Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
07/01/2024, 19:36
Static task
static1
Behavioral task
behavioral1
Sample
a559c11bbcbce51b55b0c4c732c77453.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a559c11bbcbce51b55b0c4c732c77453.exe
Resource
win10v2004-20231215-en
General
-
Target
a559c11bbcbce51b55b0c4c732c77453.exe
-
Size
4.1MB
-
MD5
a559c11bbcbce51b55b0c4c732c77453
-
SHA1
f9d6710bc7643c763fc3e5339f525c0ef0aed171
-
SHA256
fd41d4eac5882713ed3aee01dcd191e4c283fd7479abcf50ba83a5e16a9c9868
-
SHA512
c9c32f745c32e28a713248a69755da0e3a7aee8c4fe242536a54110089f09c5310ffd3a99e67468bb252cd117ffec3b59cce9743b9d520b9bb4f8327eada4a31
-
SSDEEP
24576:UuhaXOWOA2eZJ8NI8GOWOA2eZJ8NI8GOWOA2eZJ8NI8GOWOA2eZJ8NI8/uYOWOAJ:by8q8q8q8WQ8q8q8q8Wd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" regedit.exe
Blocks application from running via registry modification 17 IoCs
Adds application to list of disallowed applications.
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE" regedit.exe
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" regedit.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE" regedit.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" regedit.exe
Sets file execution options in registry 2 TTPs 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe" regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe regedit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE regedit.exe
Executes dropped EXE 3 IoCs
pid Process
372 KavUpda.exe
4916 a559c11bbcbce51b55b0c4c732c77453~4.exe
3212 KavUpda.exe
resource yara_rule
behavioral2/memory/4916-91-0x0000000000400000-0x0000000000440000-memory.dmp upx
behavioral2/memory/4916-33-0x0000000000400000-0x0000000000440000-memory.dmp upx
behavioral2/files/0x000f000000023139-32.dat upx
behavioral2/memory/4916-114-0x0000000000400000-0x0000000000440000-memory.dmp upx
behavioral2/memory/4916-393-0x0000000000400000-0x0000000000440000-memory.dmp upx
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\Autorun.inf KavUpda.exe
File opened for modification F:\Autorun.inf KavUpda.exe
Drops file in System32 directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\ExceRes a559c11bbcbce51b55b0c4c732c77453~4.exe
File created C:\Windows\SysWOW64\Option.bat a559c11bbcbce51b55b0c4c732c77453.exe
File opened for modification C:\Windows\SysWOW64\Option.bat KavUpda.exe
File opened for modification C:\Windows\SysWOW64\Option.bat a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Windows\SysWOW64\Option.bat KavUpda.exe
Drops file in Program Files directory 34 IoCs
description ioc Process
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\7-Zip\7z.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\OpenMeasure.xls a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\dotnet\dotnet.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
Drops file in Windows directory 17 IoCs
description ioc Process
File opened for modification C:\Windows\system\KavUpda.exe KavUpda.exe
File opened for modification C:\Windows\system\KavUpda.exe KavUpda.exe
File opened for modification C:\Windows\regedt32.sys KavUpda.exe
File opened for modification C:\Windows\Sysinf.bat a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Windows\regedt32.sys a559c11bbcbce51b55b0c4c732c77453~4.exe
File created C:\Windows\regedt32.sys a559c11bbcbce51b55b0c4c732c77453~4.exe
File opened for modification C:\Windows\system\KavUpda.exe a559c11bbcbce51b55b0c4c732c77453~4.exe
File created C:\Windows\Sysinf.bat a559c11bbcbce51b55b0c4c732c77453.exe
File opened for modification C:\Windows\Sysinf.bat KavUpda.exe
File opened for modification C:\Windows\regedt32.sys KavUpda.exe
File created C:\Windows\regedt32.sys KavUpda.exe
File opened for modification C:\Windows\Sysinf.bat KavUpda.exe
File created C:\Windows\regedt32.sys KavUpda.exe
File opened for modification C:\Windows\system\KavUpda.exe a559c11bbcbce51b55b0c4c732c77453.exe
File created C:\Windows\Help\HelpCat.exe a559c11bbcbce51b55b0c4c732c77453.exe
File opened for modification C:\Windows\Help\HelpCat.exe a559c11bbcbce51b55b0c4c732c77453.exe
File created C:\Windows\regedt32.sys a559c11bbcbce51b55b0c4c732c77453.exe
Launches sc.exe 16 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 3364 sc.exe 1540 sc.exe 3972 sc.exe 4508 sc.exe 4400 sc.exe 4996 sc.exe 3636 sc.exe 3536 sc.exe 4004 sc.exe 4780 sc.exe 4476 sc.exe 1032 sc.exe 4476 sc.exe 3992 sc.exe 4388 sc.exe 3188 sc.exe -
Runs net.exe
-
Runs regedit.exe 1 IoCs
pid Process 644 regedit.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3164 a559c11bbcbce51b55b0c4c732c77453.exe 372 KavUpda.exe 4916 a559c11bbcbce51b55b0c4c732c77453~4.exe 3212 KavUpda.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 16 IoCs
pid Process 3188 attrib.exe 316 attrib.exe 2044 attrib.exe 4472 attrib.exe 2640 attrib.exe 1084 attrib.exe 4296 attrib.exe 532 attrib.exe 4372 attrib.exe 3364 attrib.exe 1452 attrib.exe 456 attrib.exe 2056 attrib.exe 4216 attrib.exe 1316 attrib.exe 4068 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453.exe"C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\net.exenet.exe start schedule /y2⤵
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y3⤵PID:3352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat2⤵PID:976
-
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\regedt32.sys2⤵
- Modifies visibility of file extensions in Explorer
- Blocks application from running via registry modification
- Sets file execution options in registry
- Runs regedit.exe
PID:644
-
-
C:\Windows\system\KavUpda.exeC:\Windows\system\KavUpda.exe2⤵
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:372 -
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:3844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4376
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:3004
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:4432
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:2852
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵PID:1308
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵PID:2528
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
PID:1032
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled3⤵
- Launches sc.exe
PID:4476
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled3⤵
- Launches sc.exe
PID:3636
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
PID:3188
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y3⤵PID:2396
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y3⤵PID:4572
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y3⤵PID:3580
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y3⤵PID:4092
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y3⤵PID:2708
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 7:41:35 PM C:\Windows\Sysinf.bat3⤵PID:3220
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 7:38:35 PM C:\Windows\Sysinf.bat3⤵PID:2916
-
-
C:\Windows\SysWOW64\At.exeAt.exe 7:39:33 PM C:\Windows\Help\HelpCat.exe3⤵PID:3800
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:3968
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:4840
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
- Suspicious use of WriteProcessMemory
PID:3036
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:5020
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:800
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:3932
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:2332
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:4064
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:3800
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:4296
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:4276
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:4072
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:4216
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:1224
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:1092
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:1316
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:4300
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:316
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:3652
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:3800
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:4068
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:5008
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:1932
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:1596
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:3932
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:3364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:3832
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵PID:4840
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
PID:4472
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:4876
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵PID:1932
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵PID:4660
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵PID:5072
-
-
depth | PID | image | command line
3 | 932 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
2 | 2076 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
2 | 4456 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
2 | 3364 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
2 | 3536 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config wscsvc start= disabled
- Launches sc.exe
2 | 4004 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config SharedAccess start= disabled
- Launches sc.exe
2 | 1540 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
2 | 3376 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
2 | 3036 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
2 | 4420 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
2 | 4796 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
- Suspicious use of WriteProcessMemory
2 | 1468 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
- Suspicious use of WriteProcessMemory
2 | 4972 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:41:32 PM C:\Windows\Sysinf.bat
2 | 672 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:38:32 PM C:\Windows\Sysinf.bat
2 | 2396 | C:\Windows\SysWOW64\At.exe | At.exe 7:39:30 PM C:\Windows\Help\HelpCat.exe
3 | 3344 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
3 | 1076 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2 | 4916 | C:\Users\Admin\AppData\Local\Temp\a559c11bbcbce51b55b0c4c732c77453~4.exe | a559c11bbcbce51b55b0c4c732c77453~4.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
1 | 1060 | C:\Windows\SysWOW64\at.exe | at 7:38:32 PM C:\Windows\Sysinf.bat
1 | 4376 | C:\Windows\SysWOW64\at.exe | at 7:41:32 PM C:\Windows\Sysinf.bat
1 | 1232 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
1 | 4396 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule /y
1 | 4472 | C:\Windows\SysWOW64\net.exe | net.exe start schedule /y
1 | 3892 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
1 | 4556 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
1 | 1708 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
1 | 1916 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
1 | 3192 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
1 | 4420 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of WriteProcessMemory
1 | 3036 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
1 | 4820 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
1 | 1084 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 4588 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule /y
1 | 4396 | C:\Windows\SysWOW64\at.exe | at 7:41:35 PM C:\Windows\Sysinf.bat
1 | 696 | C:\Windows\SysWOW64\at.exe | at 7:38:35 PM C:\Windows\Sysinf.bat
1 | 1564 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
1 | 3600 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
1 | 4456 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 3992 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config wscsvc start= disabled
- Launches sc.exe
2 | 672 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 2528 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
1 | 4972 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
1 | 3844 | C:\Windows\SysWOW64\at.exe | at 7:38:38 PM C:\Windows\Sysinf.bat
1 | 4860 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule /y
1 | 1076 | C:\Windows\SysWOW64\net.exe | net.exe start schedule /y
1 | 1396 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
1 | 3212 | C:\Windows\system\KavUpda.exe | C:\Windows\system\KavUpda.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
2 | 4508 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
2 | 4672 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
2 | 4116 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
2 | 4996 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config wscsvc start= disabled
- Launches sc.exe
2 | 4400 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config SharedAccess start= disabled
- Launches sc.exe
2 | 4388 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
2 | 4904 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
2 | 1072 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
2 | 2024 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
2 | 3416 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
2 | 1952 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
2 | 1316 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:41:41 PM C:\Windows\Sysinf.bat
2 | 4360 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:38:41 PM C:\Windows\Sysinf.bat
2 | 3632 | C:\Windows\SysWOW64\At.exe | At.exe 7:39:39 PM C:\Windows\Help\HelpCat.exe
1 | 2128 | C:\Windows\SysWOW64\at.exe | at 7:41:38 PM C:\Windows\Sysinf.bat
1 | 4672 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
1 | 4588 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
1 | 1308 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
1 | 5100 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
1 | 1452 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 4024 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
2 | 2180 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
1 | 3972 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
1 | 4780 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config SharedAccess start= disabled
- Launches sc.exe
1 | 4476 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
- Launches sc.exe
1 | 1420 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
1 | 8 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
1 | 1472 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
1 | 4504 | C:\Windows\SysWOW64\at.exe | at 7:38:41 PM C:\Windows\Sysinf.bat
1 | 404 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
1 | 2076 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
1 | 1980 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
1 | 5096 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
1 | 3364 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
1 | 472 | C:\Windows\SysWOW64\at.exe | at 7:41:41 PM C:\Windows\Sysinf.bat
1 | 3976 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
1 | 1620 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
1 | 4972 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 3872 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
1 | 2600 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
1 | 4876 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
1 | 3536 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 3288 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
1 | 3992 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 4024 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
1 | 2176 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
1 | 4332 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
1 | 1732 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
1 | 1072 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
1 | 2788 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:41:38 PM C:\Windows\Sysinf.bat
1 | 4568 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 7:38:38 PM C:\Windows\Sysinf.bat
1 | 456 | C:\Windows\SysWOW64\At.exe | At.exe 7:39:36 PM C:\Windows\Help\HelpCat.exe
1 | 4504 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 4876 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 1836 | C:\Windows\SysWOW64\net.exe | net.exe start schedule /y
1 | 1440 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
1 | 1836 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 456 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 2056 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 2788 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 3344 | C:\Windows\System32\sihclient.exe | C:\Windows\System32\sihclient.exe /cv bg67Zd8rVEeu2LmkuSOXIw.0.2
1 | 3188 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 316 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 4372 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
1 | 2640 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads