Analysis
max time kernel: 150s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 06:31

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: ade99c01a1e92f6dc5c4a4bfec9649e3.exe
Resource: win7-20240221-en
8 signatures, 150 seconds
General
Target: ade99c01a1e92f6dc5c4a4bfec9649e3.exe
Size: 98KB
MD5: ade99c01a1e92f6dc5c4a4bfec9649e3
SHA1: 21a66edc54dcb6ec86007a7a696eb08b98ab36f6
SHA256: f007989340d051c2715bedb1bd5d4736cd90dde2453591e4614c3787dae9b126
SHA512: d86653c1c2a0b93648e379ee793c830db237385d9cee8718d2eb87a3aa46a5594d18029d54026f8dea02e24be31b87dc19eb2d9d4e786dfefe07998324df87e7
SSDEEP: 1536:s2XG4+6SPT8X1Yy6GR+R4n35HaAEWpeUPawcYRgtmz3OENtlesuR3Up3/R:s+G4sPoX1HRZ3NE4e8awP+tmSIc36/R
Malware Config

Signatures

Detect Lumma Stealer payload V4 (64 IoCs)
resource | yara_rule
behavioral2/memory/1484-228-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4516-347-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2276-352-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2548-464-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2276-580-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1748-588-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3076-703-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/432-822-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1448-935-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2056-943-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2668-1052-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3880-1060-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2056-1171-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3612-1176-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3880-1286-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3612-1405-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1776-1528-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2880-1522-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3144-1640-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3516-1645-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1776-1754-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3516-1873-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1804-1985-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4504-1989-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4500-2098-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4504-2211-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4948-2215-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4784-2322-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4948-2434-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1900-2547-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3100-2552-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3020-2660-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1384-2665-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3100-2775-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1384-2888-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3752-2893-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3308-3002-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3752-3112-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1800-3224-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/5000-3229-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1516-3337-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/5000-3449-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3112-3455-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4436-3551-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3368-3568-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3112-3677-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3368-3787-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3156-3793-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3664-3902-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3156-4014-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4208-4017-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1512-4023-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2268-4132-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/1512-4137-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3416-4142-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3212-4250-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3416-4365-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3952-4478-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4092-4590-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4640-4703-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/4968-4813-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3944-4819-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/2100-4928-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
behavioral2/memory/3944-5038-0x0000000000400000-0x000000000048A000-memory.dmp | family_lumma_v4
Modifies security service (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" |
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" |
Executes dropped EXE (64 IoCs)
pid | Process
4516 | jrmsat.com
2548 | rvxxse.com
2276 | brppzy.com
1748 | lqbnsx.com
3076 | wirkwn.com
432 | jcxaia.com
1448 | wphqoe.com
2668 | gkiivy.com
2056 | tjcley.com
3880 | gzfnug.com
3612 | tmpdak.com
2880 | hwvgdk.com
3144 | qhkqqf.com
1776 | eqrbte.com
3516 | omslbz.com
1804 | bgybul.com
4500 | lbzlcg.com
4504 | bozggl.com
4784 | lqorto.com
4948 | wiewye.com
1900 | jzhrhm.com
3020 | winckm.com
3100 | gtcmfp.com
1384 | tcjpip.com
3308 | dfyzvs.com
3752 | tgvhwt.com
1800 | enzfhr.com
1516 | oxpkui.com
5000 | bwjncq.com
4436 | oqpcou.com
3112 | blhsty.com
3368 | dgidbt.com
3664 | totlik.com
3156 | awhdca.com
4208 | qmaljj.com
2268 | vjxtok.com
1512 | nywyzm.com
3212 | eztoav.com
3416 | ojiynq.com
3952 | yfbjvk.com
4092 | lstybo.com
4640 | yfkops.com
4968 | lsueuw.com
2100 | wrgjfu.com
3944 | gykhpt.com
468 | tpfjyt.com
4820 | dhvhlk.com
944 | tarcuf.com
448 | btqcbm.com
1640 | taahgf.com
1880 | aiohsd.com
2488 | qmwcwi.com
3484 | wstkkj.com
528 | qyivkm.com
1456 | yfwnfj.com
3976 | ogtvgk.com
4912 | yfxsqj.com
2436 | lhdicv.com
5068 | vdesjq.com
3652 | iqvqpu.com
752 | voqtgu.com
4932 | yjtikh.com
1356 | quhise.com
3804 | bmwgxd.com
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\azjqry.com | nmralu.com
File created | \??\c:\windows\SysWOW64\sm1.bat | raenvc.com
File opened for modification | C:\Windows\SysWOW64\johyvj.com | xpmdeb.com
File opened for modification | C:\Windows\SysWOW64\rpkjos.com | egeglt.com
File created | \??\c:\windows\SysWOW64\sm1.bat |
File opened for modification | C:\Windows\SysWOW64\nstnny.com |
File opened for modification | C:\Windows\SysWOW64\iefvsj.com | ybplxg.com
File created | \??\c:\windows\SysWOW64\sm1.bat | lbzlcg.com
File created | C:\Windows\SysWOW64\dbbdns.com | pojnho.com
File opened for modification | C:\Windows\SysWOW64\kshpvs.com | xfqzpo.com
File created | C:\Windows\SysWOW64\jecipz.com | zxxkea.com
File opened for modification | C:\Windows\SysWOW64\wmuhzo.com | mufjny.com
File created | C:\Windows\SysWOW64\hfutpp.com | tdnqmq.com
File created | C:\Windows\SysWOW64\qvjobd.com |
File created | \??\c:\windows\SysWOW64\sm1.bat |
File opened for modification | C:\Windows\SysWOW64\afxyzp.com | lxmqsy.com
File created | \??\c:\windows\SysWOW64\sm1.bat | kfrmum.com
File opened for modification | C:\Windows\SysWOW64\pojnho.com | cbsxbk.com
File created | C:\Windows\SysWOW64\bmkqfj.com | zzhokj.com
File opened for modification | C:\Windows\SysWOW64\zosxlq.com | ppoatr.com
File opened for modification | C:\Windows\SysWOW64\tdnqmq.com | giwaym.com
File opened for modification | C:\Windows\SysWOW64\ncrosh.com | askdph.com
File created | \??\c:\windows\SysWOW64\sm1.bat | hcknbg.com
File opened for modification | C:\Windows\SysWOW64\jlontf.com | eutklx.com
File created | C:\Windows\SysWOW64\cmcfkb.com |
File opened for modification | C:\Windows\SysWOW64\ekcjxm.com |
File opened for modification | \??\c:\windows\SysWOW64\sm1.bat | ugqcqr.com
File opened for modification | C:\Windows\SysWOW64\eonlwa.com | rpkjos.com
File created | \??\c:\windows\SysWOW64\sm1.bat | gaqzhe.com
File created | C:\Windows\SysWOW64\kuozpy.com |
File created | \??\c:\windows\SysWOW64\sm1.bat | ppoatr.com
File created | C:\Windows\SysWOW64\wwvbbc.com | jyszku.com
File created | C:\Windows\SysWOW64\jditdy.com | vqrdxu.com
File opened for modification | \??\c:\windows\SysWOW64\sm1.bat |
File created | \??\c:\windows\SysWOW64\sm1.bat | gxjtac.com
File opened for modification | C:\Windows\SysWOW64\aommcm.com | nqkjue.com
File opened for modification | C:\Windows\SysWOW64\ekdoil.com |
File opened for modification | C:\Windows\SysWOW64\omslbz.com | eqrbte.com
File created | C:\Windows\SysWOW64\vvaeei.com | klkgzs.com
File opened for modification | C:\Windows\SysWOW64\qummmr.com |
File created | C:\Windows\SysWOW64\epqumg.com |
File created | \??\c:\windows\SysWOW64\sm1.bat |
File created | \??\c:\windows\SysWOW64\sm1.bat | vxwjee.com
File created | C:\Windows\SysWOW64\mskgyw.com |
File opened for modification | C:\Windows\SysWOW64\rgqpas.com |
File created | C:\Windows\SysWOW64\udugjo.com | hfzmbg.com
File created | \??\c:\windows\SysWOW64\sm1.bat | pjnujt.com
File created | C:\Windows\SysWOW64\gjbizf.com | ttzfqx.com
File created | C:\Windows\SysWOW64\gvaexa.com | wwwhnb.com
File created | \??\c:\windows\SysWOW64\sm1.bat |
File opened for modification | C:\Windows\SysWOW64\lhyaqd.com |
File opened for modification | C:\Windows\SysWOW64\ojiynq.com | eztoav.com
File created | \??\c:\windows\SysWOW64\sm1.bat | pzyyuh.com
File opened for modification | C:\Windows\SysWOW64\xfqzpo.com | ksyjjs.com
File created | C:\Windows\SysWOW64\pvzugx.com | capxat.com
File created | C:\Windows\SysWOW64\ojqhmv.com | bwgsgs.com
File created | \??\c:\windows\SysWOW64\sm1.bat |
File created | C:\Windows\SysWOW64\uilons.com | knkwfy.com
File opened for modification | C:\Windows\SysWOW64\hrtpfl.com | whdsau.com
File created | \??\c:\windows\SysWOW64\sm1.bat |
File created | C:\Windows\SysWOW64\nutoby.com |
File opened for modification | C:\Windows\SysWOW64\odbnmn.com |
File opened for modification | C:\Windows\SysWOW64\tpfjyt.com | gykhpt.com
File opened for modification | C:\Windows\SysWOW64\swpngc.com | ilaclz.com
Runs .reg file with regedit (64 IoCs)
pid | Process
6584 |
2552 | regedit.exe
4520 | regedit.exe
6068 |
3844 | regedit.exe
4272 |
7040 |
3780 | regedit.exe
4180 | regedit.exe
228 | regedit.exe
1200 |
4228 |
4608 | regedit.exe
5720 |
5432 |
7056 |
4576 |
5724 |
5632 |
5756 |
2044 | regedit.exe
4016 | regedit.exe
6912 |
1164 |
1368 | regedit.exe
5624 |
4632 |
4928 | regedit.exe
1404 |
1564 | regedit.exe
4604 | regedit.exe
1988 | regedit.exe
6664 |
7068 |
4892 | regedit.exe
4580 |
5880 |
3404 | regedit.exe
5924 |
5140 |
728 | regedit.exe
4656 | regedit.exe
5920 | regedit.exe
3360 | regedit.exe
5112 | regedit.exe
6264 |
4944 |
5580 |
6612 |
3176 | regedit.exe
5992 |
4552 |
5792 | regedit.exe
5196 | regedit.exe
5920 | regedit.exe
3884 |
3624 | regedit.exe
1836 | regedit.exe
4580 | regedit.exe
1580 | regedit.exe
1644 |
6524 |
5716 | regedit.exe
5560 |
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1484 wrote to memory of 404 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 86
PID 1484 wrote to memory of 404 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 86
PID 1484 wrote to memory of 404 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 86
PID 404 wrote to memory of 2352 | 404 | cmd.exe | 87
PID 404 wrote to memory of 2352 | 404 | cmd.exe | 87
PID 404 wrote to memory of 2352 | 404 | cmd.exe | 87
PID 1484 wrote to memory of 4516 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 88
PID 1484 wrote to memory of 4516 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 88
PID 1484 wrote to memory of 4516 | 1484 | ade99c01a1e92f6dc5c4a4bfec9649e3.exe | 88
PID 4516 wrote to memory of 1932 | 4516 | jrmsat.com | 89
PID 4516 wrote to memory of 1932 | 4516 | jrmsat.com | 89
PID 4516 wrote to memory of 1932 | 4516 | jrmsat.com | 89
PID 1932 wrote to memory of 4992 | 1932 | cmd.exe | 90
PID 1932 wrote to memory of 4992 | 1932 | cmd.exe | 90
PID 1932 wrote to memory of 4992 | 1932 | cmd.exe | 90
PID 4516 wrote to memory of 2548 | 4516 | jrmsat.com | 91
PID 4516 wrote to memory of 2548 | 4516 | jrmsat.com | 91
PID 4516 wrote to memory of 2548 | 4516 | jrmsat.com | 91
PID 2548 wrote to memory of 2412 | 2548 | rvxxse.com | 92
PID 2548 wrote to memory of 2412 | 2548 | rvxxse.com | 92
PID 2548 wrote to memory of 2412 | 2548 | rvxxse.com | 92
PID 2412 wrote to memory of 3872 | 2412 | cmd.exe | 94
PID 2412 wrote to memory of 3872 | 2412 | cmd.exe | 94
PID 2412 wrote to memory of 3872 | 2412 | cmd.exe | 94
PID 2548 wrote to memory of 2276 | 2548 | rvxxse.com | 95
PID 2548 wrote to memory of 2276 | 2548 | rvxxse.com | 95
PID 2548 wrote to memory of 2276 | 2548 | rvxxse.com | 95
PID 2276 wrote to memory of 4664 | 2276 | brppzy.com | 96
PID 2276 wrote to memory of 4664 | 2276 | brppzy.com | 96
PID 2276 wrote to memory of 4664 | 2276 | brppzy.com | 96
PID 4664 wrote to memory of 2836 | 4664 | cmd.exe | 98
PID 4664 wrote to memory of 2836 | 4664 | cmd.exe | 98
PID 4664 wrote to memory of 2836 | 4664 | cmd.exe | 98
PID 2276 wrote to memory of 1748 | 2276 | brppzy.com | 99
PID 2276 wrote to memory of 1748 | 2276 | brppzy.com | 99
PID 2276 wrote to memory of 1748 | 2276 | brppzy.com | 99
PID 1748 wrote to memory of 3416 | 1748 | lqbnsx.com | 100
PID 1748 wrote to memory of 3416 | 1748 | lqbnsx.com | 100
PID 1748 wrote to memory of 3416 | 1748 | lqbnsx.com | 100
PID 3416 wrote to memory of 516 | 3416 | cmd.exe | 101
PID 3416 wrote to memory of 516 | 3416 | cmd.exe | 101
PID 3416 wrote to memory of 516 | 3416 | cmd.exe | 101
PID 1748 wrote to memory of 3076 | 1748 | lqbnsx.com | 103
PID 1748 wrote to memory of 3076 | 1748 | lqbnsx.com | 103
PID 1748 wrote to memory of 3076 | 1748 | lqbnsx.com | 103
PID 3076 wrote to memory of 2932 | 3076 | wirkwn.com | 104
PID 3076 wrote to memory of 2932 | 3076 | wirkwn.com | 104
PID 3076 wrote to memory of 2932 | 3076 | wirkwn.com | 104
PID 3076 wrote to memory of 432 | 3076 | wirkwn.com | 106
PID 3076 wrote to memory of 432 | 3076 | wirkwn.com | 106
PID 3076 wrote to memory of 432 | 3076 | wirkwn.com | 106
PID 432 wrote to memory of 4008 | 432 | jcxaia.com | 107
PID 432 wrote to memory of 4008 | 432 | jcxaia.com | 107
PID 432 wrote to memory of 4008 | 432 | jcxaia.com | 107
PID 4008 wrote to memory of 5072 | 4008 | cmd.exe | 108
PID 4008 wrote to memory of 5072 | 4008 | cmd.exe | 108
PID 4008 wrote to memory of 5072 | 4008 | cmd.exe | 108
PID 432 wrote to memory of 1448 | 432 | jcxaia.com | 109
PID 432 wrote to memory of 1448 | 432 | jcxaia.com | 109
PID 432 wrote to memory of 1448 | 432 | jcxaia.com | 109
PID 1448 wrote to memory of 3944 | 1448 | wphqoe.com | 110
PID 1448 wrote to memory of 3944 | 1448 | wphqoe.com | 110
PID 1448 wrote to memory of 3944 | 1448 | wphqoe.com | 110
PID 3944 wrote to memory of 4820 | 3944 | cmd.exe | 111
Processes
(Each entry's depth is its level in the process tree; a depth-N process is a child of the nearest preceding depth N-1 entry.)

[depth 1] C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1484

[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 404

[depth 3] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2352

[depth 2] C:\Windows\SysWOW64\jrmsat.com
  Command line: C:\Windows\system32\jrmsat.com 1208 "C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4516

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 1932

[depth 4] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4992

[depth 3] C:\Windows\SysWOW64\rvxxse.com
  Command line: C:\Windows\system32\rvxxse.com 1164 "C:\Windows\SysWOW64\jrmsat.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2548

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 2412

[depth 5] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 3872

[depth 4] C:\Windows\SysWOW64\brppzy.com
  Command line: C:\Windows\system32\brppzy.com 1172 "C:\Windows\SysWOW64\rvxxse.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2276

[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 4664

[depth 6] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2836

[depth 5] C:\Windows\SysWOW64\lqbnsx.com
  Command line: C:\Windows\system32\lqbnsx.com 1168 "C:\Windows\SysWOW64\brppzy.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1748

[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 3416

[depth 7] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 516

[depth 6] C:\Windows\SysWOW64\wirkwn.com
  Command line: C:\Windows\system32\wirkwn.com 1176 "C:\Windows\SysWOW64\lqbnsx.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3076

[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 2932

[depth 8] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  PID: 1728

[depth 7] C:\Windows\SysWOW64\jcxaia.com
  Command line: C:\Windows\system32\jcxaia.com 1184 "C:\Windows\SysWOW64\wirkwn.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 432

[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 4008

[depth 9] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  PID: 5072

[depth 8] C:\Windows\SysWOW64\wphqoe.com
  Command line: C:\Windows\system32\wphqoe.com 1188 "C:\Windows\SysWOW64\jcxaia.com"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1448

[depth 9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  - Suspicious use of WriteProcessMemory
  PID: 3944

[depth 10] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4820

[depth 9] C:\Windows\SysWOW64\gkiivy.com
  Command line: C:\Windows\system32\gkiivy.com 1180 "C:\Windows\SysWOW64\wphqoe.com"
  - Executes dropped EXE
  PID: 2668

[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 872

[depth 11] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4800

[depth 10] C:\Windows\SysWOW64\tjcley.com
  Command line: C:\Windows\system32\tjcley.com 1196 "C:\Windows\SysWOW64\gkiivy.com"
  - Executes dropped EXE
  PID: 2056

[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 1644

[depth 12] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4280

[depth 11] C:\Windows\SysWOW64\gzfnug.com
  Command line: C:\Windows\system32\gzfnug.com 1200 "C:\Windows\SysWOW64\tjcley.com"
  - Executes dropped EXE
  PID: 3880

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 1364

[depth 13] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4580

[depth 12] C:\Windows\SysWOW64\tmpdak.com
  Command line: C:\Windows\system32\tmpdak.com 1204 "C:\Windows\SysWOW64\gzfnug.com"
  - Executes dropped EXE
  PID: 3612

[depth 13] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 1500

[depth 14] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4076

[depth 13] C:\Windows\SysWOW64\hwvgdk.com
  Command line: C:\Windows\system32\hwvgdk.com 1212 "C:\Windows\SysWOW64\tmpdak.com"
  - Executes dropped EXE
  PID: 2880

[depth 14] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 2556

[depth 15] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 1216

[depth 14] C:\Windows\SysWOW64\qhkqqf.com
  Command line: C:\Windows\system32\qhkqqf.com 1192 "C:\Windows\SysWOW64\hwvgdk.com"
  - Executes dropped EXE
  PID: 3144

[depth 15] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 4540

[depth 16] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2520

[depth 15] C:\Windows\SysWOW64\eqrbte.com
  Command line: C:\Windows\system32\eqrbte.com 1216 "C:\Windows\SysWOW64\qhkqqf.com"
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1776

[depth 16] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 2700

[depth 17] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4968

[depth 16] C:\Windows\SysWOW64\omslbz.com
  Command line: C:\Windows\system32\omslbz.com 1224 "C:\Windows\SysWOW64\eqrbte.com"
  - Executes dropped EXE
  PID: 3516

[depth 17] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 4816

[depth 18] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2996

[depth 17] C:\Windows\SysWOW64\bgybul.com
  Command line: C:\Windows\system32\bgybul.com 1228 "C:\Windows\SysWOW64\omslbz.com"
  - Executes dropped EXE
  PID: 1804

[depth 18] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 2508

[depth 19] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Runs .reg file with regedit
  PID: 3780

[depth 18] C:\Windows\SysWOW64\lbzlcg.com
  Command line: C:\Windows\system32\lbzlcg.com 1232 "C:\Windows\SysWOW64\bgybul.com"
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4500

[depth 19] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 5116

[depth 20] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4228

[depth 19] C:\Windows\SysWOW64\bozggl.com
  Command line: C:\Windows\system32\bozggl.com 1236 "C:\Windows\SysWOW64\lbzlcg.com"
  - Executes dropped EXE
  PID: 4504

[depth 20] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 4456

[depth 21] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 3776

[depth 20] C:\Windows\SysWOW64\lqorto.com
  Command line: C:\Windows\system32\lqorto.com 1220 "C:\Windows\SysWOW64\bozggl.com"
  - Executes dropped EXE
  PID: 4784

[depth 21] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 1116

[depth 22] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 3020

[depth 21] C:\Windows\SysWOW64\wiewye.com
  Command line: C:\Windows\system32\wiewye.com 1240 "C:\Windows\SysWOW64\lqorto.com"
  - Executes dropped EXE
  PID: 4948

[depth 22] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 404

[depth 23] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4588

[depth 22] C:\Windows\SysWOW64\jzhrhm.com
  Command line: C:\Windows\system32\jzhrhm.com 1244 "C:\Windows\SysWOW64\wiewye.com"
  - Executes dropped EXE
  PID: 1900

[depth 23] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 3280

[depth 24] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 456

[depth 23] C:\Windows\SysWOW64\winckm.com
  Command line: C:\Windows\system32\winckm.com 1248 "C:\Windows\SysWOW64\jzhrhm.com"
  - Executes dropped EXE
  PID: 3020

[depth 24] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 3812

[depth 25] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 5060

[depth 24] C:\Windows\SysWOW64\gtcmfp.com
  Command line: C:\Windows\system32\gtcmfp.com 1256 "C:\Windows\SysWOW64\winckm.com"
  - Executes dropped EXE
  PID: 3100

[depth 25] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 3032

[depth 26] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2304

[depth 25] C:\Windows\SysWOW64\tcjpip.com
  Command line: C:\Windows\system32\tcjpip.com 1260 "C:\Windows\SysWOW64\gtcmfp.com"
  - Executes dropped EXE
  PID: 1384

[depth 26] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 1620

[depth 27] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 4356

[depth 26] C:\Windows\SysWOW64\dfyzvs.com
  Command line: C:\Windows\system32\dfyzvs.com 1264 "C:\Windows\SysWOW64\tcjpip.com"
  - Executes dropped EXE
  PID: 3308

[depth 27] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 100

[depth 28] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  PID: 2384

[depth 27] C:\Windows\SysWOW64\tgvhwt.com
  Command line: C:\Windows\system32\tgvhwt.com 1252 "C:\Windows\SysWOW64\dfyzvs.com"
  - Executes dropped EXE
  PID: 3752

[depth 28] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 2996

[depth 29] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2700

[depth 28] C:\Windows\SysWOW64\enzfhr.com
  Command line: C:\Windows\system32\enzfhr.com 1272 "C:\Windows\SysWOW64\tgvhwt.com"
  - Executes dropped EXE
  PID: 1800

[depth 29] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat
  PID: 4584

[depth 30] C:\Windows\SysWOW64\regedit.exe
  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  PID: 2120

[depth 29] C:\Windows\SysWOW64\oxpkui.com
  Command line: C:\Windows\system32\oxpkui.com 1276 "C:\Windows\SysWOW64\enzfhr.com"
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat30⤵PID:708
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg31⤵PID:872
-
-
-
C:\Windows\SysWOW64\bwjncq.comC:\Windows\system32\bwjncq.com 1280 "C:\Windows\SysWOW64\oxpkui.com"30⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat31⤵PID:2492
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg32⤵
- Runs .reg file with regedit
PID:4608
-
-
-
C:\Windows\SysWOW64\oqpcou.comC:\Windows\system32\oqpcou.com 1284 "C:\Windows\SysWOW64\bwjncq.com"31⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat32⤵PID:1920
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg33⤵PID:2324
-
-
-
C:\Windows\SysWOW64\blhsty.comC:\Windows\system32\blhsty.com 1288 "C:\Windows\SysWOW64\oqpcou.com"32⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat33⤵PID:2972
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg34⤵PID:4224
-
-
-
C:\Windows\SysWOW64\dgidbt.comC:\Windows\system32\dgidbt.com 1268 "C:\Windows\SysWOW64\blhsty.com"33⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat34⤵PID:2260
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg35⤵PID:4932
-
-
-
C:\Windows\SysWOW64\totlik.comC:\Windows\system32\totlik.com 1292 "C:\Windows\SysWOW64\dgidbt.com"34⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat35⤵PID:1460
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg36⤵PID:1368
-
-
-
C:\Windows\SysWOW64\awhdca.comC:\Windows\system32\awhdca.com 1296 "C:\Windows\SysWOW64\totlik.com"35⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat36⤵PID:3484
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg37⤵PID:4092
-
-
-
C:\Windows\SysWOW64\qmaljj.comC:\Windows\system32\qmaljj.com 1300 "C:\Windows\SysWOW64\awhdca.com"36⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat37⤵PID:2552
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg38⤵PID:2540
-
-
-
C:\Windows\SysWOW64\vjxtok.comC:\Windows\system32\vjxtok.com 1304 "C:\Windows\SysWOW64\qmaljj.com"37⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat38⤵PID:4996
-
-
C:\Windows\SysWOW64\nywyzm.comC:\Windows\system32\nywyzm.com 1312 "C:\Windows\SysWOW64\vjxtok.com"38⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat39⤵PID:2500
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg40⤵PID:1904
-
-
-
C:\Windows\SysWOW64\eztoav.comC:\Windows\system32\eztoav.com 1308 "C:\Windows\SysWOW64\nywyzm.com"39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat40⤵PID:3980
-
-
C:\Windows\SysWOW64\ojiynq.comC:\Windows\system32\ojiynq.com 1320 "C:\Windows\SysWOW64\eztoav.com"40⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat41⤵PID:3956
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg42⤵PID:3588
-
-
-
C:\Windows\SysWOW64\yfbjvk.comC:\Windows\system32\yfbjvk.com 1316 "C:\Windows\SysWOW64\ojiynq.com"41⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat42⤵PID:4244
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg43⤵PID:100
-
-
-
C:\Windows\SysWOW64\lstybo.comC:\Windows\system32\lstybo.com 1324 "C:\Windows\SysWOW64\yfbjvk.com"42⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat43⤵PID:3624
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg44⤵PID:868
-
-
-
C:\Windows\SysWOW64\yfkops.comC:\Windows\system32\yfkops.com 1332 "C:\Windows\SysWOW64\lstybo.com"43⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat44⤵PID:4664
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg45⤵PID:3104
-
-
-
C:\Windows\SysWOW64\lsueuw.comC:\Windows\system32\lsueuw.com 1328 "C:\Windows\SysWOW64\yfkops.com"44⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat45⤵PID:2560
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg46⤵PID:1896
-
-
-
C:\Windows\SysWOW64\wrgjfu.comC:\Windows\system32\wrgjfu.com 1336 "C:\Windows\SysWOW64\lsueuw.com"45⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat46⤵PID:228
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg47⤵PID:2996
-
-
-
C:\Windows\SysWOW64\gykhpt.comC:\Windows\system32\gykhpt.com 1344 "C:\Windows\SysWOW64\wrgjfu.com"46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat47⤵PID:4472
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg48⤵PID:4716
-
-
-
C:\Windows\SysWOW64\tpfjyt.comC:\Windows\system32\tpfjyt.com 1340 "C:\Windows\SysWOW64\gykhpt.com"47⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat48⤵PID:4824
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg49⤵PID:2444
-
-
-
C:\Windows\SysWOW64\dhvhlk.comC:\Windows\system32\dhvhlk.com 1352 "C:\Windows\SysWOW64\tpfjyt.com"48⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat49⤵PID:2384
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg50⤵PID:2324
-
-
-
C:\Windows\SysWOW64\tarcuf.comC:\Windows\system32\tarcuf.com 1348 "C:\Windows\SysWOW64\dhvhlk.com"49⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat50⤵PID:5044
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg51⤵PID:1764
-
-
-
C:\Windows\SysWOW64\btqcbm.comC:\Windows\system32\btqcbm.com 1356 "C:\Windows\SysWOW64\tarcuf.com"50⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat51⤵PID:1212
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg52⤵PID:3684
-
-
-
C:\Windows\SysWOW64\taahgf.comC:\Windows\system32\taahgf.com 1360 "C:\Windows\SysWOW64\btqcbm.com"51⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat52⤵PID:4484
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg53⤵PID:3404
-
-
-
C:\Windows\SysWOW64\aiohsd.comC:\Windows\system32\aiohsd.com 1368 "C:\Windows\SysWOW64\taahgf.com"52⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat53⤵PID:4584
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg54⤵
- Runs .reg file with regedit
PID:3624
-
-
-
C:\Windows\SysWOW64\qmwcwi.comC:\Windows\system32\qmwcwi.com 1372 "C:\Windows\SysWOW64\aiohsd.com"53⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat54⤵PID:436
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg55⤵PID:3960
-
-
-
C:\Windows\SysWOW64\wstkkj.comC:\Windows\system32\wstkkj.com 1364 "C:\Windows\SysWOW64\qmwcwi.com"54⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat55⤵PID:3512
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg56⤵PID:3932
-
-
-
C:\Windows\SysWOW64\qyivkm.comC:\Windows\system32\qyivkm.com 1376 "C:\Windows\SysWOW64\wstkkj.com"55⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat56⤵PID:4376
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg57⤵PID:4828
-
-
-
C:\Windows\SysWOW64\yfwnfj.comC:\Windows\system32\yfwnfj.com 1384 "C:\Windows\SysWOW64\qyivkm.com"56⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat57⤵PID:680
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg58⤵PID:1044
-
-
-
C:\Windows\SysWOW64\ogtvgk.comC:\Windows\system32\ogtvgk.com 1388 "C:\Windows\SysWOW64\yfwnfj.com"57⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat58⤵PID:4812
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg59⤵PID:4324
-
-
-
C:\Windows\SysWOW64\yfxsqj.comC:\Windows\system32\yfxsqj.com 1380 "C:\Windows\SysWOW64\ogtvgk.com"58⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat59⤵PID:4796
-
-
C:\Windows\SysWOW64\lhdicv.comC:\Windows\system32\lhdicv.com 1400 "C:\Windows\SysWOW64\yfxsqj.com"59⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat60⤵PID:2580
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg61⤵PID:4856
-
-
-
C:\Windows\SysWOW64\vdesjq.comC:\Windows\system32\vdesjq.com 1396 "C:\Windows\SysWOW64\lhdicv.com"60⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat61⤵PID:1768
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg62⤵
- Modifies security service
- Runs .reg file with regedit
PID:2552
-
-
-
C:\Windows\SysWOW64\iqvqpu.comC:\Windows\system32\iqvqpu.com 1392 "C:\Windows\SysWOW64\vdesjq.com"61⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat62⤵PID:2688
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg63⤵PID:1784
-
-
-
C:\Windows\SysWOW64\voqtgu.comC:\Windows\system32\voqtgu.com 1408 "C:\Windows\SysWOW64\iqvqpu.com"62⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat63⤵PID:4996
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg64⤵PID:4964
-
-
-
C:\Windows\SysWOW64\yjtikh.comC:\Windows\system32\yjtikh.com 1036 "C:\Windows\SysWOW64\voqtgu.com"63⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat64⤵PID:4076
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg65⤵PID:4388
-
-
-
C:\Windows\SysWOW64\quhise.comC:\Windows\system32\quhise.com 1412 "C:\Windows\SysWOW64\yjtikh.com"64⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat65⤵PID:4664
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg66⤵PID:1336
-
-
-
C:\Windows\SysWOW64\bmwgxd.comC:\Windows\system32\bmwgxd.com 1416 "C:\Windows\SysWOW64\quhise.com"65⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat66⤵PID:3940
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg67⤵PID:3404
-
-
-
C:\Windows\SysWOW64\lxmqsy.comC:\Windows\system32\lxmqsy.com 1420 "C:\Windows\SysWOW64\bmwgxd.com"66⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\afxyzp.comC:\Windows\system32\afxyzp.com 1424 "C:\Windows\SysWOW64\lxmqsy.com"67⤵PID:2836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat68⤵PID:1036
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg69⤵
- Modifies security service
PID:3776
-
-
-
C:\Windows\SysWOW64\ifwyfw.comC:\Windows\system32\ifwyfw.com 1432 "C:\Windows\SysWOW64\afxyzp.com"68⤵PID:4524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat69⤵PID:3032
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg70⤵PID:1988
-
-
-
C:\Windows\SysWOW64\txmwkm.comC:\Windows\system32\txmwkm.com 1428 "C:\Windows\SysWOW64\ifwyfw.com"69⤵PID:4760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat70⤵PID:4540
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg71⤵PID:4632
-
-
-
C:\Windows\SysWOW64\dabgfp.comC:\Windows\system32\dabgfp.com 1436 "C:\Windows\SysWOW64\txmwkm.com"70⤵PID:4324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat71⤵PID:1560
-
-
C:\Windows\SysWOW64\vlphfm.comC:\Windows\system32\vlphfm.com 1444 "C:\Windows\SysWOW64\dabgfp.com"71⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat72⤵PID:2508
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg73⤵PID:440
-
-
-
C:\Windows\SysWOW64\gztzpy.comC:\Windows\system32\gztzpy.com 1448 "C:\Windows\SysWOW64\vlphfm.com"72⤵PID:1212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat73⤵PID:1540
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg74⤵PID:3032
-
-
-
C:\Windows\SysWOW64\tqwuyg.comC:\Windows\system32\tqwuyg.com 1440 "C:\Windows\SysWOW64\gztzpy.com"73⤵PID:4972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat74⤵PID:808
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg75⤵PID:3524
-
-
-
C:\Windows\SysWOW64\ggqwgp.comC:\Windows\system32\ggqwgp.com 1456 "C:\Windows\SysWOW64\tqwuyg.com"74⤵PID:4196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat75⤵PID:1988
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg76⤵
- Modifies security service
PID:2012
-
-
-
C:\Windows\SysWOW64\tflzpp.comC:\Windows\system32\tflzpp.com 1460 "C:\Windows\SysWOW64\ggqwgp.com"75⤵PID:4880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat76⤵PID:5084
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg77⤵PID:4124
-
-
-
C:\Windows\SysWOW64\dxbfun.comC:\Windows\system32\dxbfun.com 1452 "C:\Windows\SysWOW64\tflzpp.com"76⤵PID:2520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat77⤵PID:3280
-
-
C:\Windows\SysWOW64\qrhufr.comC:\Windows\system32\qrhufr.com 1464 "C:\Windows\SysWOW64\dxbfun.com"77⤵PID:2008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat78⤵PID:4064
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg79⤵PID:3208
-
-
-
C:\Windows\SysWOW64\qodhrc.comC:\Windows\system32\qodhrc.com 1468 "C:\Windows\SysWOW64\qrhufr.com"78⤵PID:4856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat79⤵PID:680
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg80⤵PID:1216
-
-
-
C:\Windows\SysWOW64\fldheu.comC:\Windows\system32\fldheu.com 1472 "C:\Windows\SysWOW64\qodhrc.com"79⤵PID:1364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat80⤵PID:4608
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg81⤵
- Modifies security service
- Runs .reg file with regedit
PID:4180
-
-
-
C:\Windows\SysWOW64\qvsnik.comC:\Windows\system32\qvsnik.com 1476 "C:\Windows\SysWOW64\fldheu.com"80⤵PID:1984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat81⤵PID:4488
-
-
C:\Windows\SysWOW64\dxyuux.comC:\Windows\system32\dxyuux.com 1484 "C:\Windows\SysWOW64\qvsnik.com"81⤵PID:4888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat82⤵PID:4832
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg83⤵PID:4084
-
-
-
C:\Windows\SysWOW64\issxfl.comC:\Windows\system32\issxfl.com 1144 "C:\Windows\SysWOW64\dxyuux.com"82⤵PID:392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat83⤵PID:2608
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg84⤵PID:4876
-
-
-
C:\Windows\SysWOW64\acfqmj.comC:\Windows\system32\acfqmj.com 1492 "C:\Windows\SysWOW64\issxfl.com"83⤵PID:4780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat84⤵PID:4992
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg85⤵PID:1464
-
-
-
C:\Windows\SysWOW64\lbknxh.comC:\Windows\system32\lbknxh.com 1496 "C:\Windows\SysWOW64\acfqmj.com"84⤵PID:3512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat85⤵PID:636
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg86⤵PID:4472
-
-
-
C:\Windows\SysWOW64\scrndw.comC:\Windows\system32\scrndw.com 1500 "C:\Windows\SysWOW64\lbknxh.com"85⤵PID:4736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat86⤵PID:4356
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg87⤵
- Runs .reg file with regedit
PID:728
-
-
-
C:\Windows\SysWOW64\lbtaip.comC:\Windows\system32\lbtaip.com 1504 "C:\Windows\SysWOW64\scrndw.com"86⤵PID:4824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat87⤵PID:4340
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg88⤵PID:4432
-
-
-
C:\Windows\SysWOW64\qomicz.comC:\Windows\system32\qomicz.com 1508 "C:\Windows\SysWOW64\lbtaip.com"87⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat88⤵PID:3656
-
-
C:\Windows\SysWOW64\lnftxt.comC:\Windows\system32\lnftxt.com 1488 "C:\Windows\SysWOW64\qomicz.com"88⤵PID:872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat89⤵PID:1368
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg90⤵PID:832
-
-
-
C:\Windows\SysWOW64\vmjqps.comC:\Windows\system32\vmjqps.com 1516 "C:\Windows\SysWOW64\lnftxt.com"89⤵PID:2492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat90⤵PID:3988
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg91⤵PID:5116
-
-
-
C:\Windows\SysWOW64\iketya.comC:\Windows\system32\iketya.com 1520 "C:\Windows\SysWOW64\vmjqps.com"90⤵PID:4536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat91⤵PID:1576
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg92⤵
- Runs .reg file with regedit
PID:4656
-
-
-
C:\Windows\SysWOW64\vxwjee.comC:\Windows\system32\vxwjee.com 1524 "C:\Windows\SysWOW64\iketya.com"91⤵
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat92⤵PID:3980
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg93⤵PID:4604
-
-
-
C:\Windows\SysWOW64\fxagod.comC:\Windows\system32\fxagod.com 1528 "C:\Windows\SysWOW64\vxwjee.com"92⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat93⤵PID:1764
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg94⤵PID:4764
-
-
-
C:\Windows\SysWOW64\tkrwuz.comC:\Windows\system32\tkrwuz.com 1532 "C:\Windows\SysWOW64\fxagod.com"93⤵PID:3568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat94⤵PID:1248
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg95⤵PID:5116
-
-
-
C:\Windows\SysWOW64\gxjtac.comC:\Windows\system32\gxjtac.com 1512 "C:\Windows\SysWOW64\tkrwuz.com"94⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat95⤵PID:5060
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg96⤵PID:4340
-
-
-
C:\Windows\SysWOW64\qhywvg.comC:\Windows\system32\qhywvg.com 1540 "C:\Windows\SysWOW64\gxjtac.com"95⤵PID:3468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat96⤵PID:3268
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg97⤵PID:2012
-
-
-
C:\Windows\SysWOW64\duiubj.comC:\Windows\system32\duiubj.com 1544 "C:\Windows\SysWOW64\qhywvg.com"96⤵PID:3452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat97⤵PID:4228
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg98⤵PID:456
-
-
-
C:\Windows\SysWOW64\qeowej.comC:\Windows\system32\qeowej.com 1548 "C:\Windows\SysWOW64\duiubj.com"97⤵PID:3980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat98⤵PID:1496
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg99⤵
- Modifies security service
PID:2112
-
-
-
C:\Windows\SysWOW64\aodhrm.comC:\Windows\system32\aodhrm.com 1552 "C:\Windows\SysWOW64\qeowej.com"98⤵PID:1048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat99⤵PID:4100
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg100⤵PID:3536
-
-
-
C:\Windows\SysWOW64\nqkjue.comC:\Windows\system32\nqkjue.com 1556 "C:\Windows\SysWOW64\aodhrm.com"99⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat100⤵PID:3640
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg101⤵PID:4388
-
-
-
C:\Windows\SysWOW64\aommcm.comC:\Windows\system32\aommcm.com 1536 "C:\Windows\SysWOW64\nqkjue.com"100⤵PID:4508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat101⤵PID:4496
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg102⤵PID:4584
-
-
-
C:\Windows\SysWOW64\lnrknl.comC:\Windows\system32\lnrknl.com 1564 "C:\Windows\SysWOW64\aommcm.com"101⤵PID:792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat102⤵PID:2812
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg103⤵PID:1336
-
-
-
C:\Windows\SysWOW64\yxxuyk.comC:\Windows\system32\yxxuyk.com 1568 "C:\Windows\SysWOW64\lnrknl.com"102⤵PID:3940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat103⤵PID:4268
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg104⤵PID:1496
-
-
-
C:\Windows\SysWOW64\kcopmt.comC:\Windows\system32\kcopmt.com 1560 "C:\Windows\SysWOW64\yxxuyk.com"103⤵PID:2504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat104⤵PID:2852
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg105⤵PID:4496
-
-
-
C:\Windows\SysWOW64\vyhhun.comC:\Windows\system32\vyhhun.com 1576 "C:\Windows\SysWOW64\kcopmt.com"104⤵PID:640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat105⤵PID:4560
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg106⤵PID:4964
-
-
-
C:\Windows\SysWOW64\ilzxzr.comC:\Windows\system32\ilzxzr.com 1572 "C:\Windows\SysWOW64\vyhhun.com"105⤵PID:2688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat106⤵PID:3632
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg107⤵PID:2176
-
-
-
C:\Windows\SysWOW64\vyqnfv.comC:\Windows\system32\vyqnfv.com 1584 "C:\Windows\SysWOW64\ilzxzr.com"106⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat107⤵PID:2452
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg108⤵PID:4456
-
-
-
C:\Windows\SysWOW64\ilaclz.comC:\Windows\system32\ilaclz.com 1580 "C:\Windows\SysWOW64\vyqnfv.com"107⤵
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat108⤵PID:1116
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg109⤵
- Runs .reg file with regedit
PID:1564
-
-
-
C:\Windows\SysWOW64\swpngc.comC:\Windows\system32\swpngc.com 1592 "C:\Windows\SysWOW64\ilaclz.com"108⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat109⤵PID:4484
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg110⤵PID:3888
-
-
-
C:\Windows\SysWOW64\gfvyjt.comC:\Windows\system32\gfvyjt.com 1596 "C:\Windows\SysWOW64\swpngc.com"109⤵PID:3656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat110⤵PID:1764
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg111⤵PID:4988
-
-
-
C:\Windows\SysWOW64\swyasc.comC:\Windows\system32\swyasc.com 1600 "C:\Windows\SysWOW64\gfvyjt.com"110⤵PID:5044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat111⤵PID:868
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg112⤵
- Modifies security service
- Runs .reg file with regedit
PID:4604
-
-
-
C:\Windows\SysWOW64\gjiqyf.comC:\Windows\system32\gjiqyf.com 1588 "C:\Windows\SysWOW64\swyasc.com"111⤵PID:4008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat112⤵PID:4532
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg113⤵PID:2696
-
-
-
C:\Windows\SysWOW64\qqunie.comC:\Windows\system32\qqunie.com 1608 "C:\Windows\SysWOW64\gjiqyf.com"112⤵PID:5048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat113⤵PID:456
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg114⤵PID:3412
-
-
-
C:\Windows\SysWOW64\ddddoi.comC:\Windows\system32\ddddoi.com 1604 "C:\Windows\SysWOW64\qqunie.com"113⤵PID:2508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat114⤵PID:3524
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg115⤵PID:4792
-
-
-
C:\Windows\SysWOW64\qtggwi.comC:\Windows\system32\qtggwi.com 1616 "C:\Windows\SysWOW64\ddddoi.com"114⤵PID:5116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat115⤵PID:2700
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg116⤵PID:2112
-
-
-
C:\Windows\SysWOW64\askdph.comC:\Windows\system32\askdph.com 1612 "C:\Windows\SysWOW64\qtggwi.com"115⤵
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat116⤵PID:4568
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg117⤵PID:3956
-
-
-
C:\Windows\SysWOW64\ncrosh.comC:\Windows\system32\ncrosh.com 1620 "C:\Windows\SysWOW64\askdph.com"116⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat117⤵PID:1684
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg118⤵PID:3280
-
-
-
C:\Windows\SysWOW64\yjvlcf.comC:\Windows\system32\yjvlcf.com 1628 "C:\Windows\SysWOW64\ncrosh.com"117⤵PID:856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat118⤵PID:1768
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg119⤵PID:2560
-
-
-
C:\Windows\SysWOW64\nroljp.comC:\Windows\system32\nroljp.com 1632 "C:\Windows\SysWOW64\yjvlcf.com"118⤵PID:4456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat119⤵PID:4712
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg120⤵PID:4872
-
-
-
C:\Windows\SysWOW64\xqsrto.comC:\Windows\system32\xqsrto.com 1636 "C:\Windows\SysWOW64\nroljp.com"119⤵PID:4988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat120⤵PID:1620
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg121⤵PID:440
-
-
-
C:\Windows\SysWOW64\klkgzs.comC:\Windows\system32\klkgzs.com 1640 "C:\Windows\SysWOW64\xqsrto.com"120⤵
- Drops file in System32 directory
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\sm1.bat121⤵PID:5032
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg122⤵PID:3328
-