7dd31d8600e2ae05b820e2053bfdce08628d54171d547aedafea2ccae26e02cd

Analysis

max time kernel
4s
max time network
24s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 07:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a85b57dde2b7cd47c5d03e27a68238.exe
Size

1.6MB
MD5

45a85b57dde2b7cd47c5d03e27a68238
SHA1

8586b249038788a920ec3091f4b039a4bfac5c20
SHA256

7dd31d8600e2ae05b820e2053bfdce08628d54171d547aedafea2ccae26e02cd
SHA512

47d3595551002111378fb1636273e3efb81f34f099777d77f1d1390c5bf753b24eac22a2b384384d9fb8cc5eb408dab00866169cca7816d080a569a4f2d64c72
SSDEEP

24576:Uuha5erQZb+md4wmaerQZb+md4wmWODOberQZb+md4wmM:bwerQZbd2+erQZbd2+berQZbd24

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Blocks application from running via registry modification 17 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe"	regedit.exe

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe	regedit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	45a85b57dde2b7cd47c5d03e27a68238.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Help\HelpCat.exe	45a85b57dde2b7cd47c5d03e27a68238.exe
File opened for modification	C:\Windows\Help\HelpCat.exe	45a85b57dde2b7cd47c5d03e27a68238.exe
File created	C:\Windows\Sysinf.bat	45a85b57dde2b7cd47c5d03e27a68238.exe
File created	C:\Windows\regedt32.sys	45a85b57dde2b7cd47c5d03e27a68238.exe
File created	C:\Windows\system\KavUpda.exe	45a85b57dde2b7cd47c5d03e27a68238.exe
File opened for modification	C:\Windows\system\KavUpda.exe	45a85b57dde2b7cd47c5d03e27a68238.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1844	sc.exe
1916	sc.exe
432	sc.exe
2872	sc.exe
800	sc.exe
2756	sc.exe
2916	sc.exe
2444	sc.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
1984	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	45a85b57dde2b7cd47c5d03e27a68238.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2384	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	27
PID 2476 wrote to memory of 2384	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	27
PID 2476 wrote to memory of 2384	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	27
PID 2476 wrote to memory of 2384	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	27
PID 2476 wrote to memory of 2776	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	26
PID 2476 wrote to memory of 2776	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	26
PID 2476 wrote to memory of 2776	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	26
PID 2476 wrote to memory of 2776	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	26
PID 2776 wrote to memory of 2676	2776	net.exe	25
PID 2776 wrote to memory of 2676	2776	net.exe	25
PID 2776 wrote to memory of 2676	2776	net.exe	25
PID 2776 wrote to memory of 2676	2776	net.exe	25
PID 2476 wrote to memory of 1728	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	33
PID 2476 wrote to memory of 1728	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	33
PID 2476 wrote to memory of 1728	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	33
PID 2476 wrote to memory of 1728	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	33
PID 2476 wrote to memory of 2964	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	67
PID 2476 wrote to memory of 2964	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	67
PID 2476 wrote to memory of 2964	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	67
PID 2476 wrote to memory of 2964	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	67
PID 2476 wrote to memory of 2836	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	66
PID 2476 wrote to memory of 2836	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	66
PID 2476 wrote to memory of 2836	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	66
PID 2476 wrote to memory of 2836	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	66
PID 2476 wrote to memory of 2760	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	64
PID 2476 wrote to memory of 2760	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	64
PID 2476 wrote to memory of 2760	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	64
PID 2476 wrote to memory of 2760	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	64
PID 2476 wrote to memory of 2928	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	63
PID 2476 wrote to memory of 2928	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	63
PID 2476 wrote to memory of 2928	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	63
PID 2476 wrote to memory of 2928	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	63
PID 2476 wrote to memory of 2816	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	61
PID 2476 wrote to memory of 2816	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	61
PID 2476 wrote to memory of 2816	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	61
PID 2476 wrote to memory of 2816	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	61
PID 2964 wrote to memory of 3048	2964	cmd.exe	58
PID 2964 wrote to memory of 3048	2964	cmd.exe	58
PID 2964 wrote to memory of 3048	2964	cmd.exe	58
PID 2964 wrote to memory of 3048	2964	cmd.exe	58
PID 2928 wrote to memory of 2692	2928	net.exe	59
PID 2928 wrote to memory of 2692	2928	net.exe	59
PID 2928 wrote to memory of 2692	2928	net.exe	59
PID 2928 wrote to memory of 2692	2928	net.exe	59
PID 2816 wrote to memory of 3044	2816	net.exe	57
PID 2816 wrote to memory of 3044	2816	net.exe	57
PID 2816 wrote to memory of 3044	2816	net.exe	57
PID 2816 wrote to memory of 3044	2816	net.exe	57
PID 2760 wrote to memory of 1204	2760	net.exe	56
PID 2760 wrote to memory of 1204	2760	net.exe	56
PID 2760 wrote to memory of 1204	2760	net.exe	56
PID 2760 wrote to memory of 1204	2760	net.exe	56
PID 2836 wrote to memory of 2292	2836	cmd.exe	55
PID 2836 wrote to memory of 2292	2836	cmd.exe	55
PID 2836 wrote to memory of 2292	2836	cmd.exe	55
PID 2836 wrote to memory of 2292	2836	cmd.exe	55
PID 2476 wrote to memory of 2572	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	36
PID 2476 wrote to memory of 2572	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	36
PID 2476 wrote to memory of 2572	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	36
PID 2476 wrote to memory of 2572	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	36
PID 2476 wrote to memory of 2540	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	54
PID 2476 wrote to memory of 2540	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	54
PID 2476 wrote to memory of 2540	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	54
PID 2476 wrote to memory of 2540	2476	45a85b57dde2b7cd47c5d03e27a68238.exe	54

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2008	attrib.exe
976	attrib.exe
1248	attrib.exe
580	attrib.exe
2728	attrib.exe
752	attrib.exe
1536	attrib.exe
3060	attrib.exe
1816	attrib.exe
2180	attrib.exe
1524	attrib.exe
2052	attrib.exe
2768	attrib.exe
2756	attrib.exe
1796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45a85b57dde2b7cd47c5d03e27a68238.exe
"C:\Users\Admin\AppData\Local\Temp\45a85b57dde2b7cd47c5d03e27a68238.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:2384
- C:\Windows\SysWOW64\At.exe
  At.exe 7:43:08 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:1728
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:2892
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:2872
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\regedt32.sys
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Blocks application from running via registry modification
  - Sets file execution options in registry
  - Runs regedit.exe
  PID:1984
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:800
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2756
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:2916
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:2156
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:1996
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:2540
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 7:45:10 AM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 7:42:10 AM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- C:\Windows\system\KavUpda.exe
  C:\Windows\system\KavUpda.exe
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Option.bat
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\net.exe
    net.exe start schedule /y
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:688
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:1844
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1916
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:432
- - C:\Windows\SysWOW64\net.exe
    net.exe stop 360timeprot /y
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\net.exe
    net.exe stop srservice /y
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wuauserv /y
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\net.exe
    net.exe stop sharedaccess /y
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wscsvc /y
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 7:45:15 AM C:\Windows\Sysinf.bat
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 7:42:15 AM C:\Windows\Sysinf.bat
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\At.exe
    At.exe 7:43:13 AM C:\Windows\Help\HelpCat.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:976
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc /y
    3⤵
    PID:2260
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:2184
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:3008
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:2040
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:1752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:2676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:2672

C:\Windows\SysWOW64\at.exe
at 7:45:10 AM C:\Windows\Sysinf.bat
1⤵
PID:2292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:3044

C:\Windows\SysWOW64\at.exe
at 7:42:10 AM C:\Windows\Sysinf.bat
1⤵
PID:3048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:1800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:1860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:2360

C:\Windows\SysWOW64\at.exe
at 7:45:15 AM C:\Windows\Sysinf.bat
1⤵
PID:2392

C:\Windows\SysWOW64\at.exe
at 7:42:15 AM C:\Windows\Sysinf.bat
1⤵
PID:1768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:976

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1536

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1796

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2052

C:\Windows\system32\taskeng.exe
taskeng.exe {201C9FBD-370E-49C9-A034-35FF860F717C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2712

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
C:\Windows\Sysinf.bat

Filesize
460B

MD5
7db3d565d6ddbe65a8b0e093910e7dcd

SHA1
d4804e6180c6e74ba79d3343f2f2ccb15e502f12

SHA256
a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f

SHA512
0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b

Download Submit
C:\Windows\regedt32.sys

Filesize
2KB

MD5
e7d7ec66bd61fac3843c98650b0c68f6

SHA1
a15ae06e1be51038863650746368a71024539bac

SHA256
6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8

SHA512
ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6

Download Submit
C:\Windows\system\KavUpda.exe

Filesize
13KB

MD5
dff535e15f425c0bc15949399db3201c

SHA1
8287f73a8754d809c825fcf5f21fc8ea24210d64

SHA256
b34c83b1c7ce54c17f94c46c17738bd4fe8482093c292fe4ed9a52035530f2cb

SHA512
5ec1018f67d7382e8c0946d87a068596c9b22b64d14b78328fa28517c08d843a0be90142570bc712cb5d67c36dab8d116d05480e8145189e1e8a4de4a6c1dc8c

Download Submit
C:\Windows\system\KavUpda.exe

Filesize
52KB

MD5
9007820475bbe428b894a43fc2926873

SHA1
4a777d52906ea0a32d86ef0cbd706832cd3d57f9

SHA256
c1e0568e7d3162f3a8a6e377563eaf96d36cdd8f763466010fef9df4dc7b8e40

SHA512
d476e5b7ac88ca168a64df41b75a91c7dd95a334ec1cd0568fc6d1116c2c6b4488ea466820a9b00d03e70eaacf36878bea6ec6d97c30a596897abcaf6507cdec

Download Submit
C:\Windows\system\KavUpda.exe

Filesize
46KB

MD5
984cceb391c29212519194ae7ac5671c

SHA1
710bce99cd29a0be19d745e6fc646f69501e3cf2

SHA256
c66b5237ca0390ee49fb744c6a802f3bfbd6bff33850ca6070b603486698655d

SHA512
7987bdaab6c559e5174186f8be7e57290cf97c5453c7a925b17f0511da1e54a25e9d2399ced82cae02e847cd85cd0ae5fb3302b5e8fd8a5fd888839a3d5defae

Download Submit
F:\Autorun.inf

Filesize
237B

MD5
94bcd02c5afd5918b4446345e7a5ded9

SHA1
79839238e84be225132e1382fae6333dfc4906a1

SHA256
5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1

SHA512
149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500

Download Submit
\Windows\system\KavUpda.exe

Filesize
34KB

MD5
615e4a8e8d5aef259168b013ce7543b0

SHA1
af9edf3afb8c938964cb7551b5b3aa4218073e9c

SHA256
3975734efac3d26557f624abfe720a48c2ffb3e30f9c3a0e1398222f1293cc44

SHA512
b7a6f465f0d618c92c8402a54b99e512d8c3ad3f39ff151cd0a9ff150c0eece4c4ae79c77799834fbc74575f79ee012c8da5177ca768d5a73accc096cbf6c32b

Download Submit
\Windows\system\KavUpda.exe

Filesize
57KB

MD5
609b4895a24a1714cd09454ec2b9455c

SHA1
96fafe79bd7a441677a468774e5f4453e65c3536

SHA256
96ebaff17524887fe55f76b69b637f8f11e6728bc7ebd87756b340681bbf14d4

SHA512
b9c38561d99111886dddd525e3657edaad37f1f2720923a2325346d361092870095951b7c53bee5bf50c931712fcee01bb1e37e848b88ca73ca0f549f51996fd

Download Submit
memory/2476-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.