c14db4f709fa70fb70c7f3969cee4177d2641c098e06b1909af77e09addfa64f

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Size

4.3MB
MD5

b0a674f3e540801c827953089e6c9f03
SHA1

d0fbeb2bf51324360835e51b80ae0df4f80c760c
SHA256

c14db4f709fa70fb70c7f3969cee4177d2641c098e06b1909af77e09addfa64f
SHA512

fc2132048a7f8b25ca31e1f3f9a570124834a80633ad5b867513a73e87187c0ce2c2bf6cca1337ba468f3bc45c4c14bbf5d9ba39584ba3aa9d3b1e615a453afc
SSDEEP

98304:dpq/d8kCBwlMyQjujDW9tBcg2jGqwwAqWFnhGJ98j02rSYC6dkB3tiXFR:ecP5ujyp8jGqwwtanagrRC6ONtmFR

Score

8^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Loads dropped DLL 40 IoCs

pid	Process
2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
1792	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30
PID 2536 wrote to memory of 1792	2536	2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\temp\00DA66B98AE3FE11896E6E9458E94CC6\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe
  "C:\Windows\temp\00DA66B98AE3FE11896E6E9458E94CC6\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies system certificate store
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kaspersky Lab Setup Files\KFA21.17.7.539.0.372.0\au_setup_9B908BC3-3EA8-11EF-98E6-E649859EC46C\startup.exe

Filesize
4.3MB

MD5
a423a6a12fe4e5958e22d4382e3e8124

SHA1
e9932b58b88a55c0f958729d909c7425a8d37541

SHA256
e81dc2c3ff23d7ce547c7109a78ed876158f6f92cb684fb6256824f0800c0db9

SHA512
f0e8f6620ae0e8b82d20e1c46c8fc98baf1bc47a3bb5075bfeaa59eeda1ab3a1deefe0c6b6c24201e4cd64dac070b5ad28bf951a7a69e4b3ceb60720d0676994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70fbc056ef768c6936a9dbdbf435dbb

SHA1
a05a4dd0a4f045c0eefbf93a9937b2dc53ef91f3

SHA256
10b79b9ce25b34a338cc913144fc780d286d79179a1b34497b4abbf6f483c4bb

SHA512
29677f7f692c3adebe2bf72d1b78b719071249bf8d8cd47ebe741b0ed45afc423520bfc2f35c4c2314088c8f9ebd97c008e14b821f17655d4a72c9f6f2a4b7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA5F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.setup.ui.core.dll

Filesize
89KB

MD5
2c8f5ec07cb84d844e3fdee32b2a8e00

SHA1
2e27daffed27a7e6ee3adc50eef1710da318ca32

SHA256
8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9

SHA512
ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.setup.ui.dll

Filesize
278KB

MD5
1bebc399a1b31eabc3361169df0316d1

SHA1
56091143fafa680dc65dd5f2b5d6fafa94590041

SHA256
894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b

SHA512
d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.setup.ui.interoplayer.dll

Filesize
56KB

MD5
baf69d3c6977161e0c2b631b3f9958d4

SHA1
a1b2982c11811c4e5f6bce95f3072a855d11c369

SHA256
e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc

SHA512
2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.setup.ui.visuals.dll

Filesize
420KB

MD5
6181240bc579d2dfb176a1ca260f5a90

SHA1
eb13b6cd4a242c8399396795d1863954b8d79507

SHA256
b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768

SHA512
f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.ui.framework.dll

Filesize
264KB

MD5
2ad2ab4f8517da8e2efdfed22ad49f1e

SHA1
55916e3e5c4c40cf2e5644fbad07baf31459673e

SHA256
6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7

SHA512
12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.ui.framework.localization.dll

Filesize
283KB

MD5
079ac68d4beb2ab9602d754b09ff652b

SHA1
90032834cc5cffd0b00119e4e38b5f4c5f877e4c

SHA256
9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e

SHA512
53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.ui.framework.uikit.b2c.dll

Filesize
631KB

MD5
445e34aa976419cae54e13ede8d41ce5

SHA1
98ca3ee808f97ae16970b0fcefd3387bd07278eb

SHA256
a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24

SHA512
86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\kl.ui.framework.uikit.dll

Filesize
2.7MB

MD5
18defb1e3b7460f592a8ca61e4b40ff0

SHA1
8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b

SHA256
02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d

SHA512
7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\setup.dll

Filesize
5.6MB

MD5
3278c1155c263b1feed37a4485e07464

SHA1
25c405c0c4b39b3542874bdd927db147caa4a645

SHA256
c3794a5439c3b67facfde818d9f08ef9913c08fca2fe658f84bc22133ce1711b

SHA512
da08c6ea3e994ad452a6343a1f3029fff5dc122421b8a7006762a357e94691efb1c21f3e5a39635d64b82b49290227ba9524cf7b8b12f572ff3cc8e9aebc0145

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectorconverterswpf.dll

Filesize
137KB

MD5
a56a73b39703d5ff85b5cf12f9b00009

SHA1
e6448c87f969e19ae4c6514d69d8286d26a2b5db

SHA256
bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7

SHA512
7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectorcore.dll

Filesize
201KB

MD5
24e3b7177eeabdf085a01796b49c8e55

SHA1
6916a0bb98892252f59692fd0405e6da62af0f8b

SHA256
eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386

SHA512
5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectorcss.dll

Filesize
109KB

MD5
726d04bbe783a3510b18a491adac05c0

SHA1
11a01c68204dd80b32c01dcdb2e51f5b0ee34d98

SHA256
639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca

SHA512
90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectordom.dll

Filesize
55KB

MD5
e4f6efef27708458ecda4ee22edf3cef

SHA1
07ccb5fa980dead816737ad83802cbfed18e4a4f

SHA256
413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3

SHA512
4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectormodel.dll

Filesize
998KB

MD5
225a73e5a0cf87453832b578db6daddb

SHA1
a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac

SHA256
0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1

SHA512
565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectorrenderingwpf.dll

Filesize
203KB

MD5
faec58e7785c287a7c688f274207048d

SHA1
66c038c720035b7212a7d3733da4520e3b95d63b

SHA256
4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce

SHA512
9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e

Download Submit
\Users\Admin\AppData\Local\Temp\0CB809B98AE3FE11896E6E9458E94CC6\sharpvectorruntimewpf.dll

Filesize
69KB

MD5
0e203d24d04e89779638dd70d5335b39

SHA1
98ffc3718c6e34bd6d696bbcce605db666f99b01

SHA256
f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204

SHA512
a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee

Download Submit
\Windows\Temp\00DA66B98AE3FE11896E6E9458E94CC6\2024-07-10_b0a674f3e540801c827953089e6c9f03_avoslocker.exe

Filesize
4.3MB

MD5
b0a674f3e540801c827953089e6c9f03

SHA1
d0fbeb2bf51324360835e51b80ae0df4f80c760c

SHA256
c14db4f709fa70fb70c7f3969cee4177d2641c098e06b1909af77e09addfa64f

SHA512
fc2132048a7f8b25ca31e1f3f9a570124834a80633ad5b867513a73e87187c0ce2c2bf6cca1337ba468f3bc45c4c14bbf5d9ba39584ba3aa9d3b1e615a453afc

Download Submit
memory/1792-48-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-47-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-84-0x0000000006050000-0x0000000006098000-memory.dmp

Filesize
288KB

Download
memory/1792-97-0x0000000007560000-0x00000000075CA000-memory.dmp

Filesize
424KB

Download
memory/1792-92-0x0000000007560000-0x00000000075CA000-memory.dmp

Filesize
424KB

Download
memory/1792-80-0x00000000031C0000-0x00000000031D6000-memory.dmp

Filesize
88KB

Download
memory/1792-103-0x0000000007850000-0x00000000078EE000-memory.dmp

Filesize
632KB

Download
memory/1792-108-0x0000000007850000-0x00000000078EE000-memory.dmp

Filesize
632KB

Download
memory/1792-113-0x0000000003940000-0x000000000394A000-memory.dmp

Filesize
40KB

Download
memory/1792-112-0x0000000003940000-0x000000000394A000-memory.dmp

Filesize
40KB

Download
memory/1792-121-0x0000000005F50000-0x0000000005F72000-memory.dmp

Filesize
136KB

Download
memory/1792-76-0x0000000003B50000-0x0000000003B92000-memory.dmp

Filesize
264KB

Download
memory/1792-117-0x00000000068D0000-0x0000000006904000-memory.dmp

Filesize
208KB

Download
memory/1792-52-0x0000000002B60000-0x0000000002BA6000-memory.dmp

Filesize
280KB

Download
memory/1792-431-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-125-0x0000000006BE0000-0x0000000006C12000-memory.dmp

Filesize
200KB

Download
memory/1792-129-0x00000000089C0000-0x0000000008ABA000-memory.dmp

Filesize
1000KB

Download
memory/1792-88-0x0000000008000000-0x00000000082C0000-memory.dmp

Filesize
2.8MB

Download
memory/1792-137-0x0000000003BA0000-0x0000000003BAE000-memory.dmp

Filesize
56KB

Download
memory/1792-44-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/1792-133-0x00000000060F0000-0x000000000610C000-memory.dmp

Filesize
112KB

Download
memory/1792-40-0x00000000738AE000-0x00000000738AF000-memory.dmp

Filesize
4KB

Download
memory/1792-8-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1792-141-0x0000000006950000-0x0000000006962000-memory.dmp

Filesize
72KB

Download
memory/1792-150-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-151-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-9-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1792-10-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1792-430-0x0000000003940000-0x000000000394A000-memory.dmp

Filesize
40KB

Download
memory/1792-429-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-428-0x00000000738AE000-0x00000000738AF000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x0000000077D00000-0x0000000077D10000-memory.dmp

Filesize
64KB

Download
memory/2536-0-0x0000000077D00000-0x0000000077D10000-memory.dmp

Filesize
64KB

Download
memory/2536-1-0x0000000077D00000-0x0000000077D10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads