eb78bb21aebc3bbea96e589c71c198bc3b4c625009e7ea064266c9dd0713669c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
Size

133KB
MD5

5079312b00cdb29097b2e9f54ee44d90
SHA1

ee5c5830b06cf7e1890960b44ee0b83566e801b1
SHA256

eb78bb21aebc3bbea96e589c71c198bc3b4c625009e7ea064266c9dd0713669c
SHA512

7054d49152d45bfa24e69d442a0f0d0334878e3484b405ca67e37c715cda6d2545990698be6d7d47944c5809112a68ac64af9f3252a3b73b95d24ef33b8ef74c
SSDEEP

3072:VEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:KBzsgbpvnTcyOPsoS6nnn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1860	KVEIF.jpg
1500	KVEIF.jpg
2928	KVEIF.jpg
1620	KVEIF.jpg

Loads dropped DLL 7 IoCs

pid	Process
2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
2848	svchost.exe
1860	KVEIF.jpg
1500	KVEIF.jpg
2928	KVEIF.jpg
1620	KVEIF.jpg
1704	dllhost.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-13-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-11-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-9-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-7-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-5-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-3-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-2-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-25-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-29-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-23-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-22-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-19-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-18-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-31-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-33-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-32-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-15-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2380-27-0x00000000002E0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2848-77-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-79-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-94-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-100-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-98-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-96-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-92-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-88-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-90-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-86-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-84-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-82-0x00000000000F0000-0x0000000000145000-memory.dmp	upx
behavioral1/memory/2848-80-0x00000000000F0000-0x0000000000145000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 1620 set thread context of 1704	1620	KVEIF.jpg	38

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	dllhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	dllhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	dllhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	dllhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

pid	Process
1860	KVEIF.jpg
1500	KVEIF.jpg
2928	KVEIF.jpg
1620	KVEIF.jpg

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
1860	KVEIF.jpg
1860	KVEIF.jpg
1860	KVEIF.jpg
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
1500	KVEIF.jpg
1500	KVEIF.jpg
1500	KVEIF.jpg
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2928	KVEIF.jpg
2928	KVEIF.jpg
2928	KVEIF.jpg
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe
2848	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
Token: SeDebugPrivilege	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
Token: SeDebugPrivilege	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
Token: SeDebugPrivilege	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1860	KVEIF.jpg
Token: SeDebugPrivilege	1860	KVEIF.jpg
Token: SeDebugPrivilege	1860	KVEIF.jpg
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1500	KVEIF.jpg
Token: SeDebugPrivilege	1500	KVEIF.jpg
Token: SeDebugPrivilege	1500	KVEIF.jpg
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2928	KVEIF.jpg
Token: SeDebugPrivilege	2928	KVEIF.jpg
Token: SeDebugPrivilege	2928	KVEIF.jpg
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1620	KVEIF.jpg
Token: SeDebugPrivilege	1620	KVEIF.jpg
Token: SeDebugPrivilege	1620	KVEIF.jpg
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	1704	dllhost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	1704	dllhost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2848	2380	5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1860	2320	cmd.exe	30
PID 2320 wrote to memory of 1860	2320	cmd.exe	30
PID 2320 wrote to memory of 1860	2320	cmd.exe	30
PID 2320 wrote to memory of 1860	2320	cmd.exe	30
PID 2216 wrote to memory of 1500	2216	cmd.exe	32
PID 2216 wrote to memory of 1500	2216	cmd.exe	32
PID 2216 wrote to memory of 1500	2216	cmd.exe	32
PID 2216 wrote to memory of 1500	2216	cmd.exe	32
PID 3032 wrote to memory of 2928	3032	cmd.exe	34
PID 3032 wrote to memory of 2928	3032	cmd.exe	34
PID 3032 wrote to memory of 2928	3032	cmd.exe	34
PID 3032 wrote to memory of 2928	3032	cmd.exe	34
PID 1748 wrote to memory of 1620	1748	cmd.exe	37
PID 1748 wrote to memory of 1620	1748	cmd.exe	37
PID 1748 wrote to memory of 1620	1748	cmd.exe	37
PID 1748 wrote to memory of 1620	1748	cmd.exe	37
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38
PID 1620 wrote to memory of 1704	1620	KVEIF.jpg	38

C:\Users\Admin\AppData\Local\Temp\5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5079312b00cdb29097b2e9f54ee44d90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\System32\dllhost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp

Filesize
134KB

MD5
e40ecdd901ad7bcf2c8bb9e9687eff5e

SHA1
d5253c5c28a2f5771e93c77e4e758ee00bae157b

SHA256
b7e15f9114c0a10f50bf1daf06957e35e900fd9ce017d2475daaef5e2921ccd8

SHA512
a5f197021e5877ff451b30311ceb550117d15ac70a0cceb039d2f66354e9642af6a76a9c52a42d98d9c79d897d64e6cda5d5a27440cff40f9e927bcf65dc064c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
116a612c5b36abd279f45e9355de01f8

SHA1
ca63b16c21538788445556806d23e19c18133fdc

SHA256
36caab5d21712823d1b4aea5010ccf7d4671b5de7bb28762c9f318a644146494

SHA512
791fad332b05fd0ace37e132a53a3be216dcbf658bd25ec05e671a768d6bdb53a9be8d9e316c04a0841480dfecfcc77a1544b146f981a8383a3e9598d223c41b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini

Filesize
711B

MD5
5b85700764c7f8ed2db3d99aba090ff3

SHA1
89521db8d1abb29e082628efdd23c547fa54ef44

SHA256
ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24

SHA512
00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini

Filesize
22B

MD5
930acf89790980bda3854f8bd8dc44d6

SHA1
4033478772bd5b31cdbf85187ad30eb03a560f33

SHA256
34158e7ba9674f6eb03866767791fb29663241342a304cbc1286bdaf049269a6

SHA512
87752859deee77287cf49d0f54f92dee94f49b2ef3c4fd76ee0b573f1cd73b3b9b472ce4f83e8ae11a8b71aa1c0a802c72b87f7fd940a6b3ddce4d85ab68b7b8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt

Filesize
87B

MD5
046a70db3a724fe8817d08378c9eab52

SHA1
af83311519d0731ca12b184e40b20061668e007f

SHA256
7ddc9e48ffba377caff7161be91d0c50ab91264a5e4fc980300bcf5e673a1ebf

SHA512
1aca2a1c0f3e6023a83da6dbc0a3917a7399b0430a32630f776fbadced82e35ab010796a30b4b881aa02ee5329f38f87b24cea69b7ce303b3814ec0ae9a9f2e8

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
666a46f42be1b2d9067bb9bd9a1b86aa

SHA1
0c4d598dbc525c2f8a06bb52fdbe08f99438c6fc

SHA256
ca5c7c6cd248ff6a20eff50b387af7fa508db51e11ed64b344262dd3c08301ca

SHA512
c522edbae6065a4d5061bc8765765d9ec99c0bdcacb1e08638593c23093263deb2239ba031b7aded0a6d11b5e81ac637901b0e631599b91479678630b0a1eb00

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
8f9028cfafb340d0b2b2bef1e1732d23

SHA1
aa23d445b460e6a98cc91b56889d62054d67c3cf

SHA256
4d2d6b1979b2d4ba3e0f907b624540a89f14457fecaca7f93a3704d03d8e958f

SHA512
428c7404d9440d29db623191ac00af7286aaaec1809d5930a4cceb8f33a4452cc0f9eb7fd7bb2a3f45e8f7e92180502e795a80740b799c67b7c0d58e97110a9b

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
f2b436e6641bf850ed0b431a68e56062

SHA1
818eb0d81574717e22e21c6e52a2f6ff52311bec

SHA256
0ab130d177283be048c3515d7c41f8bca307eae1d8266a0eac167b7f763e2693

SHA512
81f9d4e97dba67697e21a0e70d06890e4c7392af929f532cbfee749c77bd43e4262129e70396b87bf6c0fd705ccbeb59e71eeb51ed0e6aca49fa891e5bf36ac3

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
04be076ab4118c2c69d7a9c5568ad970

SHA1
e4a8a4506bd10ce97697a2a6baa7d89bcf6b8179

SHA256
44d5355ebc199533cbfe0bed98690f554514cf561b195f862d166bbc26a69ebb

SHA512
14e7003bb45d800ab32bafd8a9c51e1d6defaf0cf3e1c2697afad0e25a92c8b8e5da11edac2a99a95ba87ade5cdbe552aeea0b434877049e55e01b188596d8b3

Download Submit
\Windows\SysWOW64\kernel64.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2380-23-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-32-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-29-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-2-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-22-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-19-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-18-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-31-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-33-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-25-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-15-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-27-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-3-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-5-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-7-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-9-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-11-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2380-13-0x00000000002E0000-0x0000000000335000-memory.dmp

Filesize
340KB

Download
memory/2848-74-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-79-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-94-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-100-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-98-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-96-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-92-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-88-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-90-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-86-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-84-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-77-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-82-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-80-0x00000000000F0000-0x0000000000145000-memory.dmp

Filesize
340KB

Download
memory/2848-166-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2848-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-73-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-335-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download