27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Size

133KB
MD5

af40dc9a3a1a31ae075055513699f59d
SHA1

b0908039be8570e29138042ff98382576e064b41
SHA256

27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06
SHA512

3b328fb4cc36afd819f586125bef674f9b609834508d12ebdebdd6dfec7725b8adf95cb67a267b4399e5e7cb5c168d31468983975a4f1747e680cca9a5a76518
SSDEEP

3072:pEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:eBzsgbpvnTcyOPsoS6nnn

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/428-11-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-5-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-33-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-27-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-23-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-19-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-17-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-15-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-14-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-32-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-31-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-29-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-9-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-25-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-7-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-21-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-4-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/428-2-0x0000000000590000-0x00000000005E5000-memory.dmp	UPX
behavioral2/memory/2500-97-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2500-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2500-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2500-102-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2500-113-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-115-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-129-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-131-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-127-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-125-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-123-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-121-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-119-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-117-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-111-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-109-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-105-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-107-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/memory/2500-104-0x0000000003240000-0x0000000003295000-memory.dmp	UPX
behavioral2/files/0x0002000000022a46-149.dat	UPX
behavioral2/files/0x0003000000022a46-157.dat	UPX
behavioral2/memory/5064-197-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2500-246-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5064-247-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2500	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1188	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
2500	svchost.exe
1188	KVEIF.jpg
5064	svchost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/428-11-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-5-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-33-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-27-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-23-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-19-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-17-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-15-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-14-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-32-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-31-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-29-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-9-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-25-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-7-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-21-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-4-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/428-2-0x0000000000590000-0x00000000005E5000-memory.dmp	upx
behavioral2/memory/2500-113-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-115-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-129-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-131-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-127-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-125-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-123-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-121-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-119-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-117-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-111-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-109-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-105-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-107-0x0000000003240000-0x0000000003295000-memory.dmp	upx
behavioral2/memory/2500-104-0x0000000003240000-0x0000000003295000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 1188 set thread context of 5064	1188	KVEIF.jpg	97

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
1188	KVEIF.jpg
1188	KVEIF.jpg
1188	KVEIF.jpg
1188	KVEIF.jpg
1188	KVEIF.jpg
1188	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Token: SeDebugPrivilege	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Token: SeDebugPrivilege	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Token: SeDebugPrivilege	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Token: SeDebugPrivilege	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	1188	KVEIF.jpg
Token: SeDebugPrivilege	1188	KVEIF.jpg
Token: SeDebugPrivilege	1188	KVEIF.jpg
Token: SeDebugPrivilege	1188	KVEIF.jpg
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	2500	svchost.exe
Token: SeDebugPrivilege	5064	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 428 wrote to memory of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 428 wrote to memory of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 428 wrote to memory of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 428 wrote to memory of 2500	428	27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe	93
PID 3104 wrote to memory of 1188	3104	cmd.exe	95
PID 3104 wrote to memory of 1188	3104	cmd.exe	95
PID 3104 wrote to memory of 1188	3104	cmd.exe	95
PID 1188 wrote to memory of 5064	1188	KVEIF.jpg	97
PID 1188 wrote to memory of 5064	1188	KVEIF.jpg	97
PID 1188 wrote to memory of 5064	1188	KVEIF.jpg	97
PID 1188 wrote to memory of 5064	1188	KVEIF.jpg	97
PID 1188 wrote to memory of 5064	1188	KVEIF.jpg	97

C:\Users\Admin\AppData\Local\Temp\27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe
"C:\Users\Admin\AppData\Local\Temp\27ad5312cf6162584d7945371b41f58fdf7b7f6b1e4442b3270ade1e6ea60b06.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2500

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8
1⤵
PID:2928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD

Filesize
134KB

MD5
9d8f9a800d098680f6eb2acda7997fe2

SHA1
d10a98d65663f653c34259e2ee249b61f4aeef6b

SHA256
e8bead5eba032afbf605f0b2453b79a6985f4f83c456e703accf03e0fbb8b90f

SHA512
2c45ffce83e0d51fbadb2bd8c2cc1502ca63998c8ef0c0d90150428ff887a30dcb798ce2d2d6c897b859f9c2c87656e7f12c063329bddab85940ca2aa17b2fed

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini

Filesize
22B

MD5
930acf89790980bda3854f8bd8dc44d6

SHA1
4033478772bd5b31cdbf85187ad30eb03a560f33

SHA256
34158e7ba9674f6eb03866767791fb29663241342a304cbc1286bdaf049269a6

SHA512
87752859deee77287cf49d0f54f92dee94f49b2ef3c4fd76ee0b573f1cd73b3b9b472ce4f83e8ae11a8b71aa1c0a802c72b87f7fd940a6b3ddce4d85ab68b7b8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt

Filesize
104B

MD5
fef0d9258ff61429dee6277ff87c5cb0

SHA1
93899b606264d8aa0632267d5af96e8c39cdd3e2

SHA256
ef6352f95906dc9211a68d6263c89839fce5eba21c1f667c08b6ac140396ca50

SHA512
09161f6db3e4fe2322a67e888462701bd1cba7dc853745eded89e14c364cd056995b4dcb4b3ae66c1cce2b19455d4e047cfe4d3356e9439eea6e06a104d98342

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg

Filesize
133KB

MD5
972f57937b4b32f68cf12026aedd409b

SHA1
8a78bab73dc5e8dfa5e845129a53482522778af8

SHA256
7747739e817ff023d38398e476b4add276756c9f746a2ebdab896659451b66e9

SHA512
e5e8f76e4902c38318e6a2459958d5a62529fbc48dd25cc23b07a047559101f097a37e4861fc93d7c5b40ca97abaa85b4a4df48a11687232d05e5edb2372b79f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1B\1D11D1B123.IMD

Filesize
133KB

MD5
844f2f5f1732a4a127ffd6dd56182a46

SHA1
69674c661469b3ba4274d87d85e1f60269ec22bc

SHA256
3bba16ecf897bc6ef06fefeed0fd5e1d8c6cb28ef6aeb446cee94c7106bd1f39

SHA512
5ed7f79022676aa127c714dcfa7e6b332f88bcf7066e8e051f073165d0486c303edd8e86361fe275f51354fd3f99beea252fe996c06c5d89c84c2558a6a06f58

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1B\KVEIFmain.ini

Filesize
630B

MD5
672e3deef0d418a5be4928e315868e6b

SHA1
55111d1d19db99b745b478d8e6dc74a06c68461e

SHA256
ca368b80840563839f3c0bd8d7dffb34073a8ba64899a0b4f53764753699d0f3

SHA512
5b23cec6d4034522f88888372d01c1e92533f9ab1e9f167c617ef629c0e39ccd0efce6412ee118a111ce5fe6e4c0ec04e6b45754637691e9f711c4e0dbdd8a5d

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1B\KVEIFmain.ini

Filesize
1KB

MD5
652bce77a941f7d590e2fd494f1cdaa7

SHA1
d7b567c892d84b0178a601c7900e980c6f5f578e

SHA256
3ed5731d74a509240e581b0a44f4f07eb4e9a3cf4025e00db70b4c2c0cfab582

SHA512
6ce7eb03bcfcbf9ccd8c611e47f9f150b1a88b09fcb964439f324630b82b633a76f8e00878fbedf8b6f9702c926cb3009e1799a002ffed77e0201d4bebb129a4

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/428-29-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-2-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-31-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-14-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-9-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-25-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-7-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-21-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-4-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-32-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-15-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-17-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-19-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-23-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-27-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-11-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-33-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/428-5-0x0000000000590000-0x00000000005E5000-memory.dmp

Filesize
340KB

Download
memory/2500-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2500-111-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-131-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-115-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-113-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-127-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-125-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-123-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-121-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-119-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-117-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-129-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-109-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-105-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-107-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-104-0x0000000003240000-0x0000000003295000-memory.dmp

Filesize
340KB

Download
memory/2500-102-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2500-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2500-97-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2500-246-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5064-197-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5064-247-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download