e6ea9a4f102ba876cd208092e784f5af3fad5812df9ee50323b10b5447bc6d8f

Analysis

max time kernel
2s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34f3ed7b9a9c520f558d9a22e3994521.exe
Size

2.0MB
MD5

34f3ed7b9a9c520f558d9a22e3994521
SHA1

dde0d0672a16456fd6f0905034c43e6e2182eb37
SHA256

e6ea9a4f102ba876cd208092e784f5af3fad5812df9ee50323b10b5447bc6d8f
SHA512

9cee950c1f7903ea5bc94319bc2cd1149f431f79329fbd188b9a54020ba386cf1802909a5b77b02c18cc391491de7c2f5ef77c5dc7f1c5cdba9721d3153db4a2
SSDEEP

49152:bQerQZbd2terQZbd2uerQZbd2terQZbd2H8r:VrQZjrQZYrQZjrQZr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Blocks application from running via registry modification 17 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE"	regedit.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe	regedit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	34f3ed7b9a9c520f558d9a22e3994521.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\KavUpda.exe	34f3ed7b9a9c520f558d9a22e3994521.exe
File created	C:\Windows\Help\HelpCat.exe	34f3ed7b9a9c520f558d9a22e3994521.exe
File opened for modification	C:\Windows\Help\HelpCat.exe	34f3ed7b9a9c520f558d9a22e3994521.exe
File created	C:\Windows\Sysinf.bat	34f3ed7b9a9c520f558d9a22e3994521.exe
File created	C:\Windows\regedt32.sys	34f3ed7b9a9c520f558d9a22e3994521.exe
File created	C:\Windows\system\KavUpda.exe	34f3ed7b9a9c520f558d9a22e3994521.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3972	sc.exe
4740	sc.exe
2284	sc.exe
2380	sc.exe
4476	sc.exe
1952	sc.exe
3928	sc.exe
4744	sc.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
1108	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	34f3ed7b9a9c520f558d9a22e3994521.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1532	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	23
PID 2428 wrote to memory of 1532	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	23
PID 2428 wrote to memory of 1532	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	23
PID 2428 wrote to memory of 2368	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	22
PID 2428 wrote to memory of 2368	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	22
PID 2428 wrote to memory of 2368	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	22
PID 2368 wrote to memory of 3076	2368	net.exe	226
PID 2368 wrote to memory of 3076	2368	net.exe	226
PID 2368 wrote to memory of 3076	2368	net.exe	226
PID 2428 wrote to memory of 932	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	205
PID 2428 wrote to memory of 932	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	205
PID 2428 wrote to memory of 932	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	205
PID 2428 wrote to memory of 2812	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	162
PID 2428 wrote to memory of 2812	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	162
PID 2428 wrote to memory of 2812	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	162
PID 2428 wrote to memory of 1616	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	160
PID 2428 wrote to memory of 1616	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	160
PID 2428 wrote to memory of 1616	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	160
PID 2428 wrote to memory of 4100	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	207
PID 2428 wrote to memory of 4100	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	207
PID 2428 wrote to memory of 4100	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	207
PID 2428 wrote to memory of 1884	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	96
PID 2428 wrote to memory of 1884	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	96
PID 2428 wrote to memory of 1884	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	96
PID 2428 wrote to memory of 1112	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	95
PID 2428 wrote to memory of 1112	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	95
PID 2428 wrote to memory of 1112	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	95
PID 2428 wrote to memory of 2120	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	91
PID 2428 wrote to memory of 2120	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	91
PID 2428 wrote to memory of 2120	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	91
PID 2428 wrote to memory of 3244	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	154
PID 2428 wrote to memory of 3244	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	154
PID 2428 wrote to memory of 3244	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	154
PID 2428 wrote to memory of 4744	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	88
PID 2428 wrote to memory of 4744	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	88
PID 2428 wrote to memory of 4744	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	88
PID 2428 wrote to memory of 3928	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	87
PID 2428 wrote to memory of 3928	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	87
PID 2428 wrote to memory of 3928	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	87
PID 2428 wrote to memory of 1952	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	122
PID 2428 wrote to memory of 1952	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	122
PID 2428 wrote to memory of 1952	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	122
PID 2428 wrote to memory of 4476	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	84
PID 2428 wrote to memory of 4476	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	84
PID 2428 wrote to memory of 4476	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	84
PID 2428 wrote to memory of 1108	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	58
PID 2428 wrote to memory of 1108	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	58
PID 2428 wrote to memory of 1108	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	58
PID 1884 wrote to memory of 3888	1884	net.exe	113
PID 1884 wrote to memory of 3888	1884	net.exe	113
PID 1884 wrote to memory of 3888	1884	net.exe	113
PID 2428 wrote to memory of 4444	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	78
PID 2428 wrote to memory of 4444	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	78
PID 2428 wrote to memory of 4444	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	78
PID 2428 wrote to memory of 1692	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	76
PID 2428 wrote to memory of 1692	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	76
PID 2428 wrote to memory of 1692	2428	34f3ed7b9a9c520f558d9a22e3994521.exe	76
PID 1616 wrote to memory of 3812	1616	cmd.exe	61
PID 1616 wrote to memory of 3812	1616	cmd.exe	61
PID 1616 wrote to memory of 3812	1616	cmd.exe	61

Views/modifies file attributes 1 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4304	attrib.exe
2240	attrib.exe
2220	attrib.exe
4280	attrib.exe
1200	attrib.exe
3576	attrib.exe
556	attrib.exe
3488	attrib.exe
4440	attrib.exe
4392	attrib.exe
2892	attrib.exe
4432	attrib.exe
1180	attrib.exe
1800	attrib.exe
2512	attrib.exe
2652	attrib.exe

C:\Users\Admin\AppData\Local\Temp\34f3ed7b9a9c520f558d9a22e3994521.exe
"C:\Users\Admin\AppData\Local\Temp\34f3ed7b9a9c520f558d9a22e3994521.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  2⤵
  PID:1532
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\regedt32.sys
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Blocks application from running via registry modification
  - Sets file execution options in registry
  - Runs regedit.exe
  PID:1108
- C:\Windows\system\KavUpda.exe
  C:\Windows\system\KavUpda.exe
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\net.exe
    net.exe start schedule /y
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:2512
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r C:\Autorun.inf\*.* /s /d
      4⤵
      Views/modifies file attributes
      PID:1800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4740
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2284
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:2380
- - C:\Windows\SysWOW64\net.exe
    net.exe stop 360timeprot /y
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\net.exe
    net.exe stop srservice /y
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wuauserv /y
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\net.exe
    net.exe stop sharedaccess /y
    3⤵
    PID:552
- - C:\Windows\SysWOW64\net.exe
    net.exe stop wscsvc /y
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 4:17:42 PM C:\Windows\Sysinf.bat
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c at 4:14:42 PM C:\Windows\Sysinf.bat
    3⤵
    PID:640
- - C:\Windows\SysWOW64\At.exe
    At.exe 4:15:40 PM C:\Windows\Help\HelpCat.exe
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir F:\Autorun.inf /s /q
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rmdir C:\Autorun.inf /s /q
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    3⤵
    PID:3676
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:1692
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  2⤵
  PID:4444
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:4476
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1952
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:3928
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:4744
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:3244
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:2120
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1112
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:932
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:208
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:3824
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:3120
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:4592
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 4:17:39 PM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 4:14:39 PM C:\Windows\Sysinf.bat
  2⤵
  PID:2812
- C:\Windows\SysWOW64\At.exe
  At.exe 4:15:37 PM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:3076

C:\Windows\SysWOW64\at.exe
at 4:17:39 PM C:\Windows\Sysinf.bat
1⤵
PID:3812

C:\Windows\SysWOW64\at.exe
at 4:14:39 PM C:\Windows\Sysinf.bat
1⤵
PID:3332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:4348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:4452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:5032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:3888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1684

C:\Windows\SysWOW64\at.exe
at 4:14:42 PM C:\Windows\Sysinf.bat
1⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:1020

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:3132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:4416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:1708

C:\Windows\SysWOW64\at.exe
at 4:17:42 PM C:\Windows\Sysinf.bat
1⤵
PID:3936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:3888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:2508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4100

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4304

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3076

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2220

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2892

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4432

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1180

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:2652

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:3576

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:4280

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:556

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:1200

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
1⤵
- Views/modifies file attributes
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads