Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system -
submitted
20-06-2024 14:10
Static task
static1
Behavioral task
behavioral1
Sample
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
-
Size
242KB
-
MD5
06b2a063d4f7ed1fbdf89ac4da07890a
-
SHA1
cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40
-
SHA256
03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
-
SHA512
35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec
-
SSDEEP
6144:3663lQ0l+9TIddHOCOVrX7tfQN5/inEaMadDKNa1aIc8eH:Xl+1HCOVHtfQunka1KNaTc8eH
Malware Config
Signatures
-
Modifies security service 2 TTPs 64 IoCs
Sets the Start value of the Security Center (wscsvc) and Windows Update (wuauserv) services to 4 (SERVICE_DISABLED), so neither service starts at boot; the writes are attributed to regedit.exe, consistent with the REGEDIT /S import seen in the process tree.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value 
(int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 iqlvu.com 2896 mktvt.com 548 euhvs.com 596 pqifi.com 1624 cgdir.com 2952 jwyad.com 2032 qhxfa.com 2456 bdqyh.com 2652 qljgo.com 1760 avyik.com 1604 idmiw.com 1836 xxjvf.com 564 zklya.com 2656 uybij.com 2824 uclvt.com 1540 jniic.com 1132 wiryi.com 3000 glhiv.com 2560 tbjlm.com 3012 gaeou.com 2724 poflk.com 2804 dbobq.com 1332 kmvgn.com 1384 zchou.com 1772 msbrd.com 1608 wdrbq.com 2240 juuez.com 2680 wwalk.com 376 grbea.com 1896 txkyo.com 1848 gnnbw.com 112 sptri.com 2880 coxos.com 1668 pfsrj.com 3004 cduur.com 2884 mczrc.com 1240 wblom.com 568 mrwwt.com 1880 wumho.com 2260 gebrb.com 2716 trthh.com 2972 ginkq.com 2312 qpzha.com 2688 avswy.com 1344 kcecj.com 1356 xtzer.com 2140 hslck.com 1300 uurkv.com 2672 hkmme.com 2300 uxeck.com 2448 dlwza.com 3024 qkzci.com 1108 defsc.com 2616 nljpm.com 2404 acmsv.com 2156 npwha.com 584 xdwfr.com 1272 ktrih.com 2696 xgjxn.com 1832 hryia.com 2332 uhbkj.com 924 yjhsu.com 1216 imwcp.com 2372 yywxl.com -
Loads dropped DLL 64 IoCs
pid Process 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 2700 iqlvu.com 2700 iqlvu.com 2896 mktvt.com 2896 mktvt.com 548 euhvs.com 548 euhvs.com 596 pqifi.com 596 pqifi.com 1624 cgdir.com 1624 cgdir.com 2952 jwyad.com 2952 jwyad.com 2032 qhxfa.com 2032 qhxfa.com 2456 bdqyh.com 2456 bdqyh.com 2652 qljgo.com 2652 qljgo.com 1760 avyik.com 1760 avyik.com 1604 idmiw.com 1604 idmiw.com 1836 xxjvf.com 1836 xxjvf.com 564 zklya.com 564 zklya.com 2656 uybij.com 2656 uybij.com 2824 uclvt.com 2824 uclvt.com 1540 jniic.com 1540 jniic.com 1132 wiryi.com 1132 wiryi.com 3000 glhiv.com 3000 glhiv.com 2560 tbjlm.com 2560 tbjlm.com 3012 gaeou.com 3012 gaeou.com 2724 poflk.com 2724 poflk.com 2804 dbobq.com 2804 dbobq.com 1332 kmvgn.com 1332 kmvgn.com 1384 zchou.com 1384 zchou.com 1772 msbrd.com 1772 msbrd.com 1608 wdrbq.com 1608 wdrbq.com 2240 juuez.com 2240 juuez.com 2680 wwalk.com 2680 wwalk.com 376 grbea.com 376 grbea.com 1896 txkyo.com 1896 txkyo.com 1848 gnnbw.com 1848 gnnbw.com -
Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. In this run the dropped .com payloads open the raw disk device \??\PhysicalDrive0 for modification, which is the path by which sector-level (MBR) writes reach the disk.
description ioc Process File opened for modification \??\PhysicalDrive0 aambo.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 qljgo.com File opened for modification \??\PhysicalDrive0 cvzaq.com File opened for modification \??\PhysicalDrive0 rrfsv.com File opened for modification \??\PhysicalDrive0 nhldu.com File opened for modification \??\PhysicalDrive0 oojlq.com File opened for modification \??\PhysicalDrive0 glhiv.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 pfsrj.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 uclvt.com File opened for modification \??\PhysicalDrive0 etalv.com File opened for modification \??\PhysicalDrive0 emfhe.com File opened for modification \??\PhysicalDrive0 rzwib.com File opened for modification \??\PhysicalDrive0 zkfvo.com File opened for modification \??\PhysicalDrive0 vjmlo.com File opened for modification \??\PhysicalDrive0 iwbeq.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 wumho.com File opened for modification \??\PhysicalDrive0 mcafr.com File opened for modification \??\PhysicalDrive0 Process not Found 
File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 gbzuc.com File opened for modification \??\PhysicalDrive0 cdgjx.com File opened for modification \??\PhysicalDrive0 zewtm.com File opened for modification \??\PhysicalDrive0 iiduf.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 mktvt.com File opened for modification \??\PhysicalDrive0 coxos.com File opened for modification \??\PhysicalDrive0 bolfn.com File opened for modification \??\PhysicalDrive0 lrfwg.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 qpzha.com File opened for modification \??\PhysicalDrive0 idofp.com File opened for modification \??\PhysicalDrive0 nhevn.com File opened for modification \??\PhysicalDrive0 wzshu.com File opened for modification \??\PhysicalDrive0 twudz.com File opened for modification \??\PhysicalDrive0 vqmix.com File opened for modification \??\PhysicalDrive0 usouf.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 yzuhe.com File opened for modification \??\PhysicalDrive0 ruhpm.com File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found File opened for modification \??\PhysicalDrive0 Process not Found -
Drops file in System32 directory 64 IoCs
The payloads are created under C:\Windows\SysWOW64 (the 32-bit system directory on x64) with five-letter .com names, and each one also opens aspr_keys.ini in the same directory for modification.
description ioc Process File created C:\Windows\SysWOW64\ktrih.com xdwfr.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini eagmz.com File opened for modification C:\Windows\SysWOW64\waayo.com Process not Found File created C:\Windows\SysWOW64\rcoob.com Process not Found File opened for modification C:\Windows\SysWOW64\yieck.com lrbzc.com File opened for modification C:\Windows\SysWOW64\fxtrt.com vqhtb.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\blgue.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini rkhck.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\nuefk.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\clnux.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\avyik.com qljgo.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini ylmtc.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini otujo.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\gbole.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\ebqza.com Process not Found File opened for modification C:\Windows\SysWOW64\eegay.com rolxp.com File created C:\Windows\SysWOW64\vbgsw.com izsll.com File created C:\Windows\SysWOW64\jqvbx.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created 
C:\Windows\SysWOW64\ndjpy.com Process not Found File opened for modification C:\Windows\SysWOW64\tscnq.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\cknqm.com siyfr.com File opened for modification C:\Windows\SysWOW64\nafnh.com ayzxw.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini vjopg.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini ospfz.com File created C:\Windows\SysWOW64\rgyuz.com epdrq.com File opened for modification C:\Windows\SysWOW64\cpsrp.com Process not Found File opened for modification C:\Windows\SysWOW64\igxst.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\onmbc.com Process not Found File opened for modification C:\Windows\SysWOW64\ayohg.com Process not Found File opened for modification C:\Windows\SysWOW64\tvigl.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File opened for modification C:\Windows\SysWOW64\fjubz.com Process not Found File opened for modification C:\Windows\SysWOW64\klrch.com xjlmv.com File opened for modification C:\Windows\SysWOW64\lcmcl.com bolfn.com File created C:\Windows\SysWOW64\dbosz.com uvnuj.com File created C:\Windows\SysWOW64\lrfwg.com zlnbs.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\agdpw.com Process not Found File created C:\Windows\SysWOW64\ndrni.com Process not Found File opened for modification C:\Windows\SysWOW64\aspr_keys.ini iqlvu.com File opened for modification C:\Windows\SysWOW64\vqmix.com jsrop.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found File created C:\Windows\SysWOW64\nnbco.com Process not Found File opened for modification C:\Windows\SysWOW64\uptnq.com Process not Found File created 
C:\Windows\SysWOW64\aambo.com nygtc.com File opened for modification C:\Windows\SysWOW64\cwwlj.com Process not Found File opened for modification C:\Windows\SysWOW64\ymprl.com lwuoc.com File created C:\Windows\SysWOW64\vjopg.com kkksw.com File opened for modification C:\Windows\SysWOW64\sldxk.com Process not Found File opened for modification C:\Windows\SysWOW64\tfffj.com Process not Found File opened for modification C:\Windows\SysWOW64\qbttf.com ddyqw.com File created C:\Windows\SysWOW64\fejwl.com snotc.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini Process not Found -
Runs .reg file with regedit 64 IoCs
Each dropped .com launches cmd /c c:\acx.bat, which runs REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg; the /S switch imports the file silently, with no confirmation prompt.
pid Process 1780 regedit.exe 3848 Process not Found 4888 Process not Found 1888 regedit.exe 1732 regedit.exe 2036 regedit.exe 3576 Process not Found 4564 Process not Found 2164 Process not Found 4328 Process not Found 1064 regedit.exe 3104 Process not Found 1804 regedit.exe 1936 regedit.exe 2908 regedit.exe 3148 Process not Found 4804 Process not Found 2108 regedit.exe 2768 regedit.exe 2036 regedit.exe 3616 regedit.exe 1840 Process not Found 4372 Process not Found 4404 Process not Found 2776 regedit.exe 3892 Process not Found 1840 Process not Found 3244 Process not Found 3244 Process not Found 4208 Process not Found 1660 regedit.exe 2992 regedit.exe 2608 regedit.exe 840 regedit.exe 3552 Process not Found 1388 Process not Found 4348 Process not Found 4816 Process not Found 3044 regedit.exe 3048 regedit.exe 2684 regedit.exe 1744 regedit.exe 3768 Process not Found 3304 Process not Found 2780 regedit.exe 2856 regedit.exe 3416 regedit.exe 3868 Process not Found 2472 Process not Found 4440 Process not Found 4692 Process not Found 5028 Process not Found 1560 regedit.exe 1264 regedit.exe 2120 regedit.exe 1284 Process not Found 3264 Process not Found 2232 regedit.exe 920 Process not Found 1904 regedit.exe 2120 Process not Found 3092 Process not Found 4272 Process not Found 4572 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Each process in the chain writes into the memory of the child it spawns (parent PID → child PID), matching the parent/child relationships in the process tree below.
description pid Process procid_target PID 2352 wrote to memory of 2644 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 28 PID 2352 wrote to memory of 2644 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 28 PID 2352 wrote to memory of 2644 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 28 PID 2352 wrote to memory of 2644 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 28 PID 2644 wrote to memory of 1864 2644 cmd.exe 29 PID 2644 wrote to memory of 1864 2644 cmd.exe 29 PID 2644 wrote to memory of 1864 2644 cmd.exe 29 PID 2644 wrote to memory of 1864 2644 cmd.exe 29 PID 2352 wrote to memory of 2700 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 30 PID 2352 wrote to memory of 2700 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 30 PID 2352 wrote to memory of 2700 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 30 PID 2352 wrote to memory of 2700 2352 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 30 PID 2700 wrote to memory of 2896 2700 iqlvu.com 31 PID 2700 wrote to memory of 2896 2700 iqlvu.com 31 PID 2700 wrote to memory of 2896 2700 iqlvu.com 31 PID 2700 wrote to memory of 2896 2700 iqlvu.com 31 PID 2896 wrote to memory of 548 2896 mktvt.com 32 PID 2896 wrote to memory of 548 2896 mktvt.com 32 PID 2896 wrote to memory of 548 2896 mktvt.com 32 PID 2896 wrote to memory of 548 2896 mktvt.com 32 PID 548 wrote to memory of 596 548 euhvs.com 33 PID 548 wrote to memory of 596 548 euhvs.com 33 PID 548 wrote to memory of 596 548 euhvs.com 33 PID 548 wrote to memory of 596 548 euhvs.com 33 PID 596 wrote to memory of 1624 596 pqifi.com 34 PID 596 wrote to memory of 1624 596 pqifi.com 34 PID 596 wrote to memory of 1624 596 pqifi.com 34 PID 596 wrote to memory of 1624 596 pqifi.com 34 PID 1624 wrote to memory of 2952 1624 cgdir.com 35 PID 1624 wrote to memory of 2952 1624 cgdir.com 35 PID 1624 wrote to memory of 2952 1624 cgdir.com 35 PID 1624 wrote to memory of 2952 1624 cgdir.com 35 PID 2952 wrote to memory of 2032 
2952 jwyad.com 36 PID 2952 wrote to memory of 2032 2952 jwyad.com 36 PID 2952 wrote to memory of 2032 2952 jwyad.com 36 PID 2952 wrote to memory of 2032 2952 jwyad.com 36 PID 2032 wrote to memory of 2456 2032 qhxfa.com 37 PID 2032 wrote to memory of 2456 2032 qhxfa.com 37 PID 2032 wrote to memory of 2456 2032 qhxfa.com 37 PID 2032 wrote to memory of 2456 2032 qhxfa.com 37 PID 2456 wrote to memory of 1560 2456 bdqyh.com 38 PID 2456 wrote to memory of 1560 2456 bdqyh.com 38 PID 2456 wrote to memory of 1560 2456 bdqyh.com 38 PID 2456 wrote to memory of 1560 2456 bdqyh.com 38 PID 1560 wrote to memory of 2912 1560 cmd.exe 39 PID 1560 wrote to memory of 2912 1560 cmd.exe 39 PID 1560 wrote to memory of 2912 1560 cmd.exe 39 PID 1560 wrote to memory of 2912 1560 cmd.exe 39 PID 2456 wrote to memory of 2652 2456 bdqyh.com 40 PID 2456 wrote to memory of 2652 2456 bdqyh.com 40 PID 2456 wrote to memory of 2652 2456 bdqyh.com 40 PID 2456 wrote to memory of 2652 2456 bdqyh.com 40 PID 2652 wrote to memory of 2560 2652 qljgo.com 41 PID 2652 wrote to memory of 2560 2652 qljgo.com 41 PID 2652 wrote to memory of 2560 2652 qljgo.com 41 PID 2652 wrote to memory of 2560 2652 qljgo.com 41 PID 2560 wrote to memory of 2464 2560 cmd.exe 42 PID 2560 wrote to memory of 2464 2560 cmd.exe 42 PID 2560 wrote to memory of 2464 2560 cmd.exe 42 PID 2560 wrote to memory of 2464 2560 cmd.exe 42 PID 2652 wrote to memory of 1760 2652 qljgo.com 43 PID 2652 wrote to memory of 1760 2652 qljgo.com 43 PID 2652 wrote to memory of 1760 2652 qljgo.com 43 PID 2652 wrote to memory of 1760 2652 qljgo.com 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
PID:1864
-
-
-
C:\Windows\SysWOW64\iqlvu.com
C:\Windows\system32\iqlvu.com 524 "C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\mktvt.com
C:\Windows\system32\mktvt.com 552 "C:\Windows\SysWOW64\iqlvu.com"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\euhvs.com
C:\Windows\system32\euhvs.com 564 "C:\Windows\SysWOW64\mktvt.com"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\pqifi.com
C:\Windows\system32\pqifi.com 568 "C:\Windows\SysWOW64\euhvs.com"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\cgdir.com
C:\Windows\system32\cgdir.com 556 "C:\Windows\SysWOW64\pqifi.com"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\jwyad.com
C:\Windows\system32\jwyad.com 572 "C:\Windows\SysWOW64\cgdir.com"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\qhxfa.com
C:\Windows\system32\qhxfa.com 560 "C:\Windows\SysWOW64\jwyad.com"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\bdqyh.com
C:\Windows\system32\bdqyh.com 576 "C:\Windows\SysWOW64\qhxfa.com"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
10⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
11⤵
PID:2912
-
-
-
C:\Windows\SysWOW64\qljgo.com
C:\Windows\system32\qljgo.com 588 "C:\Windows\SysWOW64\bdqyh.com"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
11⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
12⤵
PID:2464
-
-
-
C:\Windows\SysWOW64\avyik.com
C:\Windows\system32\avyik.com 592 "C:\Windows\SysWOW64\qljgo.com"
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
12⤵
PID:1252
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
13⤵
PID:1288
-
-
-
C:\Windows\SysWOW64\idmiw.com
C:\Windows\system32\idmiw.com 600 "C:\Windows\SysWOW64\avyik.com"
12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
13⤵
PID:2212
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
14⤵
PID:1824
-
-
-
C:\Windows\SysWOW64\xxjvf.com
C:\Windows\system32\xxjvf.com 596 "C:\Windows\SysWOW64\idmiw.com"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
14⤵
PID:892
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
15⤵
PID:696
-
-
-
C:\Windows\SysWOW64\zklya.com
C:\Windows\system32\zklya.com 492 "C:\Windows\SysWOW64\xxjvf.com"
14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
15⤵
PID:1332
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
16⤵
PID:2360
-
-
-
C:\Windows\SysWOW64\uybij.com
C:\Windows\system32\uybij.com 608 "C:\Windows\SysWOW64\zklya.com"
15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
16⤵
PID:2144
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
17⤵
PID:1864
-
-
-
C:\Windows\SysWOW64\uclvt.com
C:\Windows\system32\uclvt.com 584 "C:\Windows\SysWOW64\uybij.com"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2824 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
17⤵
PID:2884
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
18⤵
PID:2364
-
-
-
C:\Windows\SysWOW64\jniic.com
C:\Windows\system32\jniic.com 616 "C:\Windows\SysWOW64\uclvt.com"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
18⤵
PID:1728
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
19⤵
- Runs .reg file with regedit
PID:3044
-
-
-
C:\Windows\SysWOW64\wiryi.com
C:\Windows\system32\wiryi.com 624 "C:\Windows\SysWOW64\jniic.com"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
19⤵
PID:1576
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
20⤵
PID:2132
-
-
-
C:\Windows\SysWOW64\glhiv.com
C:\Windows\system32\glhiv.com 628 "C:\Windows\SysWOW64\wiryi.com"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:3000 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
20⤵
PID:3032
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
21⤵
PID:896
-
-
-
C:\Windows\SysWOW64\tbjlm.com
C:\Windows\system32\tbjlm.com 620 "C:\Windows\SysWOW64\glhiv.com"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
21⤵
PID:2936
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
22⤵
PID:3024
-
-
-
C:\Windows\SysWOW64\gaeou.com
C:\Windows\system32\gaeou.com 632 "C:\Windows\SysWOW64\tbjlm.com"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
22⤵
PID:2684
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
23⤵
PID:2228
-
-
-
C:\Windows\SysWOW64\poflk.com
C:\Windows\system32\poflk.com 644 "C:\Windows\SysWOW64\gaeou.com"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
23⤵
PID:2284
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
24⤵
PID:1892
-
-
-
C:\Windows\SysWOW64\dbobq.com
C:\Windows\system32\dbobq.com 636 "C:\Windows\SysWOW64\poflk.com"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
24⤵
PID:1068
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
25⤵
- Runs .reg file with regedit
PID:2780
-
-
-
C:\Windows\SysWOW64\kmvgn.com
C:\Windows\system32\kmvgn.com 640 "C:\Windows\SysWOW64\dbobq.com"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
25⤵
PID:2856
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
26⤵
PID:1476
-
-
-
C:\Windows\SysWOW64\zchou.com
C:\Windows\system32\zchou.com 652 "C:\Windows\SysWOW64\kmvgn.com"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
26⤵
PID:2004
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
27⤵
PID:2416
-
-
-
C:\Windows\SysWOW64\msbrd.com
C:\Windows\system32\msbrd.com 660 "C:\Windows\SysWOW64\zchou.com"
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
27⤵
PID:2404
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
28⤵
PID:1052
-
-
-
C:\Windows\SysWOW64\wdrbq.com
C:\Windows\system32\wdrbq.com 648 "C:\Windows\SysWOW64\msbrd.com"
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
28⤵
PID:768
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
29⤵
PID:844
-
-
-
C:\Windows\SysWOW64\juuez.com
C:\Windows\system32\juuez.com 656 "C:\Windows\SysWOW64\wdrbq.com"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
29⤵
PID:1240
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
30⤵
PID:2788
-
-
-
C:\Windows\SysWOW64\wwalk.com
C:\Windows\system32\wwalk.com 668 "C:\Windows\SysWOW64\juuez.com"
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\acx.bat
30⤵
PID:2808
-
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
31⤵
PID:2848
-
-
-
C:\Windows\SysWOW64\grbea.com
C:\Windows\system32\grbea.com 604 "C:\Windows\SysWOW64\wwalk.com"
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat31⤵PID:2568
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg32⤵PID:3052
-
-
-
C:\Windows\SysWOW64\txkyo.comC:\Windows\system32\txkyo.com 672 "C:\Windows\SysWOW64\grbea.com"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat32⤵PID:2756
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg33⤵
- Modifies security service
PID:3024
-
-
-
C:\Windows\SysWOW64\gnnbw.comC:\Windows\system32\gnnbw.com 680 "C:\Windows\SysWOW64\txkyo.com"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat33⤵PID:2224
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg34⤵PID:1692
-
-
-
C:\Windows\SysWOW64\sptri.comC:\Windows\system32\sptri.com 676 "C:\Windows\SysWOW64\gnnbw.com"33⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat34⤵PID:2704
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg35⤵PID:2944
-
-
-
C:\Windows\SysWOW64\coxos.comC:\Windows\system32\coxos.com 688 "C:\Windows\SysWOW64\sptri.com"34⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2880 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat35⤵PID:1300
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg36⤵
- Runs .reg file with regedit
PID:3048
-
-
-
C:\Windows\SysWOW64\pfsrj.comC:\Windows\system32\pfsrj.com 692 "C:\Windows\SysWOW64\coxos.com"35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1668 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat36⤵PID:812
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg37⤵PID:1288
-
-
-
C:\Windows\SysWOW64\cduur.comC:\Windows\system32\cduur.com 684 "C:\Windows\SysWOW64\pfsrj.com"36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat37⤵PID:1812
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg38⤵
- Modifies security service
PID:2912
-
-
-
C:\Windows\SysWOW64\mczrc.comC:\Windows\system32\mczrc.com 696 "C:\Windows\SysWOW64\cduur.com"37⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat38⤵PID:2868
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg39⤵PID:2876
-
-
-
C:\Windows\SysWOW64\wblom.comC:\Windows\system32\wblom.com 700 "C:\Windows\SysWOW64\mczrc.com"38⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat39⤵PID:1680
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg40⤵PID:1688
-
-
-
C:\Windows\SysWOW64\mrwwt.comC:\Windows\system32\mrwwt.com 704 "C:\Windows\SysWOW64\wblom.com"39⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat40⤵PID:1904
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg41⤵PID:1376
-
-
-
C:\Windows\SysWOW64\wumho.comC:\Windows\system32\wumho.com 712 "C:\Windows\SysWOW64\mrwwt.com"40⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1880 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat41⤵PID:2568
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg42⤵PID:1888
-
-
-
C:\Windows\SysWOW64\gebrb.comC:\Windows\system32\gebrb.com 716 "C:\Windows\SysWOW64\wumho.com"41⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat42⤵PID:2328
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg43⤵PID:2712
-
-
-
C:\Windows\SysWOW64\trthh.comC:\Windows\system32\trthh.com 720 "C:\Windows\SysWOW64\gebrb.com"42⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat43⤵PID:1640
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg44⤵PID:2152
-
-
-
C:\Windows\SysWOW64\ginkq.comC:\Windows\system32\ginkq.com 724 "C:\Windows\SysWOW64\trthh.com"43⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat44⤵PID:1736
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg45⤵PID:896
-
-
-
C:\Windows\SysWOW64\qpzha.comC:\Windows\system32\qpzha.com 708 "C:\Windows\SysWOW64\ginkq.com"44⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2312 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat45⤵PID:1600
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg46⤵PID:840
-
-
-
C:\Windows\SysWOW64\avswy.comC:\Windows\system32\avswy.com 728 "C:\Windows\SysWOW64\qpzha.com"45⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat46⤵PID:2540
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg47⤵
- Modifies security service
PID:2288
-
-
-
C:\Windows\SysWOW64\kcecj.comC:\Windows\system32\kcecj.com 732 "C:\Windows\SysWOW64\avswy.com"46⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat47⤵PID:1388
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg48⤵PID:2080
-
-
-
C:\Windows\SysWOW64\xtzer.comC:\Windows\system32\xtzer.com 744 "C:\Windows\SysWOW64\kcecj.com"47⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat48⤵PID:856
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg49⤵PID:2820
-
-
-
C:\Windows\SysWOW64\hslck.comC:\Windows\system32\hslck.com 740 "C:\Windows\SysWOW64\xtzer.com"48⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat49⤵PID:2616
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg50⤵PID:1108
-
-
-
C:\Windows\SysWOW64\uurkv.comC:\Windows\system32\uurkv.com 748 "C:\Windows\SysWOW64\hslck.com"49⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat50⤵PID:2404
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg51⤵PID:2520
-
-
-
C:\Windows\SysWOW64\hkmme.comC:\Windows\system32\hkmme.com 736 "C:\Windows\SysWOW64\uurkv.com"50⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat51⤵PID:2768
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg52⤵PID:1576
-
-
-
C:\Windows\SysWOW64\uxeck.comC:\Windows\system32\uxeck.com 752 "C:\Windows\SysWOW64\hkmme.com"51⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat52⤵PID:2364
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg53⤵PID:624
-
-
-
C:\Windows\SysWOW64\dlwza.comC:\Windows\system32\dlwza.com 756 "C:\Windows\SysWOW64\uxeck.com"52⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat53⤵PID:1664
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg54⤵PID:2900
-
-
-
C:\Windows\SysWOW64\qkzci.comC:\Windows\system32\qkzci.com 764 "C:\Windows\SysWOW64\dlwza.com"53⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat54⤵PID:2828
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg55⤵PID:1860
-
-
-
C:\Windows\SysWOW64\defsc.comC:\Windows\system32\defsc.com 760 "C:\Windows\SysWOW64\qkzci.com"54⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat55⤵PID:1960
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg56⤵PID:1140
-
-
-
C:\Windows\SysWOW64\nljpm.comC:\Windows\system32\nljpm.com 768 "C:\Windows\SysWOW64\defsc.com"55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat56⤵PID:1948
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg57⤵
- Modifies security service
PID:1560
-
-
-
C:\Windows\SysWOW64\acmsv.comC:\Windows\system32\acmsv.com 776 "C:\Windows\SysWOW64\nljpm.com"56⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat57⤵PID:616
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg58⤵PID:3068
-
-
-
C:\Windows\SysWOW64\npwha.comC:\Windows\system32\npwha.com 772 "C:\Windows\SysWOW64\acmsv.com"57⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat58⤵PID:1040
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg59⤵PID:2900
-
-
-
C:\Windows\SysWOW64\xdwfr.comC:\Windows\system32\xdwfr.com 780 "C:\Windows\SysWOW64\npwha.com"58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat59⤵PID:1724
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg60⤵PID:1488
-
-
-
C:\Windows\SysWOW64\ktrih.comC:\Windows\system32\ktrih.com 788 "C:\Windows\SysWOW64\xdwfr.com"59⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat60⤵PID:572
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg61⤵PID:2644
-
-
-
C:\Windows\SysWOW64\xgjxn.comC:\Windows\system32\xgjxn.com 784 "C:\Windows\SysWOW64\ktrih.com"60⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat61⤵PID:2152
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg62⤵
- Runs .reg file with regedit
PID:1560
-
-
-
C:\Windows\SysWOW64\hryia.comC:\Windows\system32\hryia.com 792 "C:\Windows\SysWOW64\xgjxn.com"61⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat62⤵PID:1640
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg63⤵PID:2424
-
-
-
C:\Windows\SysWOW64\uhbkj.comC:\Windows\system32\uhbkj.com 800 "C:\Windows\SysWOW64\hryia.com"62⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat63⤵PID:2624
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg64⤵
- Runs .reg file with regedit
PID:1064
-
-
-
C:\Windows\SysWOW64\yjhsu.comC:\Windows\system32\yjhsu.com 796 "C:\Windows\SysWOW64\uhbkj.com"63⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat64⤵PID:864
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg65⤵PID:1920
-
-
-
C:\Windows\SysWOW64\imwcp.comC:\Windows\system32\imwcp.com 804 "C:\Windows\SysWOW64\yjhsu.com"64⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat65⤵PID:1480
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg66⤵
- Runs .reg file with regedit
PID:1888
-
-
-
C:\Windows\SysWOW64\yywxl.comC:\Windows\system32\yywxl.com 812 "C:\Windows\SysWOW64\imwcp.com"65⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat66⤵PID:2040
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg67⤵PID:2620
-
-
-
C:\Windows\SysWOW64\ixjve.comC:\Windows\system32\ixjve.com 816 "C:\Windows\SysWOW64\yywxl.com"66⤵PID:1204
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat67⤵PID:2204
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg68⤵PID:2632
-
-
-
C:\Windows\SysWOW64\siyfr.comC:\Windows\system32\siyfr.com 808 "C:\Windows\SysWOW64\ixjve.com"67⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat68⤵PID:2760
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg69⤵PID:1652
-
-
-
C:\Windows\SysWOW64\cknqm.comC:\Windows\system32\cknqm.com 820 "C:\Windows\SysWOW64\siyfr.com"68⤵PID:2756
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat69⤵PID:480
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg70⤵PID:1800
-
-
-
C:\Windows\SysWOW64\pbisv.comC:\Windows\system32\pbisv.com 828 "C:\Windows\SysWOW64\cknqm.com"69⤵PID:2932
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat70⤵PID:1432
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg71⤵PID:1588
-
-
-
C:\Windows\SysWOW64\cwaib.comC:\Windows\system32\cwaib.com 832 "C:\Windows\SysWOW64\pbisv.com"70⤵PID:1752
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat71⤵PID:3048
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg72⤵PID:2296
-
-
-
C:\Windows\SysWOW64\mcafr.comC:\Windows\system32\mcafr.com 824 "C:\Windows\SysWOW64\cwaib.com"71⤵
- Writes to the Master Boot Record (MBR)
PID:2924 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat72⤵PID:2676
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg73⤵PID:2080
-
-
-
C:\Windows\SysWOW64\wjedj.comC:\Windows\system32\wjedj.com 840 "C:\Windows\SysWOW64\mcafr.com"72⤵PID:2944
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat73⤵PID:2908
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg74⤵PID:2328
-
-
-
C:\Windows\SysWOW64\mrqli.comC:\Windows\system32\mrqli.com 844 "C:\Windows\SysWOW64\wjedj.com"73⤵PID:2816
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat74⤵PID:2468
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg75⤵PID:2948
-
-
-
C:\Windows\SysWOW64\zqtnq.comC:\Windows\system32\zqtnq.com 848 "C:\Windows\SysWOW64\mrqli.com"74⤵PID:1892
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat75⤵PID:3008
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg76⤵PID:2492
-
-
-
C:\Windows\SysWOW64\lkzvk.comC:\Windows\system32\lkzvk.com 852 "C:\Windows\SysWOW64\zqtnq.com"75⤵PID:1472
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat76⤵PID:1376
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg77⤵PID:1092
-
-
-
C:\Windows\SysWOW64\vrdtu.comC:\Windows\system32\vrdtu.com 856 "C:\Windows\SysWOW64\lkzvk.com"76⤵PID:2748
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat77⤵PID:816
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg78⤵PID:2640
-
-
-
C:\Windows\SysWOW64\iljig.comC:\Windows\system32\iljig.com 836 "C:\Windows\SysWOW64\vrdtu.com"77⤵PID:964
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat78⤵PID:2396
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg79⤵PID:1560
-
-
-
C:\Windows\SysWOW64\vjmlo.comC:\Windows\system32\vjmlo.com 864 "C:\Windows\SysWOW64\iljig.com"78⤵
- Writes to the Master Boot Record (MBR)
PID:1932 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat79⤵PID:1744
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg80⤵PID:1628
-
-
-
C:\Windows\SysWOW64\iahox.comC:\Windows\system32\iahox.com 868 "C:\Windows\SysWOW64\vjmlo.com"79⤵PID:2316
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat80⤵PID:1504
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg81⤵PID:588
-
-
-
C:\Windows\SysWOW64\vqbqg.comC:\Windows\system32\vqbqg.com 860 "C:\Windows\SysWOW64\iahox.com"80⤵PID:2204
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat81⤵PID:2308
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg82⤵PID:1800
-
-
-
C:\Windows\SysWOW64\hshgz.comC:\Windows\system32\hshgz.com 876 "C:\Windows\SysWOW64\vqbqg.com"81⤵PID:2160
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat82⤵PID:2988
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg83⤵PID:480
-
-
-
C:\Windows\SysWOW64\srudj.comC:\Windows\system32\srudj.com 880 "C:\Windows\SysWOW64\hshgz.com"82⤵PID:2832
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat83⤵PID:2468
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg84⤵
- Runs .reg file with regedit
PID:2856
-
-
-
C:\Windows\SysWOW64\etalv.comC:\Windows\system32\etalv.com 872 "C:\Windows\SysWOW64\srudj.com"83⤵
- Writes to the Master Boot Record (MBR)
PID:2860 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat84⤵PID:2544
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg85⤵
- Runs .reg file with regedit
PID:1660
-
-
-
C:\Windows\SysWOW64\rkuod.comC:\Windows\system32\rkuod.com 884 "C:\Windows\SysWOW64\etalv.com"84⤵PID:1620
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat85⤵PID:492
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg86⤵PID:780
-
-
-
C:\Windows\SysWOW64\eixqm.comC:\Windows\system32\eixqm.com 888 "C:\Windows\SysWOW64\rkuod.com"85⤵PID:2876
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat86⤵PID:860
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg87⤵
- Modifies security service
PID:1736
-
-
-
C:\Windows\SysWOW64\owqok.comC:\Windows\system32\owqok.com 892 "C:\Windows\SysWOW64\eixqm.com"86⤵PID:2636
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat87⤵PID:2664
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg88⤵PID:1640
-
-
-
C:\Windows\SysWOW64\bntqt.comC:\Windows\system32\bntqt.com 896 "C:\Windows\SysWOW64\owqok.com"87⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat88⤵PID:2684
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg89⤵
- Runs .reg file with regedit
PID:2776
-
-
-
C:\Windows\SysWOW64\oacgy.comC:\Windows\system32\oacgy.com 900 "C:\Windows\SysWOW64\bntqt.com"88⤵PID:2272
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat89⤵PID:2212
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg90⤵PID:2308
-
-
-
C:\Windows\SysWOW64\xodeo.comC:\Windows\system32\xodeo.com 904 "C:\Windows\SysWOW64\oacgy.com"89⤵PID:2600
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat90⤵PID:1756
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg91⤵PID:2948
-
-
-
C:\Windows\SysWOW64\lbutu.comC:\Windows\system32\lbutu.com 912 "C:\Windows\SysWOW64\xodeo.com"90⤵PID:688
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat91⤵PID:2704
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg92⤵PID:1500
-
-
-
C:\Windows\SysWOW64\vlkep.comC:\Windows\system32\vlkep.com 908 "C:\Windows\SysWOW64\lbutu.com"91⤵PID:532
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat92⤵PID:2532
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg93⤵PID:2108
-
-
-
C:\Windows\SysWOW64\iybtv.comC:\Windows\system32\iybtv.com 920 "C:\Windows\SysWOW64\vlkep.com"92⤵PID:1560
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat93⤵PID:2208
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg94⤵PID:2224
-
-
-
C:\Windows\SysWOW64\sbrej.comC:\Windows\system32\sbrej.com 924 "C:\Windows\SysWOW64\iybtv.com"93⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat94⤵PID:2872
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg95⤵PID:2788
-
-
-
C:\Windows\SysWOW64\edxtu.comC:\Windows\system32\edxtu.com 916 "C:\Windows\SysWOW64\sbrej.com"94⤵PID:2820
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat95⤵PID:2708
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg96⤵
- Runs .reg file with regedit
PID:2992
-
-
-
C:\Windows\SysWOW64\ruswd.comC:\Windows\system32\ruswd.com 932 "C:\Windows\SysWOW64\edxtu.com"95⤵PID:1792
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat96⤵PID:624
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg97⤵PID:2608
-
-
-
C:\Windows\SysWOW64\behyy.comC:\Windows\system32\behyy.com 940 "C:\Windows\SysWOW64\ruswd.com"96⤵PID:2124
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat97⤵PID:2580
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg98⤵PID:2712
-
-
-
C:\Windows\SysWOW64\orzwe.comC:\Windows\system32\orzwe.com 936 "C:\Windows\SysWOW64\behyy.com"97⤵PID:1800
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat98⤵PID:1968
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg99⤵PID:1052
-
-
-
C:\Windows\SysWOW64\btfep.comC:\Windows\system32\btfep.com 944 "C:\Windows\SysWOW64\orzwe.com"98⤵PID:264
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat99⤵PID:1644
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg100⤵
- Modifies security service
PID:1288
-
-
-
C:\Windows\SysWOW64\lwuoc.comC:\Windows\system32\lwuoc.com 928 "C:\Windows\SysWOW64\btfep.com"99⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat100⤵PID:600
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg101⤵PID:2592
-
-
-
C:\Windows\SysWOW64\ymprl.comC:\Windows\system32\ymprl.com 948 "C:\Windows\SysWOW64\lwuoc.com"100⤵PID:2612
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat101⤵PID:2524
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg102⤵PID:1868
-
-
-
C:\Windows\SysWOW64\kovhe.comC:\Windows\system32\kovhe.com 956 "C:\Windows\SysWOW64\ymprl.com"101⤵PID:1532
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat102⤵PID:1288
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg103⤵PID:2532
-
-
-
C:\Windows\SysWOW64\ybmwk.comC:\Windows\system32\ybmwk.com 952 "C:\Windows\SysWOW64\kovhe.com"102⤵PID:2720
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat103⤵PID:2520
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg104⤵PID:692
-
-
-
C:\Windows\SysWOW64\kdsmv.comC:\Windows\system32\kdsmv.com 964 "C:\Windows\SysWOW64\ybmwk.com"103⤵PID:2624
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat104⤵PID:1908
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg105⤵PID:1388
-
-
-
C:\Windows\SysWOW64\xunpe.comC:\Windows\system32\xunpe.com 960 "C:\Windows\SysWOW64\kdsmv.com"104⤵PID:2292
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat105⤵PID:2468
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg106⤵
- Modifies security service
PID:2956
-
-
-
C:\Windows\SysWOW64\ksqjn.comC:\Windows\system32\ksqjn.com 968 "C:\Windows\SysWOW64\xunpe.com"105⤵PID:2848
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat106⤵PID:768
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg107⤵
- Modifies security service
PID:2776
-
-
-
C:\Windows\SysWOW64\xjlmv.comC:\Windows\system32\xjlmv.com 976 "C:\Windows\SysWOW64\ksqjn.com"106⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat107⤵PID:304
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg108⤵PID:2704
-
-
-
C:\Windows\SysWOW64\klrch.comC:\Windows\system32\klrch.com 972 "C:\Windows\SysWOW64\xjlmv.com"107⤵PID:2284
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat108⤵PID:372
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg109⤵PID:1068
-
-
-
C:\Windows\SysWOW64\ukdzr.comC:\Windows\system32\ukdzr.com 980 "C:\Windows\SysWOW64\klrch.com"108⤵PID:2320
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat109⤵PID:1860
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg110⤵PID:2132
-
-
-
C:\Windows\SysWOW64\gmjpl.comC:\Windows\system32\gmjpl.com 984 "C:\Windows\SysWOW64\ukdzr.com"109⤵PID:2088
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat110⤵PID:696
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg111⤵PID:2120
-
-
-
C:\Windows\SysWOW64\tcert.comC:\Windows\system32\tcert.com 988 "C:\Windows\SysWOW64\gmjpl.com"110⤵PID:2836
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat111⤵PID:1092
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg112⤵PID:2044
-
-
-
C:\Windows\SysWOW64\gbzuc.comC:\Windows\system32\gbzuc.com 992 "C:\Windows\SysWOW64\tcert.com"111⤵
- Writes to the Master Boot Record (MBR)
PID:1876 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat112⤵PID:2132
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg113⤵PID:1268
-
-
-
C:\Windows\SysWOW64\idofp.comC:\Windows\system32\idofp.com 996 "C:\Windows\SysWOW64\gbzuc.com"112⤵
- Writes to the Master Boot Record (MBR)
PID:1680 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat113⤵PID:956
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg114⤵PID:1160
-
-
-
C:\Windows\SysWOW64\vfcma.comC:\Windows\system32\vfcma.com 1000 "C:\Windows\SysWOW64\idofp.com"113⤵PID:2192
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat114⤵PID:2572
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg115⤵PID:1528
-
-
-
C:\Windows\SysWOW64\hzicm.comC:\Windows\system32\hzicm.com 1004 "C:\Windows\SysWOW64\vfcma.com"114⤵PID:440
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat115⤵PID:1068
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg116⤵
- Modifies security service
PID:1756
-
-
-
C:\Windows\SysWOW64\uydfc.comC:\Windows\system32\uydfc.com 1012 "C:\Windows\SysWOW64\hzicm.com"115⤵PID:1644
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat116⤵PID:2132
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg117⤵PID:2604
-
-
-
C:\Windows\SysWOW64\ilnui.comC:\Windows\system32\ilnui.com 1008 "C:\Windows\SysWOW64\uydfc.com"116⤵PID:480
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat117⤵PID:1860
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg118⤵PID:1724
-
-
-
C:\Windows\SysWOW64\rznsy.comC:\Windows\system32\rznsy.com 1016 "C:\Windows\SysWOW64\ilnui.com"117⤵PID:2052
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat118⤵PID:2704
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg119⤵
- Modifies security service
PID:2172
-
-
-
C:\Windows\SysWOW64\emfhe.comC:\Windows\system32\emfhe.com 1020 "C:\Windows\SysWOW64\rznsy.com"118⤵
- Writes to the Master Boot Record (MBR)
PID:2868 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat119⤵PID:3052
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg120⤵PID:2888
-
-
-
C:\Windows\SysWOW64\rolxp.comC:\Windows\system32\rolxp.com 1028 "C:\Windows\SysWOW64\emfhe.com"119⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat120⤵PID:912
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg121⤵PID:2544
-
-
-
C:\Windows\SysWOW64\eegay.comC:\Windows\system32\eegay.com 1032 "C:\Windows\SysWOW64\rolxp.com"120⤵PID:2476
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat121⤵PID:1596
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg122⤵PID:1688