Analysis

- max time kernel: 2s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:37
Tasks

- Static task: static1
- Behavioral task: behavioral1 (Sample: a26d9e5d11f35a7c611d1a0bfb7be899.exe, Resource: win7-20231215-en)
- Behavioral task: behavioral2 (Sample: a26d9e5d11f35a7c611d1a0bfb7be899.exe, Resource: win10v2004-20231222-en)
General

- Target: a26d9e5d11f35a7c611d1a0bfb7be899.exe
- Size: 959KB
- MD5: a26d9e5d11f35a7c611d1a0bfb7be899
- SHA1: ef5c2587c1c47f3be9ff198adb06b512b326b7a2
- SHA256: 82b649cdc3f2ab838a8b576e7562112eb151d4e75974060251703a2b5af1dc27
- SHA512: 1afba3f95f9ca981f6dbe8a791698f43d1fd58ff2ce21b5527992a30f969e2c95b658aa251bfd37bf69197eddb27612aa7ce444776e4b1ef8ac5964978e3c42e
- SSDEEP: 12288:UZWtI6RkR+erQZb+md4w1U4upOB09a4VeZJys73dOvXDpNjNe8r:UuhaR+erQZb+md4wm9OahVeZJ8NI8r
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe |

Blocks application from running via registry modification (17 IoCs)

Adds application to list of disallowed applications.

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE" | Conhost.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE" | Conhost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | Conhost.exe |

Sets file execution options in registry (2 TTPs, 20 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Conhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe" | Conhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe | Conhost.exe |

Drops file in System32 directory (1 IoC)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Option.bat | a26d9e5d11f35a7c611d1a0bfb7be899.exe |

Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system\KavUpda.exe | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
| File created | C:\Windows\Help\HelpCat.exe | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
| File opened for modification | C:\Windows\Help\HelpCat.exe | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
| File created | C:\Windows\Sysinf.bat | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
| File created | C:\Windows\regedt32.sys | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
| File created | C:\Windows\system\KavUpda.exe | a26d9e5d11f35a7c611d1a0bfb7be899.exe |
Launches sc.exe (8 IoCs)

sc.exe is a Windows utility to control services on the system.

| pid | Process |
|---|---|
| 3132 | sc.exe |
| 4144 | sc.exe |
| 960 | sc.exe |
| 4832 | sc.exe |
| 528 | sc.exe |
| 2944 | sc.exe |
| 400 | sc.exe |
| 3032 | sc.exe |
Runs net.exe

Runs regedit.exe (1 IoC)

| pid | Process |
|---|---|
| 1064 | regedit.exe |

Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
|---|---|
| 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe |

Suspicious use of WriteProcessMemory (57 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3996 wrote to memory of 4720 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 25 |
| PID 3996 wrote to memory of 4720 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 25 |
| PID 3996 wrote to memory of 4720 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 25 |
| PID 3996 wrote to memory of 5048 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 18 |
| PID 3996 wrote to memory of 5048 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 18 |
| PID 3996 wrote to memory of 5048 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 18 |
| PID 5048 wrote to memory of 2964 | 5048 | net.exe | 161 |
| PID 5048 wrote to memory of 2964 | 5048 | net.exe | 161 |
| PID 5048 wrote to memory of 2964 | 5048 | net.exe | 161 |
| PID 3996 wrote to memory of 4356 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 164 |
| PID 3996 wrote to memory of 4356 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 164 |
| PID 3996 wrote to memory of 4356 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 164 |
| PID 3996 wrote to memory of 1596 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 163 |
| PID 3996 wrote to memory of 1596 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 163 |
| PID 3996 wrote to memory of 1596 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 163 |
| PID 3996 wrote to memory of 2168 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 233 |
| PID 3996 wrote to memory of 2168 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 233 |
| PID 3996 wrote to memory of 2168 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 233 |
| PID 3996 wrote to memory of 1600 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 97 |
| PID 3996 wrote to memory of 1600 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 97 |
| PID 3996 wrote to memory of 1600 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 97 |
| PID 3996 wrote to memory of 2324 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 95 |
| PID 3996 wrote to memory of 2324 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 95 |
| PID 3996 wrote to memory of 2324 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 95 |
| PID 3996 wrote to memory of 3440 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 93 |
| PID 3996 wrote to memory of 3440 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 93 |
| PID 3996 wrote to memory of 3440 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 93 |
| PID 3996 wrote to memory of 4840 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 90 |
| PID 3996 wrote to memory of 4840 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 90 |
| PID 3996 wrote to memory of 4840 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 90 |
| PID 3996 wrote to memory of 4928 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 58 |
| PID 3996 wrote to memory of 4928 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 58 |
| PID 3996 wrote to memory of 4928 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 58 |
| PID 3996 wrote to memory of 3032 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 87 |
| PID 3996 wrote to memory of 3032 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 87 |
| PID 3996 wrote to memory of 3032 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 87 |
| PID 3996 wrote to memory of 400 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 84 |
| PID 3996 wrote to memory of 400 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 84 |
| PID 3996 wrote to memory of 400 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 84 |
| PID 3996 wrote to memory of 2944 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 102 |
| PID 3996 wrote to memory of 2944 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 102 |
| PID 3996 wrote to memory of 2944 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 102 |
| PID 3996 wrote to memory of 528 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 79 |
| PID 3996 wrote to memory of 528 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 79 |
| PID 3996 wrote to memory of 528 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 79 |
| PID 3996 wrote to memory of 1064 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 134 |
| PID 3996 wrote to memory of 1064 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 134 |
| PID 3996 wrote to memory of 1064 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 134 |
| PID 3996 wrote to memory of 808 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 77 |
| PID 3996 wrote to memory of 808 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 77 |
| PID 3996 wrote to memory of 808 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 77 |
| PID 3996 wrote to memory of 460 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 61 |
| PID 3996 wrote to memory of 460 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 61 |
| PID 3996 wrote to memory of 460 | 3996 | a26d9e5d11f35a7c611d1a0bfb7be899.exe | 61 |
| PID 2324 wrote to memory of 3616 | 2324 | net.exe | 109 |
| PID 2324 wrote to memory of 3616 | 2324 | net.exe | 109 |
| PID 2324 wrote to memory of 3616 | 2324 | net.exe | 109 |

Views/modifies file attributes (1 TTP, 16 IoCs)

| pid | Process |
|---|---|
| 5064 | attrib.exe |
| 3796 | attrib.exe |
| 3616 | attrib.exe |
| 1140 | attrib.exe |
| 1048 | attrib.exe |
| 1728 | attrib.exe |
| 716 | attrib.exe |
| 1072 | attrib.exe |
| 3704 | attrib.exe |
| 3252 | attrib.exe |
| 5068 | attrib.exe |
| 972 | attrib.exe |
| 5084 | attrib.exe |
| 4424 | attrib.exe |
| 3912 | attrib.exe |
| 4388 | attrib.exe |
Processes

Nesting below follows the parent/child tree reported by the sandbox; each entry gives the image path, the command line, the PID and any signatures attributed to that process.

- PID 3996: C:\Users\Admin\AppData\Local\Temp\a26d9e5d11f35a7c611d1a0bfb7be899.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a26d9e5d11f35a7c611d1a0bfb7be899.exe"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 5048: C:\Windows\SysWOW64\net.exe
    command line: net.exe start schedule /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 2964: C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 start schedule /y
      - PID 2520: C:\Windows\SysWOW64\at.exe
        command line: at 7:39:37 PM C:\Windows\Sysinf.bat
  - PID 4720: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  - PID 4928: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop 360timeprot /y
    - PID 1196: C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop 360timeprot /y
  - PID 460: C:\Windows\SysWOW64\reg.exe
    command line: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - PID 1472: C:\Windows\system\KavUpda.exe
    command line: C:\Windows\system\KavUpda.exe
    - PID 3884: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 2180: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 1164: C:\Windows\SysWOW64\reg.exe
      command line: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    - PID 4700: C:\Windows\SysWOW64\reg.exe
      command line: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    - PID 3132: C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe config srservice start= disabled
      signatures: Launches sc.exe
    - PID 4144: C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe config wscsvc start= disabled
      signatures: Launches sc.exe
    - PID 960: C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe config SharedAccess start= disabled
      signatures: Launches sc.exe
    - PID 4832: C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe config srservice start= disabled
      signatures: Launches sc.exe
    - PID 4424: C:\Windows\SysWOW64\net.exe
      command line: net.exe stop 360timeprot /y
    - PID 3764: C:\Windows\SysWOW64\net.exe
      command line: net.exe stop srservice /y
    - PID 4664: C:\Windows\SysWOW64\net.exe
      command line: net.exe stop wuauserv /y
    - PID 4032: C:\Windows\SysWOW64\net.exe
      command line: net.exe stop sharedaccess /y
    - PID 3296: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 1048: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 2848: C:\Windows\SysWOW64\net.exe
      command line: net.exe stop wscsvc /y
    - PID 2536: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c at 7:42:37 PM C:\Windows\Sysinf.bat
    - PID 2964: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c at 7:39:37 PM C:\Windows\Sysinf.bat
    - PID 3564: C:\Windows\SysWOW64\At.exe
      command line: At.exe 7:40:35 PM C:\Windows\Help\HelpCat.exe
    - PID 3272: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 4328: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 3432: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2012: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 3296: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 3052: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 3884: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2576: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 3092: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 4388: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 5024: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2740: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 1992: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 1772: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 868: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 3440: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 4668: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 4404: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 4672: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 3168: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 2020: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 3392: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 1644: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 4840: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    - PID 4480: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir F:\Autorun.inf /s /q
    - PID 4580: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    - PID 1456: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c rmdir C:\Autorun.inf /s /q
    - PID 3268: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
  - PID 808: C:\Windows\SysWOW64\reg.exe
    command line: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - PID 1064: C:\Windows\SysWOW64\regedit.exe
    command line: regedit.exe /s C:\Windows\regedt32.sys
    signatures: Runs regedit.exe
  - PID 528: C:\Windows\SysWOW64\sc.exe
    command line: C:\Windows\system32\sc.exe config srservice start= disabled
    signatures: Launches sc.exe
  - PID 2944: C:\Windows\SysWOW64\sc.exe
    command line: C:\Windows\system32\sc.exe config wscsvc start= disabled
    signatures: Launches sc.exe
  - PID 400: C:\Windows\SysWOW64\sc.exe
    command line: C:\Windows\system32\sc.exe config SharedAccess start= disabled
    signatures: Launches sc.exe
  - PID 3032: C:\Windows\SysWOW64\sc.exe
    command line: C:\Windows\system32\sc.exe config srservice start= disabled
    signatures: Launches sc.exe
  - PID 4840: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop srservice /y
    - PID 3796: C:\Windows\SysWOW64\attrib.exe
      command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
      signatures: Views/modifies file attributes
  - PID 3440: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop wuauserv /y
    - PID 972: C:\Windows\SysWOW64\attrib.exe
      command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
      signatures: Views/modifies file attributes
  - PID 2324: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop sharedaccess /y
    signatures: Suspicious use of WriteProcessMemory
  - PID 1600: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop wscsvc /y
  - PID 2168: C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c at 7:42:34 PM C:\Windows\Sysinf.bat
  - PID 4388: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop 360timeprot /y
  - PID 1068: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop srservice /y
  - PID 4856: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop wuauserv /y
  - PID 4612: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop sharedaccess /y
  - PID 3004: C:\Windows\SysWOW64\net.exe
    command line: net.exe stop wscsvc /y
  - PID 1596: C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c at 7:39:34 PM C:\Windows\Sysinf.bat
  - PID 4356: C:\Windows\SysWOW64\At.exe
    command line: At.exe 7:40:32 PM C:\Windows\Help\HelpCat.exe
- PID 1624: C:\Windows\SysWOW64\at.exe
  command line: at 7:42:34 PM C:\Windows\Sysinf.bat
- PID 1564: C:\Windows\SysWOW64\at.exe
  command line: at 7:39:34 PM C:\Windows\Sysinf.bat
- PID 3944: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop srservice /y
- PID 4444: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 start schedule /y
- PID 1232: C:\Windows\SysWOW64\net.exe
  command line: net.exe start schedule /y
- PID 336: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
- PID 1440: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wuauserv /y
- PID 5080: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wscsvc /y
- PID 3616: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop sharedaccess /y
- PID 2944: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- PID 1028: C:\Windows\SysWOW64\at.exe
  command line: at 7:42:37 PM C:\Windows\Sysinf.bat
- PID 4312: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wscsvc /y
- PID 3616: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 4416: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop 360timeprot /y
- PID 1688: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop 360timeprot /y
- PID 3680: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop sharedaccess /y
- PID 4376: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop srservice /y
- PID 208: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wuauserv /y
- PID 2024: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wscsvc /y
- PID 3052: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop sharedaccess /y
  - PID 1728: C:\Windows\SysWOW64\attrib.exe
    command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    signatures: Views/modifies file attributes
- PID 372: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop srservice /y
- PID 2168: C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop wuauserv /y
- PID 1064: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  signatures: Modifies visibility of file extensions in Explorer; Blocks application from running via registry modification; Sets file execution options in registry
- PID 3252: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 1140: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 1048: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 5068: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 716: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 2168: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- PID 5084: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 4388: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 1072: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 5064: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 4424: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 3912: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r F:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes
- PID 3704: C:\Windows\SysWOW64\attrib.exe
  command line: attrib -s -h -r C:\Autorun.inf\*.* /s /d
  signatures: Views/modifies file attributes