fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Size

126KB
MD5

23e1e2c4c41b247c150a3fbc7a131c60
SHA1

c888293ab19b27e3a56cea2bd2265ce8356e9649
SHA256

fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63
SHA512

14f19e6fcad04cd285ca21d2bed5fdca907a3bbb1164cf27c204c16d515a1261648f23d5dabd14756a73039bee84581054946dbb954a497a74b4325402630ba6
SSDEEP

3072:WEboFVlGAvwsgbpvYfMTc72L10fPsout6S:lBzsgbpvnTcyOPsoS6S

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/2968-13-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-31-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-27-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-33-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-32-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-23-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-19-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-15-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-29-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-11-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-25-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-9-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-21-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-17-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-2-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-7-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-5-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/2968-3-0x0000000000580000-0x00000000005D5000-memory.dmp	UPX
behavioral2/memory/4948-97-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4948-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4948-102-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4948-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4948-115-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-131-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-129-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-127-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-125-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-123-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-121-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-119-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-117-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-113-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-111-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-109-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-107-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-105-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/memory/4948-104-0x00000000031A0000-0x00000000031F5000-memory.dmp	UPX
behavioral2/files/0x0003000000022982-149.dat	UPX
behavioral2/files/0x0004000000022982-157.dat	UPX
behavioral2/memory/3124-196-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4948-245-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3124-246-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
4948	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
8	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
4948	svchost.exe
8	KVEIF.jpg
3124	svchost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2968-13-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-31-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-27-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-33-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-32-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-23-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-19-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-15-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-29-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-11-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-25-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-9-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-21-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-17-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-2-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-7-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-5-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2968-3-0x0000000000580000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4948-115-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-131-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-129-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-127-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-125-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-123-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-121-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-119-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-117-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-113-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-111-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-109-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-107-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-105-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx
behavioral2/memory/4948-104-0x00000000031A0000-0x00000000031F5000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 8 set thread context of 3124	8	KVEIF.jpg	90

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs1.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
4948	svchost.exe
8	KVEIF.jpg
8	KVEIF.jpg
8	KVEIF.jpg
8	KVEIF.jpg
8	KVEIF.jpg
8	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4948	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Token: SeDebugPrivilege	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Token: SeDebugPrivilege	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Token: SeDebugPrivilege	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Token: SeDebugPrivilege	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	8	KVEIF.jpg
Token: SeDebugPrivilege	8	KVEIF.jpg
Token: SeDebugPrivilege	8	KVEIF.jpg
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	4948	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: SeDebugPrivilege	3124	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 2968 wrote to memory of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 2968 wrote to memory of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 2968 wrote to memory of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 2968 wrote to memory of 4948	2968	fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe	87
PID 1508 wrote to memory of 8	1508	cmd.exe	89
PID 1508 wrote to memory of 8	1508	cmd.exe	89
PID 1508 wrote to memory of 8	1508	cmd.exe	89
PID 8 wrote to memory of 3124	8	KVEIF.jpg	90
PID 8 wrote to memory of 3124	8	KVEIF.jpg	90
PID 8 wrote to memory of 3124	8	KVEIF.jpg	90
PID 8 wrote to memory of 3124	8	KVEIF.jpg	90
PID 8 wrote to memory of 3124	8	KVEIF.jpg	90

C:\Users\Admin\AppData\Local\Temp\fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe
"C:\Users\Admin\AppData\Local\Temp\fbdce45f0b7cb4eb8a32e94c24edf601b24eb918d121dc71cb79f7723d884a63.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4948

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
127KB

MD5
d6f7177311aa1fa19c886c420f075a39

SHA1
b8a035793ce0a742ad22a78cbd0ad8b5d6f14cf1

SHA256
25253ea0d1f265bef8bc68f98ad859fe79b1606f36d63bb7bb77b483abd20f9e

SHA512
8876ae9b863d5d48d8b8cce37ef63d450cf5738c4998621f962e85f65709262f8059ec4ef12d39c22390d88a35741d55599766e1f001ba8b01d0aa3afb6973d3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini

Filesize
22B

MD5
2056c975629bc764596c2ba68ab3c6da

SHA1
35e3da93ce68d24c687e8c972f8fa2b903be75b8

SHA256
8485a6ec9ad79a1ed2331a428944711c4064f0c607017dae51c7e7f65fe70ff7

SHA512
c4d4932e81956578e505ac454d964ccd1d7d123e8393d532db15ba42e456ceff8394baba021e8ae7ae2f9aef0e51840aecef12252cf9c6766e8b247eb08e86ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt

Filesize
104B

MD5
3071c3233e41b5d0563d8cf18ddf7258

SHA1
9252331f19c64fecdeeccc1955ecdbdd711891c5

SHA256
68417fc3a54e285447a44b8b85d5c4914a29f2b841108277b117c6857c9b0eec

SHA512
f0c2c937c036be7826596c0e0ae5f5907984dce251320507250a1fcf7ce4ae248cfacf0256e81ba3e59a5c9e6e4c46489d53e7ab64c8ac2efc2251c3c83c1913

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg

Filesize
126KB

MD5
254b1f7767db964b9929fe47b976f74b

SHA1
c7ecda5046083f63001899df2e278f3bfc1e486e

SHA256
2ca563ab24dd2b2200c1f61bfc3a0889c90f0da267eb32a3d6a58433d8cd5c44

SHA512
6ebb2370755d2a26b9b85e1302cda75699bb2fc903f09ade6054c01b7d866188b94aa717335299937bdc0cf8ee930e80a6f4a6fe1b2ee5973712f4101921b43d

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
126KB

MD5
7c6d45545b51ebb9156840aef0be74e4

SHA1
eb09feac904cb940a73f28e4d523adf78764ed71

SHA256
7cb01050c79205c0d30274ea438f60242d1416401c4c6efacf6548094c00646c

SHA512
48bb6737edc5ffb396676d2249fe969dc9259c90d635247b8a4593039b02dfe64f5ab757b516355cb30ce5c2daf8e2799036835f8d004658846210b92fde63fb

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\KVEIFmain.ini

Filesize
1KB

MD5
de5e42d8779e73d0e9ad0e26baf98044

SHA1
0c6346fc1f5b1158cad3606759c4c08fa0c90262

SHA256
75865a57ae5285034d324963b62b1028e260fc8a7cb8b5af70ff553ed8967644

SHA512
045547935db37cad73297abcba843839253d2f5965f12880d72ada98e646e7d2b90c696b02d2099804b2dd36afcc57b497ad7c20e713d0e61a1766791f911052

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\KVEIFmain.ini

Filesize
1KB

MD5
a4bef1701913e10b9502b7a1269740e6

SHA1
760835e3423b96ed239741041e624e9f953f8e12

SHA256
46c32edf7f20501db5ebd5e1088982263b5da69f74e1804a3a67ff2940d42882

SHA512
4feb4b4a9fbacba71059f5bc8343d158761cad043b7dddbb4564868e8b9f409b8a0261efbfd832cdeb66fd91d58e00558afbbc32dd0c77e7962c972896412810

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/2968-19-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-3-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-25-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-9-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-21-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-17-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-2-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-7-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-5-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-11-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-29-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-15-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-23-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-31-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-27-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-13-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-32-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/2968-33-0x0000000000580000-0x00000000005D5000-memory.dmp

Filesize
340KB

Download
memory/3124-196-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3124-246-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4948-102-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4948-129-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-127-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-125-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-123-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-121-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-119-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-117-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-113-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-111-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-109-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-107-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-105-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-104-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-131-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-115-0x00000000031A0000-0x00000000031F5000-memory.dmp

Filesize
340KB

Download
memory/4948-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4948-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4948-245-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4948-97-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download