224-130-0x00000000024A0000-0x00000000024F5000-memory.dmp	UPX
behavioral2/files/0x0007000000023447-147.dat	UPX
behavioral2/files/0x0008000000023441-156.dat	UPX
behavioral2/memory/3760-198-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2224-242-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3760-246-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2224	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4688	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2224	svchost.exe
4688	KVEIF.jpg
3760	svchost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-5-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-3-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-13-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-33-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-32-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-31-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-29-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-27-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-25-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-23-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-19-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-15-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-21-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-17-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-9-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-2-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-11-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/3532-7-0x00000000005A0000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/2224-108-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-106-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-114-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-112-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-110-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-104-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-103-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-116-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-122-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-128-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-126-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-124-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-120-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-118-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx
behavioral2/memory/2224-130-0x00000000024A0000-0x00000000024F5000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 4688 set thread context of 3760	4688	KVEIF.jpg	95

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFmain.ini	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs1.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\FKC.WYA	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\$$.tmp	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFs5.ini	KVEIF.jpg

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
4688	KVEIF.jpg
4688	KVEIF.jpg
4688	KVEIF.jpg
4688	KVEIF.jpg
4688	KVEIF.jpg
4688	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	4688	KVEIF.jpg
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	3760	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 3532 wrote to memory of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 3532 wrote to memory of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 3532 wrote to memory of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 3532 wrote to memory of 2224	3532	eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe	86
PID 588 wrote to memory of 4688	588	cmd.exe	88
PID 588 wrote to memory of 4688	588	cmd.exe	88
PID 588 wrote to memory of 4688	588	cmd.exe	88
PID 4688 wrote to memory of 544	4688	KVEIF.jpg	89
PID 4688 wrote to memory of 544	4688	KVEIF.jpg	89
PID 4688 wrote to memory of 544	4688	KVEIF.jpg	89
PID 4688 wrote to memory of 4528	4688	KVEIF.jpg	91
PID 4688 wrote to memory of 4528	4688	KVEIF.jpg	91
PID 4688 wrote to memory of 4528	4688	KVEIF.jpg	91
PID 4688 wrote to memory of 3704	4688	KVEIF.jpg	94
PID 4688 wrote to memory of 3704	4688	KVEIF.jpg	94
PID 4688 wrote to memory of 3704	4688	KVEIF.jpg	94
PID 4688 wrote to memory of 3760	4688	KVEIF.jpg	95
PID 4688 wrote to memory of 3760	4688	KVEIF.jpg	95
PID 4688 wrote to memory of 3760	4688	KVEIF.jpg	95
PID 4688 wrote to memory of 3760	4688	KVEIF.jpg	95
PID 4688 wrote to memory of 3760	4688	KVEIF.jpg	95

C:\Users\Admin\AppData\Local\Temp\eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe
"C:\Users\Admin\AppData\Local\Temp\eae1a415f673a4cb6d475e72af92125ef39f3c7542e7e64acb6a8107a1287720.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    PID:544
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304430365D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\1D11E17123.IMD

Filesize
126KB

MD5
e0062a9ae9671c2cdf04b803c52fdfdc

SHA1
fb0b630cc3eda86de189d6368635944fc71744d8

SHA256
537158fbbbd5bfa7d74d428ef87b87f6c836f2693498303b4b0f15ac54ee967a

SHA512
401c6eb325d5743217e2774f353bfff5b096242e39269516599e42ee918db98d42bd9f75debb3690b484d088839c60c6b9d67f0ffb5bcfc0397508ffc3e0c512

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
4eaf09e0f857de619e9662361d4ca5f6

SHA1
363f46e3071c0bb8491c74dabadc21bc2b0b51fd

SHA256
3f5f5b9adb7de33cfb7a40ee5137e2a2cb6d1876ffb92f1d99d4f04ac5eaa17a

SHA512
6e705404495abb5edcfe3d04605d2af2bdca95ffedf67d0ac7f253c633881b15913409813d09f9adaf1b7115ab1513339113f9bf3ea2794cf0bdc1ee922beb85

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\KVEIFss1.ini

Filesize
22B

MD5
453d2fc74da6d001a4fdd6734163c7c7

SHA1
ee0df26826350e252bfc43d21041053df079ca10

SHA256
f04003dc50539b7d9bbf491ecdab32b96b997377d8928bf4273a584e38eac98c

SHA512
6449257622d018a5c964ce4c1a1ead4f03db5bca23d0263aee775f096ef3063bbb61d0b1223c1f956a4de3468d3c55dae781d5851ccebc7c62dfd6e9e3d5a434

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11E17\ok.txt

Filesize
104B

MD5
3454bd8b8b88ae2caf3ec20309d75e5d

SHA1
0d8355e199b9955d04d2be4be49854653ffa214b

SHA256
cfc48f814a68fb2f9bf88256888f87d0f7bbd6d8faff796b21a409bc756a6107

SHA512
5a4bf91a8cb42549bbe6a172ef536329dd6929abe6e5fc81209af5a66f93bbf437ea1b51e567ef5d9c320cafdcb88f27b95615ec887387241a1b031facdd18e5

Download Submit
C:\Program Files\Common Files\Microsoft\1D11E17\KVEIF.jpg

Filesize
125KB

MD5
896d378d3f27be3e3a5a02761d857e9b

SHA1
dff06c0f188dd905cd85c50f13bd25c901616a10

SHA256
35fe25341066bd12b4be428d2f0dfee96c4063ad690613c4778f80e0a23d0e04

SHA512
7cd5d11b8b34044e601ae6e9d7f5a509497d32035f12251067842e0b3bf86734ccb28d48e014aa3fda431da271711b7dc5e0ea46d2ca1ab70db2933734f2ec44

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11E17\KVEIFmain.ini

Filesize
1KB

MD5
58faca082b427b880821f066fa2da81a

SHA1
e4066d8fec54b32667a9e7dc5759cc0a55afb3a4

SHA256
dcb15ed6f0905a6b25381ec0b014b763358dcd508cc43235d0664a639e8493e9

SHA512
a96fd07ea3ab7980a89f869076e8d86407d79d4178cfc1a8a33416f537ea186a705a6aaa879606e27a7e01994373ac6b83af691a1acb66ba5c90388ef7927078

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/2224-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-120-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-242-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-193-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2224-130-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-118-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-124-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-126-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-128-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-122-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-116-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-103-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-104-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-110-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-108-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-106-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-114-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/2224-112-0x00000000024A0000-0x00000000024F5000-memory.dmp

Filesize
340KB

Download
memory/3532-25-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-29-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-27-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-7-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-11-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-2-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-31-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-32-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-17-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-9-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-15-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-21-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-5-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-33-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-13-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-3-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-19-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3532-23-0x00000000005A0000-0x00000000005F5000-memory.dmp

Filesize
340KB

Download
memory/3760-198-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3760-246-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download