Analysis
max time kernel: 2s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: a559c11bbcbce51b55b0c4c732c77453.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a559c11bbcbce51b55b0c4c732c77453.exe
  Resource: win10v2004-20231215-en
General
Target: a559c11bbcbce51b55b0c4c732c77453.exe
Size: 4.1MB
MD5: a559c11bbcbce51b55b0c4c732c77453
SHA1: f9d6710bc7643c763fc3e5339f525c0ef0aed171
SHA256: fd41d4eac5882713ed3aee01dcd191e4c283fd7479abcf50ba83a5e16a9c9868
SHA512: c9c32f745c32e28a713248a69755da0e3a7aee8c4fe242536a54110089f09c5310ffd3a99e67468bb252cd117ffec3b59cce9743b9d520b9bb4f8327eada4a31
SSDEEP: 24576:UuhaXOWOA2eZJ8NI8GOWOA2eZJ8NI8GOWOA2eZJ8NI8GOWOA2eZJ8NI8/uYOWOAJ:by8q8q8q8WQ8q8q8q8Wd
Signatures

YARA rule matches
resource | yara_rule
behavioral1/memory/632-56-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/files/0x00060000000141f1-119.dat | upx
behavioral1/memory/632-152-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/memory/632-171-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/memory/632-210-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/memory/632-217-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/memory/632-227-0x0000000000400000-0x0000000000440000-memory.dmp | upx
behavioral1/memory/632-228-0x0000000000400000-0x0000000000440000-memory.dmp | upx
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\Option.bat | a559c11bbcbce51b55b0c4c732c77453.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\KavUpda.exe | a559c11bbcbce51b55b0c4c732c77453.exe
File created | C:\Windows\Help\HelpCat.exe | a559c11bbcbce51b55b0c4c732c77453.exe
File opened for modification | C:\Windows\Help\HelpCat.exe | a559c11bbcbce51b55b0c4c732c77453.exe
File created | C:\Windows\Sysinf.bat | a559c11bbcbce51b55b0c4c732c77453.exe
Launches sc.exe (16 IoCs)
sc.exe is a Windows utility to control services on the system.
pid (Process is sc.exe in every case): 1368, 2128, 2924, 2576, 1420, 2308, 1048, 3044, 2272, 940, 2248, 964, 1740, 2760, 2712, 1768
Runs net.exe
Runs regedit.exe (1 IoC)
pid | Process
1068 | regedit.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2416 | a559c11bbcbce51b55b0c4c732c77453.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2416 wrote to memory of 1892 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 21
PID 2416 wrote to memory of 1892 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 21
PID 2416 wrote to memory of 1892 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 21
PID 2416 wrote to memory of 1892 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 21
PID 2416 wrote to memory of 2872 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 20
PID 2416 wrote to memory of 2872 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 20
PID 2416 wrote to memory of 2872 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 20
PID 2416 wrote to memory of 2872 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 20
PID 2872 wrote to memory of 2268 | 2872 | net.exe | 18
PID 2872 wrote to memory of 2268 | 2872 | net.exe | 18
PID 2872 wrote to memory of 2268 | 2872 | net.exe | 18
PID 2872 wrote to memory of 2268 | 2872 | net.exe | 18
PID 2416 wrote to memory of 2224 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 74
PID 2416 wrote to memory of 2224 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 74
PID 2416 wrote to memory of 2224 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 74
PID 2416 wrote to memory of 2224 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 74
PID 2416 wrote to memory of 2580 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 73
PID 2416 wrote to memory of 2580 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 73
PID 2416 wrote to memory of 2580 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 73
PID 2416 wrote to memory of 2580 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 73
PID 2416 wrote to memory of 2640 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 71
PID 2416 wrote to memory of 2640 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 71
PID 2416 wrote to memory of 2640 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 71
PID 2416 wrote to memory of 2640 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 71
PID 2416 wrote to memory of 2656 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 69
PID 2416 wrote to memory of 2656 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 69
PID 2416 wrote to memory of 2656 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 69
PID 2416 wrote to memory of 2656 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 69
PID 2416 wrote to memory of 2596 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 67
PID 2416 wrote to memory of 2596 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 67
PID 2416 wrote to memory of 2596 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 67
PID 2416 wrote to memory of 2596 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 67
PID 2416 wrote to memory of 2572 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 66
PID 2416 wrote to memory of 2572 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 66
PID 2416 wrote to memory of 2572 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 66
PID 2416 wrote to memory of 2572 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 66
PID 2416 wrote to memory of 2724 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 63
PID 2416 wrote to memory of 2724 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 63
PID 2416 wrote to memory of 2724 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 63
PID 2416 wrote to memory of 2724 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 63
PID 2416 wrote to memory of 2744 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 62
PID 2416 wrote to memory of 2744 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 62
PID 2416 wrote to memory of 2744 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 62
PID 2416 wrote to memory of 2744 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 62
PID 2580 wrote to memory of 1088 | 2580 | cmd.exe | 59
PID 2580 wrote to memory of 1088 | 2580 | cmd.exe | 59
PID 2580 wrote to memory of 1088 | 2580 | cmd.exe | 59
PID 2580 wrote to memory of 1088 | 2580 | cmd.exe | 59
PID 2416 wrote to memory of 2576 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 58
PID 2416 wrote to memory of 2576 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 58
PID 2416 wrote to memory of 2576 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 58
PID 2416 wrote to memory of 2576 | 2416 | a559c11bbcbce51b55b0c4c732c77453.exe | 58
PID 2724 wrote to memory of 2752 | 2724 | net.exe | 56
PID 2724 wrote to memory of 2752 | 2724 | net.exe | 56
PID 2724 wrote to memory of 2752 | 2724 | net.exe | 56
PID 2724 wrote to memory of 2752 | 2724 | net.exe | 56
PID 2744 wrote to memory of 2800 | 2744 | net.exe | 55
PID 2744 wrote to memory of 2800 | 2744 | net.exe | 55
PID 2744 wrote to memory of 2800 | 2744 | net.exe | 55
PID 2744 wrote to memory of 2800 | 2744 | net.exe | 55
PID 2572 wrote to memory of 2512 | 2572 | net.exe | 53
PID 2572 wrote to memory of 2512 | 2572 | net.exe | 53
PID 2572 wrote to memory of 2512 | 2572 | net.exe | 53
PID 2572 wrote to memory of 2512 | 2572 | net.exe | 53
Views/modifies file attributes (1 TTP, 16 IoCs)
pid (Process is attrib.exe in every case): 2984, 604, 3040, 880, 1972, 2264, 2316, 2420, 2684, 2172, 2420, 2352, 2564, 2608, 1528, 2524
Processes
(process tree; indentation shows parent/child depth; each entry is PID, image path, command line, followed by the signatures it triggered)

PID:2416  C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453.exe  "C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    PID:2872  C:\Windows\SysWOW64\net.exe  net.exe start schedule /y
      - Suspicious use of WriteProcessMemory
    PID:1892  C:\Windows\SysWOW64\cmd.exe  cmd /c C:\Windows\system32\Option.bat
    PID:1068  C:\Windows\SysWOW64\regedit.exe  regedit.exe /s C:\Windows\regedt32.sys
      - Runs regedit.exe
    PID:2700  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    PID:2336  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    PID:940   C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
      - Launches sc.exe
    PID:1368  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config wscsvc start= disabled
      - Launches sc.exe
    PID:796   C:\Windows\system\KavUpda.exe  C:\Windows\system\KavUpda.exe
        PID:1180  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:1872  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:1600  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
        PID:1788  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
        PID:2248  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
          - Launches sc.exe
        PID:2128  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config wscsvc start= disabled
          - Launches sc.exe
        PID:1420  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config SharedAccess start= disabled
          - Launches sc.exe
        PID:964   C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
          - Launches sc.exe
        PID:360   C:\Windows\SysWOW64\net.exe  net.exe stop 360timeprot /y
        PID:1048  C:\Windows\SysWOW64\net.exe  net.exe stop srservice /y
        PID:1896  C:\Windows\SysWOW64\net.exe  net.exe stop wuauserv /y
        PID:1924  C:\Windows\SysWOW64\net.exe  net.exe stop sharedaccess /y
        PID:624   C:\Windows\SysWOW64\net.exe  net.exe stop wscsvc /y
        PID:1692  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:41:31 PM C:\Windows\Sysinf.bat
        PID:1520  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:38:31 PM C:\Windows\Sysinf.bat
        PID:1628  C:\Windows\SysWOW64\At.exe  At.exe 7:39:29 PM C:\Windows\Help\HelpCat.exe
            PID:2264  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
              - Views/modifies file attributes
        PID:1860  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2352  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:2944  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:1704  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:3060  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2928  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:2480  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:2436  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:2952  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2988  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:1164  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:1372  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:2776  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2508  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:2052  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:1628  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:2892  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:3020  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:1228  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:304   C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:280   C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2900  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:2812  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
            PID:2352  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
              - Views/modifies file attributes
        PID:936   C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:832   C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:2252  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
        PID:2268  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir F:\Autorun.inf /s /q
        PID:2164  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
        PID:2864  C:\Windows\SysWOW64\cmd.exe  cmd /c rmdir C:\Autorun.inf /s /q
        PID:1444  C:\Windows\SysWOW64\cmd.exe  cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    PID:2712  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config SharedAccess start= disabled
      - Launches sc.exe
    PID:2576  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
      - Launches sc.exe
    PID:2744  C:\Windows\SysWOW64\net.exe  net.exe stop 360timeprot /y
      - Suspicious use of WriteProcessMemory
    PID:2724  C:\Windows\SysWOW64\net.exe  net.exe stop srservice /y
      - Suspicious use of WriteProcessMemory
    PID:2572  C:\Windows\SysWOW64\net.exe  net.exe stop wuauserv /y
      - Suspicious use of WriteProcessMemory
    PID:2596  C:\Windows\SysWOW64\net.exe  net.exe stop sharedaccess /y
    PID:2656  C:\Windows\SysWOW64\net.exe  net.exe stop wscsvc /y
    PID:2640  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:41:28 PM C:\Windows\Sysinf.bat
    PID:2580  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:38:28 PM C:\Windows\Sysinf.bat
      - Suspicious use of WriteProcessMemory
    PID:2224  C:\Windows\SysWOW64\At.exe  At.exe 7:39:26 PM C:\Windows\Help\HelpCat.exe
    PID:632   C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453~4.exe  a559c11bbcbce51b55b0c4c732c77453~4.exe
        PID:2508  C:\Windows\SysWOW64\net.exe  net.exe start schedule /y
            PID:2780  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start schedule /y
            PID:1972  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
              - Views/modifies file attributes
        PID:2644  C:\Windows\SysWOW64\cmd.exe  cmd /c C:\Windows\system32\Option.bat
        PID:2320  C:\Windows\SysWOW64\net.exe  net.exe stop srservice /y
            PID:1744  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop srservice /y
        PID:1640  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
        PID:1728  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
        PID:1740  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
          - Launches sc.exe
        PID:2308  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config wscsvc start= disabled
          - Launches sc.exe
        PID:1048  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config SharedAccess start= disabled
          - Launches sc.exe
        PID:360   C:\Windows\system\KavUpda.exe  C:\Windows\system\KavUpda.exe
            PID:2256  C:\Windows\SysWOW64\net.exe  net.exe start schedule /y
                PID:1920  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start schedule /y
            PID:1648  C:\Windows\SysWOW64\cmd.exe  cmd /c C:\Windows\system32\Option.bat
            PID:3044  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config wscsvc start= disabled
              - Launches sc.exe
            PID:2804  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
            PID:2532  C:\Windows\SysWOW64\reg.exe  C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
            PID:2272  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
              - Launches sc.exe
            PID:2924  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config SharedAccess start= disabled
              - Launches sc.exe
            PID:2760  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
              - Launches sc.exe
            PID:3040  C:\Windows\SysWOW64\net.exe  net.exe stop 360timeprot /y
            PID:2156  C:\Windows\SysWOW64\net.exe  net.exe stop srservice /y
            PID:1552  C:\Windows\SysWOW64\net.exe  net.exe stop wuauserv /y
            PID:2228  C:\Windows\SysWOW64\net.exe  net.exe stop sharedaccess /y
            PID:1916  C:\Windows\SysWOW64\net.exe  net.exe stop wscsvc /y
            PID:1556  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:42:20 PM C:\Windows\Sysinf.bat
            PID:1856  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:39:20 PM C:\Windows\Sysinf.bat
            PID:1840  C:\Windows\SysWOW64\At.exe  At.exe 7:40:18 PM C:\Windows\Help\HelpCat.exe
        PID:1768  C:\Windows\SysWOW64\sc.exe  C:\Windows\system32\sc.exe config srservice start= disabled
          - Launches sc.exe
        PID:2116  C:\Windows\SysWOW64\net.exe  net.exe stop 360timeprot /y
        PID:804   C:\Windows\SysWOW64\net.exe  net.exe stop wuauserv /y
        PID:2940  C:\Windows\SysWOW64\net.exe  net.exe stop sharedaccess /y
        PID:2332  C:\Windows\SysWOW64\net.exe  net.exe stop wscsvc /y
        PID:2936  C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:42:16 PM C:\Windows\Sysinf.bat
        PID:344   C:\Windows\SysWOW64\cmd.exe  cmd /c at 7:39:16 PM C:\Windows\Sysinf.bat
        PID:2816  C:\Windows\SysWOW64\At.exe  At.exe 7:40:14 PM C:\Windows\Help\HelpCat.exe
        PID:2864  C:\Windows\SysWOW64\net.exe  net.exe stop 360timeprot /y
        PID:1748  C:\Windows\SysWOW64\net.exe  net.exe stop srservice /y
        PID:1820  C:\Windows\SysWOW64\net.exe  net.exe stop wuauserv /y
        PID:2348  C:\Windows\SysWOW64\net.exe  net.exe stop sharedaccess /y
        PID:1644  C:\Windows\SysWOW64\net.exe  net.exe stop wscsvc /y

Processes recorded without a parent in the tree:
PID:2268  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start schedule /y
PID:1580  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start schedule /y
PID:1288  C:\Windows\SysWOW64\net.exe  net.exe start schedule /y
PID:3000  C:\Windows\SysWOW64\cmd.exe  cmd /c C:\Windows\system32\Option.bat
PID:2560  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop sharedaccess /y
PID:2512  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wuauserv /y
PID:2452  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc /y
PID:2800  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop 360timeprot /y
PID:2752  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop srservice /y
PID:1088  C:\Windows\SysWOW64\at.exe  at 7:38:28 PM C:\Windows\Sysinf.bat
PID:2464  C:\Windows\SysWOW64\at.exe  at 7:41:28 PM C:\Windows\Sysinf.bat
PID:2420  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2012  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop 360timeprot /y
PID:1232  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop sharedaccess /y
PID:1908  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop srservice /y
PID:584   C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wuauserv /y
PID:1248  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc /y
PID:1728  C:\Windows\SysWOW64\at.exe  at 7:41:31 PM C:\Windows\Sysinf.bat
PID:1740  C:\Windows\SysWOW64\at.exe  at 7:38:31 PM C:\Windows\Sysinf.bat
PID:880   C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2524  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2984  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2608  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2684  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:1584  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop sharedaccess /y
PID:480   C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop 360timeprot /y
PID:1140  C:\Windows\SysWOW64\at.exe  at 7:42:16 PM C:\Windows\Sysinf.bat
PID:828   C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wuauserv /y
PID:108   C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc /y
PID:1832  C:\Windows\SysWOW64\at.exe  at 7:39:16 PM C:\Windows\Sysinf.bat
PID:2916  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc /y
PID:1852  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop sharedaccess /y
PID:2456  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop 360timeprot /y
PID:2928  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop 360timeprot /y
PID:2896  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop srservice /y
PID:2524  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop srservice /y
PID:1572  C:\Windows\SysWOW64\at.exe  at 7:42:20 PM C:\Windows\Sysinf.bat
PID:832   C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wuauserv /y
PID:2964  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wuauserv /y
PID:1756  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop sharedaccess /y
PID:2844  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc /y
PID:936   C:\Windows\SysWOW64\at.exe  at 7:39:20 PM C:\Windows\Sysinf.bat
PID:2172  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2316  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:604   C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2420  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:1528  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:3040  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r F:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes
PID:2564  C:\Windows\SysWOW64\attrib.exe  attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - Views/modifies file attributes