dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 08:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
Size

131KB
MD5

6ba738954d5108827fd392dadc007bd2
SHA1

e020de2f9100ec847eff4cfe54c97fdd6953e597
SHA256

dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21
SHA512

d7f9a96c301f600130317aba372b2773e61ae02df3f40c9125a8bac7052069a85db5c3506f6cf186e0d5090fc9cf4e9863d0ee556e9283ded7cfaa19d1820d63
SSDEEP

3072:rEboFVlGAvwsgbpvYfMTc72L10fPsout6nn:4BzsgbpvnTcyOPsoS6nn

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/4840-9-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-7-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-12-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-33-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-29-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-27-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-23-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-21-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-19-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-18-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-15-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-13-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-32-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-31-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-25-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-5-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-2-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/4840-3-0x0000000002160000-0x00000000021B5000-memory.dmp	UPX
behavioral2/memory/2444-96-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2444-99-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2444-102-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2444-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2444-103-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-108-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-114-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-130-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-128-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-126-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-124-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-122-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-120-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-118-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-116-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-112-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-110-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-106-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/memory/2444-104-0x0000000003360000-0x00000000033B5000-memory.dmp	UPX
behavioral2/files/0x000700000002342e-147.dat	UPX
behavioral2/files/0x0009000000023428-156.dat	UPX
behavioral2/memory/4864-196-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2444-244-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4864-245-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2444	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4184	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
2444	svchost.exe
4184	KVEIF.jpg
4864	svchost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4840-9-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-7-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-12-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-33-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-29-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-27-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-23-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-21-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-19-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-18-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-15-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-13-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-32-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-31-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-25-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-5-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-2-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/4840-3-0x0000000002160000-0x00000000021B5000-memory.dmp	upx
behavioral2/memory/2444-103-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-108-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-114-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-130-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-128-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-126-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-124-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-122-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-120-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-118-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-116-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-112-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-110-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-106-0x0000000003360000-0x00000000033B5000-memory.dmp	upx
behavioral2/memory/2444-104-0x0000000003360000-0x00000000033B5000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 4184 set thread context of 4864	4184	KVEIF.jpg	92

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\web\606C646364636479.tmp	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
File created	C:\Windows\web\606C646364636479.tmp	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
4184	KVEIF.jpg
4184	KVEIF.jpg
4184	KVEIF.jpg
4184	KVEIF.jpg
4184	KVEIF.jpg
4184	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
Token: SeDebugPrivilege	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
Token: SeDebugPrivilege	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
Token: SeDebugPrivilege	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4184	KVEIF.jpg
Token: SeDebugPrivilege	4184	KVEIF.jpg
Token: SeDebugPrivilege	4184	KVEIF.jpg
Token: SeDebugPrivilege	4184	KVEIF.jpg
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4864	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 4840 wrote to memory of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 4840 wrote to memory of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 4840 wrote to memory of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 4840 wrote to memory of 2444	4840	dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe	83
PID 1068 wrote to memory of 4184	1068	cmd.exe	88
PID 1068 wrote to memory of 4184	1068	cmd.exe	88
PID 1068 wrote to memory of 4184	1068	cmd.exe	88
PID 4184 wrote to memory of 4432	4184	KVEIF.jpg	89
PID 4184 wrote to memory of 4432	4184	KVEIF.jpg	89
PID 4184 wrote to memory of 4432	4184	KVEIF.jpg	89
PID 4184 wrote to memory of 4864	4184	KVEIF.jpg	92
PID 4184 wrote to memory of 4864	4184	KVEIF.jpg	92
PID 4184 wrote to memory of 4864	4184	KVEIF.jpg	92
PID 4184 wrote to memory of 4864	4184	KVEIF.jpg	92
PID 4184 wrote to memory of 4864	4184	KVEIF.jpg	92

C:\Users\Admin\AppData\Local\Temp\dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe
"C:\Users\Admin\AppData\Local\Temp\dc65671fbbea6f56e63ec4fe8c0f6282daa9509e684dc122a0227f8332457e21.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2444

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD

Filesize
132KB

MD5
ad7de622c5acaf13b5797e9f0d394fbd

SHA1
86650d237cd21f368d933f434549649fc6056f91

SHA256
cecf6dd02adcee497e426c430df301c1cc83bc0c7e352d839e5762f4b06b2924

SHA512
846efa153d9129177e21ce6d7be44e87af1e4f8f9647e847f78dd3fa20d87ab5ab452cde57619eac67b3f476baae253166ef269f0c849bb9fbd96e8c1fd31ac3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg

Filesize
131KB

MD5
98d52f1fb7838a324f5e7c726d70ac02

SHA1
3157049c4d9e2fbcf8d4edc101ea8e1127fcce29

SHA256
466f1c7cea28768b14206ef0692805c9c13318b9c5f9748621d3906c9b567865

SHA512
2d67892862a35b4eff11c62fc4e965a7be81146f8a655204e843907b204e671d7293b9d99a99bfa772ca04757bbb442d1073a90dc74b7747421d75f423015f4d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini

Filesize
22B

MD5
a4ef93de80711124d4b7e080ccf42edb

SHA1
f4530f5e6d362781fa6dfa4982d25f3ad15dbf99

SHA256
9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24

SHA512
707c5a1a84a1cd490e3e0109c30b32724a69d27021653265bbd838065458e1eea20b470f145612f9ea5486711c47a59dcb515f9625829e63689a89af75901fa2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt

Filesize
104B

MD5
ddb2eb98e214ab9235f913c7353e6aa6

SHA1
ee352c5a3badbe5a7e4b1f4b90360cbd42c25ac3

SHA256
f17f7c22b9a49c31aa4f21c9449c28a4cad00f906e5522a518842c6f9d492a5f

SHA512
ffc706c0e4aa911c325d5765367c0e43466fb3ad662f76461b565ecbe1df416b3ed8054da3ca0575c97a47f5ea336b11e17bcac77a168dcd94689d5d85d5d4d0

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
131KB

MD5
64188056094393e0882ff4134b71668d

SHA1
632bc483782fa3918994288fd24847c863b8e616

SHA256
1cf5ebe0dbe106344f6ed80201a3efc244efb9f9dc88659d4b093b29f8422ee7

SHA512
c5def6992eb81c17164e099908e56d3e07e9262baaef0233cc21b947cea44f334497e98462a3b29c92aa2cc46209bd52c6b556116617226881b067aeaf3e596f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1C\KVEIFmain.ini

Filesize
1KB

MD5
af66c2f5a8af3a2150c72e4356f62ce4

SHA1
40c528c03c8b9e56447ddaef90e34a336497ce10

SHA256
86f8d15762c2847cf2dba42c80215710704ef6a42dc02030d5b719062138ece2

SHA512
0ea655bfc5e802223a8e7809b650ed54eea5073bd3b26f4a2926fa1743b5b9872ec1550a513b1e9323d76b38b8a76031709ed85ee53f47f1c653dab409dbd2bc

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/2444-118-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-130-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-244-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2444-104-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-106-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-110-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-112-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-116-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-120-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-122-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-124-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-126-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-128-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2444-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2444-102-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2444-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2444-103-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-108-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/2444-114-0x0000000003360000-0x00000000033B5000-memory.dmp

Filesize
340KB

Download
memory/4840-3-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-25-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-29-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-23-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-21-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-19-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-2-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-5-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-9-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-27-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-31-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-32-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-13-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-15-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-33-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-12-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-7-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4840-18-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/4864-196-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4864-245-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download