1b9f8b91b079500e2a046fd2a18cc5638963383fca34c3ff51eb42db0a004cac

Analysis

max time kernel
147s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 01:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bc96210e5b1a0e452facc9c0a26f18e.exe
Size

1.2MB
MD5

5bc96210e5b1a0e452facc9c0a26f18e
SHA1

be85c3be9a441a0229ab6623607ba91631f63e35
SHA256

1b9f8b91b079500e2a046fd2a18cc5638963383fca34c3ff51eb42db0a004cac
SHA512

1e18833d66db16ab4c115d9e62fead08e25cd985a03d2e2af187e2c6dfea9b3f5fbaed86f8bc1d8e4eb0f4377436a6176e1ed411de884566ba992bf7266c4831
SSDEEP

24576:UuhaaerQZb+md4wmAM6erQZb+md4wmAMC:bDerQZbd2ierQZbd2q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Blocks application from running via registry modification 17 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe"	regedit.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
736	KavUpda.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\Autorun.inf	KavUpda.exe
File opened for modification	C:\Autorun.inf	KavUpda.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Windows\SysWOW64\Option.bat	KavUpda.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\KavUpda.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File created	C:\Windows\Sysinf.bat	5bc96210e5b1a0e452facc9c0a26f18e.exe
File created	C:\Windows\regedt32.sys	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Windows\system\KavUpda.exe	KavUpda.exe
File opened for modification	C:\Windows\Sysinf.bat	KavUpda.exe
File opened for modification	C:\Windows\regedt32.sys	KavUpda.exe
File created	C:\Windows\regedt32.sys	KavUpda.exe
File created	C:\Windows\system\KavUpda.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File created	C:\Windows\Help\HelpCat.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe
File opened for modification	C:\Windows\Help\HelpCat.exe	5bc96210e5b1a0e452facc9c0a26f18e.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1272	sc.exe
2720	sc.exe
2512	sc.exe
4512	sc.exe
968	sc.exe
2724	sc.exe
3772	sc.exe
744	sc.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
4276	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	736	KavUpda.exe
Token: SeIncBasePriorityPrivilege	736	KavUpda.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: 33	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
Token: SeIncBasePriorityPrivilege	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4864	5bc96210e5b1a0e452facc9c0a26f18e.exe
736	KavUpda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2200	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	28
PID 4864 wrote to memory of 2200	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	28
PID 4864 wrote to memory of 2200	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	28
PID 4864 wrote to memory of 5008	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	26
PID 4864 wrote to memory of 5008	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	26
PID 4864 wrote to memory of 5008	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	26
PID 5008 wrote to memory of 736	5008	net.exe	136
PID 5008 wrote to memory of 736	5008	net.exe	136
PID 5008 wrote to memory of 736	5008	net.exe	136
PID 4864 wrote to memory of 2652	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	135
PID 4864 wrote to memory of 2652	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	135
PID 4864 wrote to memory of 2652	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	135
PID 4864 wrote to memory of 4844	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	161
PID 4864 wrote to memory of 4844	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	161
PID 4864 wrote to memory of 4844	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	161
PID 4864 wrote to memory of 4596	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	133
PID 4864 wrote to memory of 4596	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	133
PID 4864 wrote to memory of 4596	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	133
PID 4864 wrote to memory of 372	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	131
PID 4864 wrote to memory of 372	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	131
PID 4864 wrote to memory of 372	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	131
PID 4864 wrote to memory of 4944	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	130
PID 4864 wrote to memory of 4944	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	130
PID 4864 wrote to memory of 4944	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	130
PID 4864 wrote to memory of 964	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	128
PID 4864 wrote to memory of 964	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	128
PID 4864 wrote to memory of 964	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	128
PID 4864 wrote to memory of 2068	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	125
PID 4864 wrote to memory of 2068	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	125
PID 4864 wrote to memory of 2068	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	125
PID 4864 wrote to memory of 2044	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	123
PID 4864 wrote to memory of 2044	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	123
PID 4864 wrote to memory of 2044	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	123
PID 4864 wrote to memory of 3772	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	175
PID 4864 wrote to memory of 3772	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	175
PID 4864 wrote to memory of 3772	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	175
PID 4864 wrote to memory of 4512	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	100
PID 4864 wrote to memory of 4512	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	100
PID 4864 wrote to memory of 4512	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	100
PID 4864 wrote to memory of 2724	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	117
PID 4864 wrote to memory of 2724	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	117
PID 4864 wrote to memory of 2724	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	117
PID 4864 wrote to memory of 968	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	103
PID 4864 wrote to memory of 968	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	103
PID 4864 wrote to memory of 968	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	103
PID 4864 wrote to memory of 4276	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	102
PID 4864 wrote to memory of 4276	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	102
PID 4864 wrote to memory of 4276	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	102
PID 4944 wrote to memory of 3644	4944	net.exe	105
PID 4944 wrote to memory of 3644	4944	net.exe	105
PID 4944 wrote to memory of 3644	4944	net.exe	105
PID 4596 wrote to memory of 2316	4596	cmd.exe	115
PID 4596 wrote to memory of 2316	4596	cmd.exe	115
PID 4596 wrote to memory of 2316	4596	cmd.exe	115
PID 372 wrote to memory of 2556	372	net.exe	113
PID 372 wrote to memory of 2556	372	net.exe	113
PID 372 wrote to memory of 2556	372	net.exe	113
PID 4864 wrote to memory of 3700	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	114
PID 4864 wrote to memory of 3700	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	114
PID 4864 wrote to memory of 3700	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	114
PID 964 wrote to memory of 1800	964	net.exe	111
PID 964 wrote to memory of 1800	964	net.exe	111
PID 964 wrote to memory of 1800	964	net.exe	111
PID 4864 wrote to memory of 220	4864	5bc96210e5b1a0e452facc9c0a26f18e.exe	112

Views/modifies file attributes 1 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1764	attrib.exe
3392	attrib.exe
1020	attrib.exe
4572	attrib.exe
3292	attrib.exe
1324	attrib.exe
1852	attrib.exe
3308	attrib.exe
4400	attrib.exe
3268	attrib.exe
2052	attrib.exe
3420	attrib.exe
2352	attrib.exe
3544	attrib.exe
1964	attrib.exe
1776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5bc96210e5b1a0e452facc9c0a26f18e.exe
"C:\Users\Admin\AppData\Local\Temp\5bc96210e5b1a0e452facc9c0a26f18e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  2⤵
  PID:2200
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:4512
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\regedt32.sys
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Blocks application from running via registry modification
  - Sets file execution options in registry
  - Runs regedit.exe
  PID:4276
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:968
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:220
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:3700
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:3772
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:2044
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:2068
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 1:37:32 AM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 1:34:32 AM C:\Windows\Sysinf.bat
  2⤵
  PID:4844
- C:\Windows\SysWOW64\At.exe
  At.exe 1:35:30 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:2652
- C:\Windows\system\KavUpda.exe
  C:\Windows\system\KavUpda.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:736
- - C:\Windows\SysWOW64\net.exe
    net.exe start schedule /y
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start schedule /y
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:1588
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:8
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:744
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1272
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2720
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:2512
- - C:\Windows\SysWOW64\net.exe
    net.exe stop 360timeprot /y
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\net.exe
    net.exe stop srservice /y
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wuauserv /y
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\net.exe
    net.exe stop sharedaccess /y
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wscsvc /y
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 1:37:35 AM C:\Windows\Sysinf.bat
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 1:34:35 AM C:\Windows\Sysinf.bat
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\At.exe
    At.exe 1:35:33 AM C:\Windows\Help\HelpCat.exe
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:3916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:3480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r F:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:3268
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:1100
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:3672
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1952
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:5068
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:1324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:3644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:2096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:3408

C:\Windows\SysWOW64\at.exe
at 1:34:32 AM C:\Windows\Sysinf.bat
1⤵
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:1800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:2556

C:\Windows\SysWOW64\at.exe
at 1:37:32 AM C:\Windows\Sysinf.bat
1⤵
PID:2316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:4536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:4324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:2204

C:\Windows\SysWOW64\at.exe
at 1:34:35 AM C:\Windows\Sysinf.bat
1⤵
PID:4464

C:\Windows\SysWOW64\at.exe
at 1:37:35 AM C:\Windows\Sysinf.bat
1⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:4936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:3804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:3456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3772

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2096

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:3308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3792

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:3292

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4572

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1776

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2352

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1764

Network

DNS

83.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.177.190.20.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 475808
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7F0A393D5C044536AAC510CBBB814519 Ref B: LON04EDGE1012 Ref C: 2024-01-15T01:34:16Z
date: Mon, 15 Jan 2024 01:34:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 527482
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CF3EA7C792834DA49A7279ABA179461C Ref B: LON04EDGE1012 Ref C: 2024-01-15T01:34:16Z
date: Mon, 15 Jan 2024 01:34:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301528_1GXBJ11CWSVGL69Z6&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301528_1GXBJ11CWSVGL69Z6&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 517132
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9ECE5354CF8D4048A8C03C4A7312AB6C Ref B: LON04EDGE1012 Ref C: 2024-01-15T01:34:16Z
date: Mon, 15 Jan 2024 01:34:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301095_1DVS21CWR8N49JQ44&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301095_1DVS21CWR8N49JQ44&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 328898
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C81401A28FD7465A9FC26FFC1907BBD9 Ref B: LON04EDGE1012 Ref C: 2024-01-15T01:34:16Z
date: Mon, 15 Jan 2024 01:34:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 467227
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AEED830433404E808FF9A3341EC47CFA Ref B: LON04EDGE1012 Ref C: 2024-01-15T01:34:16Z
date: Mon, 15 Jan 2024 01:34:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.5kB
8.3kB
17
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

tls, http2

82.8kB
2.3MB
1704
1699

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301528_1GXBJ11CWSVGL69Z6&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301095_1DVS21CWR8N49JQ44&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14

8.8.8.8:53

83.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

83.177.190.20.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
C:\Windows\Sysinf.bat

Filesize
460B

MD5
7db3d565d6ddbe65a8b0e093910e7dcd

SHA1
d4804e6180c6e74ba79d3343f2f2ccb15e502f12

SHA256
a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f

SHA512
0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b

Download Submit
C:\Windows\System\KavUpda.exe

Filesize
48KB

MD5
0afc86456945fa14b231d0b6493ae2c8

SHA1
2c961c4068ab61cc6bb5953eafec5ae6be3db67e

SHA256
c1ddbaaa8c378a158292b412c6601eae48b42d5d64b42bb558c700742b27c8f1

SHA512
5cabb919c7e552abc51d21518cecd694347a25144b1a8537c8eda2b650fc27095ef93485d071d5815d2b50c54877dd74d9f6fa6c67e4717d788f1002094f7936

Download Submit
C:\Windows\System\KavUpda.exe

Filesize
341KB

MD5
af44a2e658d90bd9ebd67fb43372ab3b

SHA1
777d7d0cb55760427665b0123edb7a62cbbc9231

SHA256
0f8d1ea5604dc2b24599e1422347bec1749ef73012ccce19d9953f2c17a609f2

SHA512
d52545e2ec21db4392a5c65b537aac96142c4b4b5c5aea400442eaa5f767e5009d74482c4b519a37488b5745b3e0db31d8ffb43c464160465a8f1da29823ad8e

Download Submit
C:\Windows\regedt32.sys

Filesize
2KB

MD5
e7d7ec66bd61fac3843c98650b0c68f6

SHA1
a15ae06e1be51038863650746368a71024539bac

SHA256
6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8

SHA512
ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6

Download Submit
C:\Windows\system\KavUpda.exe

Filesize
90KB

MD5
86d8e8e0df66441b04a25785d90eb93a

SHA1
a558bf20045972d1809dba1454a9dd38d6196aee

SHA256
f5aac4e46610773e92d513d72b3f70bec8cbbc16de9737394e81aaf31af18626

SHA512
4a4f2809f71d9494a0cf4c1ad1dbbbc06b4aa4bcc74134dcc3d740a0726a0102b8459726d7b726e76acdcb470b0301df38a96bd1391e4a3de60262ada80c6906

Download Submit
F:\Autorun.inf

Filesize
237B

MD5
94bcd02c5afd5918b4446345e7a5ded9

SHA1
79839238e84be225132e1382fae6333dfc4906a1

SHA256
5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1

SHA512
149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500

Download Submit
memory/4864-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.