Analysis
- max time kernel: 2s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:37

Static task: static1
Behavioral task behavioral1: sample a666581b6ef559d6f3d20106c385fd7a.exe, resource win7-20231215-en
Behavioral task behavioral2: sample a666581b6ef559d6f3d20106c385fd7a.exe, resource win10v2004-20231222-en

General
- Target: a666581b6ef559d6f3d20106c385fd7a.exe
- Size: 755KB
- MD5: a666581b6ef559d6f3d20106c385fd7a
- SHA1: e6bf29103ee5a496a60956a94a0d17cb467681f6
- SHA256: a29ab3ea6a5b22d408e47505a557d08ea9d3bcf91852e907dfc94854e7407625
- SHA512: 6f26f667c9284d2990a94176fbdac90989340240faeb990947d95d8f57a6dc80ed1546802daa3ffee628aa2f4e11dc69d330737f9c2be5eda798487321ce96e5
- SSDEEP: 12288:UZWtI6RkuBo4eZJys73dOvXDpNjNe8LONB/4eZJys73dOvXDpNjNe8ZLZ:UuhauBBeZJ8NI8cBAeZJ8NI8hZ
Malware Config

Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) by regedit.exe:
  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- Blocks application from running via registry modification (17 IoCs)
  Adds application to list of disallowed applications. All writes by regedit.exe, under
  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
  Key created: DisallowRun
  Set value (int): DisallowRun = "1"
  Set value (str): DisallowRun\1 = "avp.exe"
  Set value (str): DisallowRun\2 = "RfwMain.exe"
  Set value (str): DisallowRun\3 = "Rfwsrv.exe"
  Set value (str): DisallowRun\4 = "RavMoD.exe"
  Set value (str): DisallowRun\5 = "CCenter.exe"
  Set value (str): DisallowRun\6 = "RavMon.exe"
  Set value (str): DisallowRun\7 = "RavStub.exe"
  Set value (str): DisallowRun\8 = "RavService.exe"
  Set value (str): DisallowRun\9 = "Rav.exe"
  Set value (str): DisallowRun\10 = "rfwcfg.exe"
  Set value (str): DisallowRun\11 = "KPFW32.EXE"
  Set value (str): DisallowRun\12 = "KPFW32X.EXE"
  Set value (str): DisallowRun\13 = "KAVPFW.EXE"
  Set value (str): DisallowRun\14 = "KAV32.EXE"
  Set value (str): DisallowRun\15 = "KAVStart.EXE"
- Sets file execution options in registry (2 TTPs, 20 IoCs)
  All writes by regedit.exe, under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
  For each of the following images a subkey was created and its Debugger value set (str) to "D:\\RECYCLER\\????8.exe":
  360Safe.exe, 360tray.exe, avp.exe, KAVStart.EXE, Rav.exe, RavMoD.exe, regedit.exe, RfwMain.exe, Rfwsrv.exe, taskmgr.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\Option.bat (by a666581b6ef559d6f3d20106c385fd7a.exe)
- Drops file in Windows directory (6 IoCs), all by a666581b6ef559d6f3d20106c385fd7a.exe
  File created: C:\Windows\system\KavUpda.exe
  File opened for modification: C:\Windows\system\KavUpda.exe
  File created: C:\Windows\Help\HelpCat.exe
  File opened for modification: C:\Windows\Help\HelpCat.exe
  File created: C:\Windows\Sysinf.bat
  File created: C:\Windows\regedt32.sys
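The three registry signatures above are a single action: `regedit.exe /s C:\Windows\regedt32.sys` (see the process tree) silently imports a dropped .reg file that (1) sets HideFileExt, (2) enables the Explorer DisallowRun policy for image names belonging to Rising (Rav*, Rfw*, CCenter), Kingsoft (KAV*, KPFW*), 360 Safeguard (360Safe, 360tray) and Kaspersky (avp.exe) components, and (3) registers `D:\RECYCLER\????8.exe` as the IFEO Debugger for the same images plus taskmgr.exe and regedit.exe, so launching any of them runs the Debugger path instead, with the original command line appended. Two practical consequences: HideFileExt = 1 is also the Windows default, so on a live host only the write event, not the value, is evidence; and because regedit.exe and taskmgr.exe are in the IFEO list, clean-up on an infected host must be done with reg.exe or PowerShell rather than those tools. The PowerShell audit below is an added example for checking a host for these artefacts; it is not part of the sandbox report or of the sample. The debugger allow-list is an assumption to be adjusted per site.

```powershell
# Added audit script, not part of the sandbox report. Run in an elevated session.
# Reports the three registry techniques from the signatures above:
#   1. IFEO Debugger hijacks (HKLM\...\Image File Execution Options\<image>\Debugger)
#   2. Explorer DisallowRun policy and list (per loaded user hive)
#   3. Explorer HideFileExt (per loaded user hive, informational only)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Assumption: site-specific allow-list of debuggers that may legitimately appear in IFEO.
$KnownGoodDebuggers = @('vsjitdebugger.exe', 'windbg.exe')

function Get-IfeoDebuggerHijack {
    # The Debugger value names the program Windows starts *instead of* the image in the
    # subkey name (original command line appended), so any unexpected path is a hijack.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }   # subkey exists but no Debugger value: not a hijack
        # Leaf file name; a regex rather than Split-Path so odd characters in the value do not throw.
        $leaf = ($dbg.Trim('"') -replace '^.*[\\/]', '').ToLowerInvariant()
        [pscustomobject]@{
            Technique  = 'IFEO Debugger'
            Scope      = 'HKLM'
            Name       = $_.PSChildName
            Value      = $dbg
            Suspicious = ($KnownGoodDebuggers -notcontains $leaf)
        }
    }
}

function Get-UserHive {
    # Loaded interactive user hives only; skip *_Classes hives and built-in accounts.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
}

function Get-DisallowRunEntry {
    # Policies\Explorer\DisallowRun (DWORD) = 1 switches the policy on; the numbered string
    # values under the DisallowRun subkey are the image names Explorer refuses to start.
    foreach ($hive in Get-UserHive) {
        $policy  = Join-Path -Path $hive.PSPath -ChildPath 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        $enabled = (Get-ItemProperty -LiteralPath $policy -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
        $listKey = Join-Path -Path $policy -ChildPath 'DisallowRun'
        if (-not (Test-Path -LiteralPath $listKey)) { continue }
        $props = Get-ItemProperty -LiteralPath $listKey
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })) {
            [pscustomobject]@{
                Technique  = 'Explorer DisallowRun'
                Scope      = $hive.PSChildName
                Name       = $p.Name
                Value      = "$($p.Value) (policy enabled: $($enabled -eq 1))"
                Suspicious = $true   # a populated DisallowRun list is unusual outside GPO-managed hosts
            }
        }
    }
}

function Get-HideFileExtSetting {
    # HideFileExt = 1 is the Windows default, so the value alone proves nothing; it is
    # reported because the sample sets it explicitly so "name.jpg.exe" shows as "name.jpg".
    foreach ($hive in Get-UserHive) {
        $adv = Join-Path -Path $hive.PSPath -ChildPath 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        $v = (Get-ItemProperty -LiteralPath $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
        [pscustomobject]@{
            Technique  = 'Explorer HideFileExt'
            Scope      = $hive.PSChildName
            Name       = 'HideFileExt'
            Value      = $v
            Suspicious = $false   # informational only
        }
    }
}

$findings = @(Get-IfeoDebuggerHijack) + @(Get-DisallowRunEntry) + @(Get-HideFileExtSetting)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

On a host infected with this sample the IFEO section lists ten entries whose Value is `D:\\RECYCLER\\????8.exe` (all flagged Suspicious), and the DisallowRun section lists the fifteen image names above under the user's SID. Removing the IFEO subkeys with `Remove-Item` from this same session is safe because powershell.exe is not among the hijacked images.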
- Launches sc.exe (8 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  PIDs (all sc.exe): 1880, 2908, 3512, 440, 4776, 2336, 4980, 2024
- Runs net.exe
- Runs regedit.exe (1 IoC)
  PID 2472 regedit.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4280 a666581b6ef559d6f3d20106c385fd7a.exe
- Suspicious use of WriteProcessMemory (57 IoCs)
  Columns: description | pid | Process | procid_target. Each target below is recorded three times in the report (three writes per target), so the 19 lines account for all 57 IoCs.
  PID 4280 wrote to memory of 3872 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 23
  PID 4280 wrote to memory of 2752 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 16
  PID 2752 wrote to memory of 2948 | 2752 | net.exe | 18
  PID 4280 wrote to memory of 1588 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 162
  PID 4280 wrote to memory of 2348 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 161
  PID 4280 wrote to memory of 2052 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 96
  PID 4280 wrote to memory of 1764 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 210
  PID 4280 wrote to memory of 3552 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 121
  PID 4280 wrote to memory of 3380 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 89
  PID 4280 wrote to memory of 3076 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 87
  PID 4280 wrote to memory of 3424 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 106
  PID 4280 wrote to memory of 1880 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 233
  PID 4280 wrote to memory of 2024 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 205
  PID 4280 wrote to memory of 4980 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 80
  PID 4280 wrote to memory of 2336 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 79
  PID 4280 wrote to memory of 2472 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 77
  PID 4280 wrote to memory of 1456 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 76
  PID 4280 wrote to memory of 1184 | 4280 | a666581b6ef559d6f3d20106c385fd7a.exe | 75
  PID 3552 wrote to memory of 3316 | 3552 | reg.exe | 74
- Views/modifies file attributes (1 TTP, 16 IoCs)
  PIDs (all attrib.exe): 1112, 400, 3600, 400, 976, 516, 1392, 4868, 1468, 3184, 228, 3424, 4520, 3396, 2164, 4372
Processes
Indentation gives the parent/child depth recorded by the sandbox; each entry is image path (PID): command line, followed by the signatures attributed to that process.

- C:\Users\Admin\AppData\Local\Temp\a666581b6ef559d6f3d20106c385fd7a.exe (PID 4280): "C:\Users\Admin\AppData\Local\Temp\a666581b6ef559d6f3d20106c385fd7a.exe"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 2752): net.exe start schedule /y
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2948): C:\Windows\system32\net1 start schedule /y
  - C:\Windows\SysWOW64\cmd.exe (PID 3872): C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  - C:\Windows\system\KavUpda.exe (PID 2556): C:\Windows\system\KavUpda.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 4484): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1764): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - C:\Windows\SysWOW64\attrib.exe (PID 1112): attrib -s -h -r F:\Autorun.inf\*.* /s /d
        signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\reg.exe (PID 3552): C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 3192): C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    - C:\Windows\SysWOW64\sc.exe (PID 2908): C:\Windows\system32\sc.exe config srservice start= disabled
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe (PID 3512): C:\Windows\system32\sc.exe config wscsvc start= disabled
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe (PID 440): C:\Windows\system32\sc.exe config SharedAccess start= disabled
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe (PID 4776): C:\Windows\system32\sc.exe config srservice start= disabled
      signatures: Launches sc.exe
    - C:\Windows\SysWOW64\net.exe (PID 1788): net.exe stop 360timeprot /y
    - C:\Windows\SysWOW64\net.exe (PID 4316): net.exe stop srservice /y
    - C:\Windows\SysWOW64\net.exe (PID 2144): net.exe stop wuauserv /y
    - C:\Windows\SysWOW64\net.exe (PID 1924): net.exe stop sharedaccess /y
    - C:\Windows\SysWOW64\cmd.exe (PID 3356): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1488): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\net.exe (PID 4524): net.exe stop wscsvc /y
    - C:\Windows\SysWOW64\cmd.exe (PID 2088): cmd /c at 7:42:57 PM C:\Windows\Sysinf.bat
    - C:\Windows\SysWOW64\cmd.exe (PID 1864): cmd /c at 7:39:57 PM C:\Windows\Sysinf.bat
    - C:\Windows\SysWOW64\At.exe (PID 1416): At.exe 7:40:55 PM C:\Windows\Help\HelpCat.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 3684): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1764): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 2388): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 4808): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 3416): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 544): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 3624): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1220): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 1100): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1880): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 3804): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 3184): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 5040): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 4272): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 4864): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 3052): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 404): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 2916): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 3132): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 4460): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 916): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 4732): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 3612): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1888): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 2252): cmd /c rmdir F:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 1444): cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - C:\Windows\SysWOW64\cmd.exe (PID 2168): cmd /c rmdir C:\Autorun.inf /s /q
    - C:\Windows\SysWOW64\cmd.exe (PID 456): cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - C:\Windows\SysWOW64\reg.exe (PID 1184): C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - C:\Windows\SysWOW64\reg.exe (PID 1456): C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - C:\Windows\SysWOW64\regedit.exe (PID 2472): regedit.exe /s C:\Windows\regedt32.sys
    signatures: Modifies visibility of file extensions in Explorer; Blocks application from running via registry modification; Sets file execution options in registry; Runs regedit.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2336): C:\Windows\system32\sc.exe config srservice start= disabled
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 4980): C:\Windows\system32\sc.exe config wscsvc start= disabled
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2024): C:\Windows\system32\sc.exe config SharedAccess start= disabled
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1880): C:\Windows\system32\sc.exe config srservice start= disabled
    signatures: Launches sc.exe
    - C:\Windows\SysWOW64\attrib.exe (PID 3600): attrib -s -h -r F:\Autorun.inf\*.* /s /d
      signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\net.exe (PID 3424): net.exe stop 360timeprot /y
  - C:\Windows\SysWOW64\net.exe (PID 3076): net.exe stop srservice /y
  - C:\Windows\SysWOW64\net.exe (PID 3380): net.exe stop wuauserv /y
  - C:\Windows\SysWOW64\net.exe (PID 3552): net.exe stop sharedaccess /y
  - C:\Windows\SysWOW64\net.exe (PID 1764): net.exe stop wscsvc /y
    - C:\Windows\SysWOW64\attrib.exe (PID 3424): attrib -s -h -r F:\Autorun.inf\*.* /s /d
      signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 2052): cmd /c at 7:42:54 PM C:\Windows\Sysinf.bat
  - C:\Windows\SysWOW64\net.exe (PID 1112): net.exe stop 360timeprot /y
  - C:\Windows\SysWOW64\net.exe (PID 2240): net.exe stop srservice /y
  - C:\Windows\SysWOW64\net.exe (PID 724): net.exe stop wuauserv /y
  - C:\Windows\SysWOW64\net.exe (PID 2684): net.exe stop sharedaccess /y
  - C:\Windows\SysWOW64\net.exe (PID 4608): net.exe stop wscsvc /y
  - C:\Windows\SysWOW64\cmd.exe (PID 2348): cmd /c at 7:39:54 PM C:\Windows\Sysinf.bat
  - C:\Windows\SysWOW64\At.exe (PID 1588): At.exe 7:40:52 PM C:\Windows\Help\HelpCat.exe

Processes recorded without a parent (shown at depth 1 in the report):
- C:\Windows\SysWOW64\net1.exe (PID 868): C:\Windows\system32\net1 stop 360timeprot /y
- C:\Windows\SysWOW64\at.exe (PID 3656): at 7:42:54 PM C:\Windows\Sysinf.bat
- C:\Windows\SysWOW64\net1.exe (PID 684): C:\Windows\system32\net1 start schedule /y
- C:\Windows\SysWOW64\net.exe (PID 4508): net.exe start schedule /y
- C:\Windows\SysWOW64\cmd.exe (PID 1508): C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
- C:\Windows\SysWOW64\net1.exe (PID 2720): C:\Windows\system32\net1 stop wscsvc /y
- C:\Windows\SysWOW64\at.exe (PID 4868): at 7:39:54 PM C:\Windows\Sysinf.bat
- C:\Windows\SysWOW64\net1.exe (PID 928): C:\Windows\system32\net1 stop wuauserv /y
- C:\Windows\SysWOW64\net1.exe (PID 4884): C:\Windows\system32\net1 stop srservice /y
- C:\Windows\SysWOW64\net1.exe (PID 3316): C:\Windows\system32\net1 stop sharedaccess /y
- C:\Windows\SysWOW64\net1.exe (PID 404): C:\Windows\system32\net1 stop sharedaccess /y
- C:\Windows\SysWOW64\net1.exe (PID 1452): C:\Windows\system32\net1 stop 360timeprot /y
- C:\Windows\SysWOW64\net1.exe (PID 1984): C:\Windows\system32\net1 stop sharedaccess /y
- C:\Windows\SysWOW64\net1.exe (PID 3096): C:\Windows\system32\net1 stop wuauserv /y
- C:\Windows\SysWOW64\net1.exe (PID 1656): C:\Windows\system32\net1 stop srservice /y
- C:\Windows\SysWOW64\net1.exe (PID 1564): C:\Windows\system32\net1 stop wuauserv /y
- C:\Windows\SysWOW64\net1.exe (PID 2356): C:\Windows\system32\net1 stop 360timeprot /y
- C:\Windows\SysWOW64\net1.exe (PID 392): C:\Windows\system32\net1 stop wscsvc /y
- C:\Windows\SysWOW64\net1.exe (PID 2984): C:\Windows\system32\net1 stop wscsvc /y
- C:\Windows\SysWOW64\net1.exe (PID 1848): C:\Windows\system32\net1 stop srservice /y
- C:\Windows\SysWOW64\at.exe (PID 4444): at 7:42:57 PM C:\Windows\Sysinf.bat
- C:\Windows\SysWOW64\at.exe (PID 3804): at 7:39:57 PM C:\Windows\Sysinf.bat
- C:\Windows\SysWOW64\attrib.exe (PID 976): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\System32\mousocoreworker.exe (PID 2024): C:\Windows\System32\mousocoreworker.exe -Embedding
- C:\Windows\SysWOW64\attrib.exe (PID 400): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 4868): attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 1468): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 4520): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 3396): attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 3184): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 516): attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 228): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 1392): attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 2164): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 400): attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe (PID 4372): attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
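Besides the registry import, the process tree records four host-weakening steps, run both from the main process and from the dropped C:\Windows\system\KavUpda.exe: deleting the {4D36E967-E325-11CE-BFC1-08002BE10318} key (the DiskDrive device setup class) from SafeBoot\Minimal and SafeBoot\Network, after which Safe Mode cannot boot; `sc config ... start= disabled` and `net stop` against srservice, wscsvc, SharedAccess, wuauserv and 360timeprot (System Restore, Security Center, firewall/ICS, Windows Update, 360 Safeguard; srservice is a Windows XP service name and is absent on the Windows 10 VM, and SharedAccess hosted the firewall only on XP, modern Windows uses mpssvc); `net start schedule` followed by at.exe jobs that run C:\Windows\Sysinf.bat and C:\Windows\Help\HelpCat.exe a few minutes later; and `attrib -s -h -r` plus `rmdir` on C:\Autorun.inf and F:\Autorun.inf, removing a directory commonly created as a vaccination against autorun malware. The PowerShell check below is an added example, not part of the report, that reports these conditions on a live host without changing anything; the dropped-file list is taken from the signatures above, and the repair hint for SafeBoot assumes a default install where the key's default value is "DiskDrive".

```powershell
# Added host-check script, not part of the sandbox report. Run elevated on a host
# suspected of having run this sample. Report-only: nothing is modified.

$DiskDriveClass   = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive setup class; SafeBoot needs it
$TargetedServices = @('srservice', 'wscsvc', 'SharedAccess', 'wuauserv', '360timeprot', 'Schedule')
$DroppedFiles     = @(                                          # paths from the "Drops file" signatures
    'C:\Windows\SysWOW64\Option.bat',
    'C:\Windows\system\KavUpda.exe',
    'C:\Windows\Help\HelpCat.exe',
    'C:\Windows\Sysinf.bat',
    'C:\Windows\regedt32.sys'
)

function Test-SafeBootDiskDriveKey {
    # The sample deleted the key from ControlSet001; CurrentControlSet normally points at it.
    # Without the DiskDrive class in both lists Safe Mode stops during boot.
    foreach ($set in 'CurrentControlSet', 'ControlSet001') {
        foreach ($mode in 'Minimal', 'Network') {
            $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$DiskDriveClass"
            $status = if (Test-Path -LiteralPath $key) { 'present' } else { 'MISSING: Safe Mode broken' }
            # Repair hint (assumption: default value is "DiskDrive" on a clean install):
            #   reg add "HKLM\SYSTEM\<set>\Control\SafeBoot\<mode>\{4D36E967-...}" /ve /d DiskDrive /f
            [pscustomobject]@{ Check = "SafeBoot\$mode ($set)"; Status = $status; Detail = $key }
        }
    }
}

function Get-TargetedServiceState {
    # Win32_Service exposes StartMode, which reads "Disabled" after `sc config ... start= disabled`.
    foreach ($name in $TargetedServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $status = if ($null -eq $svc) { 'not installed' } else { "$($svc.State), start=$($svc.StartMode)" }
        $detail = if ($null -eq $svc) { '' } else { $svc.PathName }
        [pscustomobject]@{ Check = "service $name"; Status = $status; Detail = $detail }
    }
}

function Get-AtStyleTask {
    # at.exe registers tasks named At1, At2, ... in the root task folder; also match
    # any task whose action runs one of the two payloads the sample scheduled.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($task.TaskName -match '^At\d+$' -or $cmd -match 'Sysinf\.bat|HelpCat\.exe') {
                [pscustomobject]@{
                    Check  = "scheduled task $($task.TaskPath)$($task.TaskName)"
                    Status = 'SUSPICIOUS'
                    Detail = $cmd
                }
            }
        }
    }
}

function Get-DroppedFileState {
    # Presence of any of these paths is strong evidence; hash present files for sharing.
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Check = 'dropped file'; Status = 'PRESENT'; Detail = "$path sha256=$hash" }
        } else {
            [pscustomobject]@{ Check = 'dropped file'; Status = 'absent'; Detail = $path }
        }
    }
}

function Get-AutorunVaccineState {
    # The sample strips attributes from and removes C:\Autorun.inf and F:\Autorun.inf.
    foreach ($root in 'C:\', 'F:\') {
        $p = Join-Path -Path $root -ChildPath 'Autorun.inf'
        $status = if (Test-Path -LiteralPath $p) { 'present' } else { 'absent' }
        [pscustomobject]@{ Check = 'Autorun.inf'; Status = $status; Detail = $p }
    }
}

@(Test-SafeBootDiskDriveKey) + @(Get-TargetedServiceState) + @(Get-AtStyleTask) +
@(Get-DroppedFileState) + @(Get-AutorunVaccineState) | Format-Table -AutoSize -Wrap
```

A clean Windows 10 host shows all four SafeBoot keys present, srservice "not installed", the other services at their default start mode, no At-style tasks and all dropped files absent. Note that the sample's own process names (KavUpda.exe, HelpCat.exe) imitate antivirus and help components and live under C:\Windows\system and C:\Windows\Help, not System32, which is why the dropped-file check uses exact paths rather than names.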