Analysis
max time kernel
54s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
20-06-2024 14:10
Static task
static1
Behavioral task
behavioral1
Sample
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target
06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe
Size
242KB
MD5
06b2a063d4f7ed1fbdf89ac4da07890a
SHA1
cfbec43e3d4ff6075a9f8593cf83467aa4b2ea40
SHA256
03e9725ebc272cc3c9e07d5d1a50278b35fa72dc209239d076e9376310e71149
SHA512
35f5fdbefc61b4aedeffc159f769add5f1406fb10c48ebfa47da3d8549280ced0373aac150ba16f6f3f6ebe60acf0cea3438c581cae139089c3fbfe3aa95d6ec
SSDEEP
6144:3663lQ0l+9TIddHOCOVrX7tfQN5/inEaMadDKNa1aIc8eH:Xl+1HCOVHtfQunka1KNaTc8eH
Malware Config
Signatures
-
Modifies security service 2 TTPs 64 IoCs
The registry writes below set the Start value of the Security Center (wscsvc) and Windows Update (wuauserv) services to 4, which marks them disabled so they are no longer started.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe 
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 21 416 cmd.exe -
Executes dropped EXE 64 IoCs
pid Process 4552 scxbt.com 2180 mzjoo.com 3912 nvhox.com 3100 pfyep.com 2912 zbzwx.com 4592 wyywy.com 4820 fkixz.com 2492 hrxho.com 2408 nsfcf.com 3016 uasur.com 960 cpoqd.com 2388 zjkdt.com 4752 kbzig.com 2672 pgtir.com 2712 jmztg.com 1832 rqjgy.com 4908 zrige.com 4468 flcbp.com 4536 knkwf.com 1308 xdfzo.com 2884 cjkoc.com 1604 jryho.com 1536 rjwhc.com 1392 cfxrk.com 4516 phemh.com 2292 zgrsa.com 1436 hdefd.com 980 ohokv.com 4892 wezxe.com 4272 ebmkq.com 4276 eqkqh.com 2164 uukll.com 1792 zhetw.com 4976 krtyj.com 5004 rzpqv.com 2460 euygb.com 1064 opzyr.com 3988 xfnmv.com 2316 haowc.com 3484 oijow.com 1836 zazub.com 4496 eywkp.com 2248 jzeff.com 1092 omxmy.com 4696 oxkfn.com 1724 reyhc.com 1184 mzbfp.com 3900 rijax.com 3600 ldoqx.com 4464 wypaf.com 3684 raulw.com 2108 rbvwq.com 640 wzsle.com 3132 yjsbw.com 1948 jbhhb.com 2864 mwcwo.com 4548 tlywi.com 4216 zjven.com 4948 hccec.com 3184 jmtuu.com 2524 rmsub.com 2528 bxjsi.com 4492 jmefl.com 3516 wolnx.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 qdsun.com -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\aspr_keys.ini hrxho.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini dbxdr.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini cztmu.com File opened for modification C:\Windows\SysWOW64\cjkoc.com xdfzo.com File created C:\Windows\SysWOW64\rijax.com mzbfp.com File created C:\Windows\SysWOW64\ebmkq.com wezxe.com File created C:\Windows\SysWOW64\rmsub.com jmtuu.com File created C:\Windows\SysWOW64\etqxc.com wevky.com File created C:\Windows\SysWOW64\eywkp.com zazub.com File opened for modification C:\Windows\SysWOW64\rmsub.com jmtuu.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini scxbt.com File created C:\Windows\SysWOW64\bmjiw.com txvvs.com File created C:\Windows\SysWOW64\tlywi.com mwcwo.com File opened for modification C:\Windows\SysWOW64\qoepg.com ntbst.com File created C:\Windows\SysWOW64\fkixz.com wyywy.com File created C:\Windows\SysWOW64\knkwf.com flcbp.com File created C:\Windows\SysWOW64\raulw.com wypaf.com File created C:\Windows\SysWOW64\vadtq.com ghgyg.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini ysocp.com File opened for modification C:\Windows\SysWOW64\zrige.com rqjgy.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini cfxrk.com File created C:\Windows\SysWOW64\rdizd.com ducws.com File opened for modification C:\Windows\SysWOW64\lqpgi.com yhref.com File opened for modification C:\Windows\SysWOW64\eqkqh.com ebmkq.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini euygb.com File opened for modification C:\Windows\SysWOW64\jpypq.com bozoc.com File created C:\Windows\SysWOW64\yywsd.com ndvho.com File opened for modification C:\Windows\SysWOW64\jbhhb.com yjsbw.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini jryho.com File created C:\Windows\SysWOW64\yjsbw.com wzsle.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini vadtq.com File opened for 
modification C:\Windows\SysWOW64\qdwis.com jvbqy.com File created C:\Windows\SysWOW64\ghgyg.com ajjqs.com File opened for modification C:\Windows\SysWOW64\hvzdn.com bmjiw.com File opened for modification C:\Windows\SysWOW64\qhsym.com gigbc.com File opened for modification C:\Windows\SysWOW64\wezxe.com ohokv.com File created C:\Windows\SysWOW64\tstge.com jtpju.com File created C:\Windows\SysWOW64\vmqrq.com lqpgi.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini dxahm.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini eywkp.com File created C:\Windows\SysWOW64\gfkek.com tstge.com File opened for modification C:\Windows\SysWOW64\jmtuu.com hccec.com File opened for modification C:\Windows\SysWOW64\lfrfg.com bnbhb.com File opened for modification C:\Windows\SysWOW64\mzjoo.com scxbt.com File created C:\Windows\SysWOW64\bvmox.com qdwis.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini rbvwq.com File created C:\Windows\SysWOW64\oqokz.com jpypq.com File created C:\Windows\SysWOW64\nsfcf.com hrxho.com File created C:\Windows\SysWOW64\ohokv.com hdefd.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini jgkfv.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini tolam.com File opened for modification C:\Windows\SysWOW64\ghgyg.com ajjqs.com File opened for modification C:\Windows\SysWOW64\dxahm.com qdsun.com File opened for modification C:\Windows\SysWOW64\zgrsa.com phemh.com File created C:\Windows\SysWOW64\wolnx.com jmefl.com File opened for modification C:\Windows\SysWOW64\bxjsi.com rmsub.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini rzpqv.com File created C:\Windows\SysWOW64\ldoqx.com rijax.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini yoxim.com File opened for modification C:\Windows\SysWOW64\aspr_keys.ini xfnmv.com File created C:\Windows\SysWOW64\qhsym.com gigbc.com File opened for modification C:\Windows\SysWOW64\zbzwx.com pfyep.com File opened for 
modification C:\Windows\SysWOW64\dbxdr.com ghcqb.com File opened for modification C:\Windows\SysWOW64\phemh.com cfxrk.com -
Runs .reg file with regedit 64 IoCs
pid Process 3172 regedit.exe 5836 regedit.exe 5876 regedit.exe 2608 Process not Found 3732 regedit.exe 6064 regedit.exe 4076 regedit.exe 5640 regedit.exe 1396 regedit.exe 8 regedit.exe 5796 regedit.exe 5268 regedit.exe 2440 Process not Found 4476 Process not Found 3784 Process not Found 5304 regedit.exe 2892 regedit.exe 3484 regedit.exe 1396 regedit.exe 4200 regedit.exe 5412 regedit.exe 3248 regedit.exe 1968 regedit.exe 2816 regedit.exe 3536 regedit.exe 5760 regedit.exe 892 Process not Found 1996 Process not Found 4852 Process not Found 6060 Process not Found 1576 Process not Found 4068 regedit.exe 5468 regedit.exe 500 regedit.exe 1188 regedit.exe 2608 Process not Found 1692 regedit.exe 5512 regedit.exe 1156 regedit.exe 5772 Process not Found 5196 regedit.exe 3788 regedit.exe 3688 regedit.exe 5620 regedit.exe 3244 regedit.exe 5836 regedit.exe 4608 regedit.exe 5140 regedit.exe 4424 regedit.exe 2300 Process not Found 2876 Process not Found 532 Process not Found 6132 regedit.exe 2012 regedit.exe 5200 regedit.exe 5500 regedit.exe 5316 regedit.exe 5648 Process not Found 6060 Process not Found 5472 Process not Found 5856 regedit.exe 5664 regedit.exe 5680 regedit.exe 5856 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 1576 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 91 PID 4832 wrote to memory of 1576 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 91 PID 4832 wrote to memory of 1576 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 91 PID 1576 wrote to memory of 2412 1576 cmd.exe 92 PID 1576 wrote to memory of 2412 1576 cmd.exe 92 PID 1576 wrote to memory of 2412 1576 cmd.exe 92 PID 4832 wrote to memory of 4552 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 93 PID 4832 wrote to memory of 4552 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 93 PID 4832 wrote to memory of 4552 4832 06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe 93 PID 4552 wrote to memory of 4724 4552 scxbt.com 94 PID 4552 wrote to memory of 4724 4552 scxbt.com 94 PID 4552 wrote to memory of 4724 4552 scxbt.com 94 PID 4724 wrote to memory of 1448 4724 cmd.exe 95 PID 4724 wrote to memory of 1448 4724 cmd.exe 95 PID 4724 wrote to memory of 1448 4724 cmd.exe 95 PID 4552 wrote to memory of 2180 4552 scxbt.com 96 PID 4552 wrote to memory of 2180 4552 scxbt.com 96 PID 4552 wrote to memory of 2180 4552 scxbt.com 96 PID 2180 wrote to memory of 1396 2180 mzjoo.com 97 PID 2180 wrote to memory of 1396 2180 mzjoo.com 97 PID 2180 wrote to memory of 1396 2180 mzjoo.com 97 PID 1396 wrote to memory of 1356 1396 cmd.exe 98 PID 1396 wrote to memory of 1356 1396 cmd.exe 98 PID 1396 wrote to memory of 1356 1396 cmd.exe 98 PID 2180 wrote to memory of 3912 2180 mzjoo.com 99 PID 2180 wrote to memory of 3912 2180 mzjoo.com 99 PID 2180 wrote to memory of 3912 2180 mzjoo.com 99 PID 3912 wrote to memory of 1208 3912 nvhox.com 100 PID 3912 wrote to memory of 1208 3912 nvhox.com 100 PID 3912 wrote to memory of 1208 3912 nvhox.com 100 PID 3912 wrote to memory of 3100 3912 nvhox.com 101 PID 3912 wrote to memory of 3100 3912 nvhox.com 101 PID 3912 wrote to memory of 3100 3912 nvhox.com 101 PID 1208 wrote to memory of 4536 1208 
cmd.exe 142 PID 1208 wrote to memory of 4536 1208 cmd.exe 142 PID 1208 wrote to memory of 4536 1208 cmd.exe 142 PID 3100 wrote to memory of 1272 3100 pfyep.com 103 PID 3100 wrote to memory of 1272 3100 pfyep.com 103 PID 3100 wrote to memory of 1272 3100 pfyep.com 103 PID 3100 wrote to memory of 2912 3100 pfyep.com 104 PID 3100 wrote to memory of 2912 3100 pfyep.com 104 PID 3100 wrote to memory of 2912 3100 pfyep.com 104 PID 2912 wrote to memory of 4948 2912 zbzwx.com 105 PID 2912 wrote to memory of 4948 2912 zbzwx.com 105 PID 2912 wrote to memory of 4948 2912 zbzwx.com 105 PID 4948 wrote to memory of 684 4948 cmd.exe 106 PID 4948 wrote to memory of 684 4948 cmd.exe 106 PID 4948 wrote to memory of 684 4948 cmd.exe 106 PID 2912 wrote to memory of 4592 2912 zbzwx.com 107 PID 2912 wrote to memory of 4592 2912 zbzwx.com 107 PID 2912 wrote to memory of 4592 2912 zbzwx.com 107 PID 4592 wrote to memory of 2520 4592 wyywy.com 108 PID 4592 wrote to memory of 2520 4592 wyywy.com 108 PID 4592 wrote to memory of 2520 4592 wyywy.com 108 PID 2520 wrote to memory of 3484 2520 cmd.exe 109 PID 2520 wrote to memory of 3484 2520 cmd.exe 109 PID 2520 wrote to memory of 3484 2520 cmd.exe 109 PID 4592 wrote to memory of 4820 4592 wyywy.com 110 PID 4592 wrote to memory of 4820 4592 wyywy.com 110 PID 4592 wrote to memory of 4820 4592 wyywy.com 110 PID 4820 wrote to memory of 1604 4820 fkixz.com 150 PID 4820 wrote to memory of 1604 4820 fkixz.com 150 PID 4820 wrote to memory of 1604 4820 fkixz.com 150 PID 1604 wrote to memory of 3872 1604 cmd.exe 112
Processes
C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
PID:2412
C:\Windows\SysWOW64\scxbt.comC:\Windows\system32\scxbt.com 1096 "C:\Users\Admin\AppData\Local\Temp\06b2a063d4f7ed1fbdf89ac4da07890a_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵PID:1448
C:\Windows\SysWOW64\mzjoo.comC:\Windows\system32\mzjoo.com 1208 "C:\Windows\SysWOW64\scxbt.com"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat4⤵
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
PID:1356
C:\Windows\SysWOW64\nvhox.comC:\Windows\system32\nvhox.com 1076 "C:\Windows\SysWOW64\mzjoo.com"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat5⤵
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
PID:4536
C:\Windows\SysWOW64\pfyep.comC:\Windows\system32\pfyep.com 1108 "C:\Windows\SysWOW64\nvhox.com"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat6⤵PID:1272
C:\Windows\SysWOW64\zbzwx.comC:\Windows\system32\zbzwx.com 1112 "C:\Windows\SysWOW64\pfyep.com"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat7⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵PID:684
C:\Windows\SysWOW64\wyywy.comC:\Windows\system32\wyywy.com 1116 "C:\Windows\SysWOW64\zbzwx.com"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat8⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Runs .reg file with regedit
PID:3484
C:\Windows\SysWOW64\fkixz.comC:\Windows\system32\fkixz.com 1120 "C:\Windows\SysWOW64\wyywy.com"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat9⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
PID:3872
C:\Windows\SysWOW64\hrxho.comC:\Windows\system32\hrxho.com 1080 "C:\Windows\SysWOW64\fkixz.com"9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat10⤵PID:1016
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
PID:3960
C:\Windows\SysWOW64\nsfcf.comC:\Windows\system32\nsfcf.com 1084 "C:\Windows\SysWOW64\hrxho.com"10⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat11⤵PID:1628
C:\Windows\SysWOW64\uasur.comC:\Windows\system32\uasur.com 1088 "C:\Windows\SysWOW64\nsfcf.com"11⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat12⤵PID:4424
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵PID:2268
C:\Windows\SysWOW64\cpoqd.comC:\Windows\system32\cpoqd.com 1136 "C:\Windows\SysWOW64\uasur.com"12⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat13⤵PID:2972
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg14⤵
- Modifies security service
PID:1516
C:\Windows\SysWOW64\zjkdt.comC:\Windows\system32\zjkdt.com 1124 "C:\Windows\SysWOW64\cpoqd.com"13⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat14⤵PID:1068
C:\Windows\SysWOW64\kbzig.comC:\Windows\system32\kbzig.com 1092 "C:\Windows\SysWOW64\zjkdt.com"14⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat15⤵PID:4436
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg16⤵
- Modifies security service
PID:1900
C:\Windows\SysWOW64\pgtir.comC:\Windows\system32\pgtir.com 1148 "C:\Windows\SysWOW64\kbzig.com"15⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat16⤵PID:2316
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg17⤵
- Runs .reg file with regedit
PID:3244
C:\Windows\SysWOW64\jmztg.comC:\Windows\system32\jmztg.com 1140 "C:\Windows\SysWOW64\pgtir.com"16⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat17⤵PID:2684
C:\Windows\SysWOW64\rqjgy.comC:\Windows\system32\rqjgy.com 1100 "C:\Windows\SysWOW64\jmztg.com"17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat18⤵PID:4400
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg19⤵PID:1536
C:\Windows\SysWOW64\zrige.comC:\Windows\system32\zrige.com 1104 "C:\Windows\SysWOW64\rqjgy.com"18⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat19⤵PID:1960
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg20⤵PID:4588
C:\Windows\SysWOW64\flcbp.comC:\Windows\system32\flcbp.com 1164 "C:\Windows\SysWOW64\zrige.com"19⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat20⤵PID:1212
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg21⤵PID:3000
C:\Windows\SysWOW64\knkwf.comC:\Windows\system32\knkwf.com 1168 "C:\Windows\SysWOW64\flcbp.com"20⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat21⤵PID:2424
C:\Windows\SysWOW64\xdfzo.comC:\Windows\system32\xdfzo.com 1172 "C:\Windows\SysWOW64\knkwf.com"21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat22⤵PID:1184
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg23⤵
- Modifies security service
PID:3244
C:\Windows\SysWOW64\cjkoc.comC:\Windows\system32\cjkoc.com 1176 "C:\Windows\SysWOW64\xdfzo.com"22⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat23⤵PID:4140
C:\Windows\SysWOW64\jryho.comC:\Windows\system32\jryho.com 1144 "C:\Windows\SysWOW64\cjkoc.com"23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat24⤵PID:980
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg25⤵
- Modifies security service
- Runs .reg file with regedit
PID:3248
C:\Windows\SysWOW64\rjwhc.comC:\Windows\system32\rjwhc.com 1156 "C:\Windows\SysWOW64\jryho.com"24⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat25⤵PID:4208
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg26⤵PID:4588
C:\Windows\SysWOW64\cfxrk.comC:\Windows\system32\cfxrk.com 1200 "C:\Windows\SysWOW64\rjwhc.com"25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat26⤵PID:4664
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg27⤵PID:2732
C:\Windows\SysWOW64\phemh.comC:\Windows\system32\phemh.com 1128 "C:\Windows\SysWOW64\cfxrk.com"26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat27⤵PID:5004
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg28⤵
- Modifies security service
PID:4216
C:\Windows\SysWOW64\zgrsa.comC:\Windows\system32\zgrsa.com 1192 "C:\Windows\SysWOW64\phemh.com"27⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat28⤵PID:1560
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg29⤵PID:1548
C:\Windows\SysWOW64\hdefd.comC:\Windows\system32\hdefd.com 1196 "C:\Windows\SysWOW64\zgrsa.com"28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat29⤵PID:2244
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg30⤵
- Modifies security service
- Runs .reg file with regedit
PID:1968
C:\Windows\SysWOW64\ohokv.comC:\Windows\system32\ohokv.com 1152 "C:\Windows\SysWOW64\hdefd.com"29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat30⤵PID:1088
C:\Windows\SysWOW64\wezxe.comC:\Windows\system32\wezxe.com 1184 "C:\Windows\SysWOW64\ohokv.com"30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat31⤵PID:1384
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg32⤵
- Modifies security service
PID:3664
C:\Windows\SysWOW64\ebmkq.comC:\Windows\system32\ebmkq.com 1132 "C:\Windows\SysWOW64\wezxe.com"31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat32⤵PID:1700
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg33⤵PID:3684
C:\Windows\SysWOW64\eqkqh.comC:\Windows\system32\eqkqh.com 1220 "C:\Windows\SysWOW64\ebmkq.com"32⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat33⤵PID:4596
C:\Windows\SysWOW64\uukll.comC:\Windows\system32\uukll.com 1332 "C:\Windows\SysWOW64\eqkqh.com"33⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat34⤵PID:5028
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg35⤵
- Modifies security service
PID:4428
C:\Windows\SysWOW64\zhetw.comC:\Windows\system32\zhetw.com 1160 "C:\Windows\SysWOW64\uukll.com"34⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat35⤵PID:2420
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg36⤵PID:1064
C:\Windows\SysWOW64\krtyj.comC:\Windows\system32\krtyj.com 1228 "C:\Windows\SysWOW64\zhetw.com"35⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat36⤵PID:1912
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg37⤵
- Modifies security service
PID:3484
C:\Windows\SysWOW64\rzpqv.comC:\Windows\system32\rzpqv.com 1340 "C:\Windows\SysWOW64\krtyj.com"36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat37⤵PID:1548
C:\Windows\SysWOW64\euygb.comC:\Windows\system32\euygb.com 1344 "C:\Windows\SysWOW64\rzpqv.com"37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat38⤵PID:4136
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg39⤵
- Modifies security service
PID:2196
C:\Windows\SysWOW64\opzyr.comC:\Windows\system32\opzyr.com 1180 "C:\Windows\SysWOW64\euygb.com"38⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat39⤵PID:1836
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg40⤵
- Modifies security service
PID:1960
C:\Windows\SysWOW64\xfnmv.comC:\Windows\system32\xfnmv.com 1236 "C:\Windows\SysWOW64\opzyr.com"39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat40⤵PID:2908
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg41⤵
- Modifies security service
PID:208
C:\Windows\SysWOW64\haowc.comC:\Windows\system32\haowc.com 1252 "C:\Windows\SysWOW64\xfnmv.com"40⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat41⤵PID:4068
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg42⤵
- Modifies security service
PID:3516
C:\Windows\SysWOW64\oijow.comC:\Windows\system32\oijow.com 1360 "C:\Windows\SysWOW64\haowc.com"41⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat42⤵PID:1092
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg43⤵
- Modifies security service
PID:1040
C:\Windows\SysWOW64\zazub.comC:\Windows\system32\zazub.com 1256 "C:\Windows\SysWOW64\oijow.com"42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat43⤵PID:5112
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg44⤵PID:2268
C:\Windows\SysWOW64\eywkp.comC:\Windows\system32\eywkp.com 1248 "C:\Windows\SysWOW64\zazub.com"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat44⤵PID:2608
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg45⤵
- Modifies security service
- Runs .reg file with regedit
PID:1396
-
-
-
C:\Windows\SysWOW64\jzeff.comC:\Windows\system32\jzeff.com 1240 "C:\Windows\SysWOW64\eywkp.com"44⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat45⤵PID:436
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg46⤵PID:5096
-
-
-
C:\Windows\SysWOW64\omxmy.comC:\Windows\system32\omxmy.com 1244 "C:\Windows\SysWOW64\jzeff.com"45⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat46⤵PID:2028
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg47⤵
- Modifies security service
- Runs .reg file with regedit
PID:4068
-
-
-
C:\Windows\SysWOW64\oxkfn.comC:\Windows\system32\oxkfn.com 1380 "C:\Windows\SysWOW64\omxmy.com"46⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat47⤵PID:4140
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg48⤵
- Modifies security service
PID:3888
-
-
-
C:\Windows\SysWOW64\reyhc.comC:\Windows\system32\reyhc.com 1268 "C:\Windows\SysWOW64\oxkfn.com"47⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat48⤵PID:3080
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg49⤵
- Modifies security service
- Runs .reg file with regedit
PID:1396
-
-
-
C:\Windows\SysWOW64\mzbfp.comC:\Windows\system32\mzbfp.com 1188 "C:\Windows\SysWOW64\reyhc.com"48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat49⤵PID:2244
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg50⤵
- Modifies security service
PID:3200
-
-
-
C:\Windows\SysWOW64\rijax.comC:\Windows\system32\rijax.com 1216 "C:\Windows\SysWOW64\mzbfp.com"49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat50⤵PID:4588
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg51⤵
- Modifies security service
PID:4216
-
-
-
C:\Windows\SysWOW64\ldoqx.comC:\Windows\system32\ldoqx.com 1284 "C:\Windows\SysWOW64\rijax.com"50⤵
- Executes dropped EXE
PID:3600 -
Process image: C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c c:\acx.bat (tree depth 51) PID:1576 (no regedit.exe child is recorded under this instance, unlike its siblings; whether acx.bat exited early or the child was simply not captured is not shown by the report)
-
-
C:\Windows\SysWOW64\wypaf.comC:\Windows\system32\wypaf.com 1320 "C:\Windows\SysWOW64\ldoqx.com"51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat52⤵PID:2332
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg53⤵PID:3216
-
-
-
C:\Windows\SysWOW64\raulw.comC:\Windows\system32\raulw.com 1204 "C:\Windows\SysWOW64\wypaf.com"52⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat53⤵PID:3260
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg54⤵PID:2268
-
-
-
C:\Windows\SysWOW64\rbvwq.comC:\Windows\system32\rbvwq.com 1276 "C:\Windows\SysWOW64\raulw.com"53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat54⤵PID:4476
-
-
C:\Windows\SysWOW64\wzsle.comC:\Windows\system32\wzsle.com 1260 "C:\Windows\SysWOW64\rbvwq.com"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat55⤵PID:5108
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg56⤵PID:3080
-
-
-
C:\Windows\SysWOW64\yjsbw.comC:\Windows\system32\yjsbw.com 1296 "C:\Windows\SysWOW64\wzsle.com"55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat56⤵PID:4588
-
-
C:\Windows\SysWOW64\jbhhb.comC:\Windows\system32\jbhhb.com 1420 "C:\Windows\SysWOW64\yjsbw.com"56⤵
- Executes dropped EXE
PID:1948 -
Process image: C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c c:\acx.bat (tree depth 57)
- Blocklisted process makes network request (the only cmd.exe instance in this part of the tree carrying this tag; the destination is not shown here, and since the command line is identical to every other cmd.exe instance the request presumably originates from something acx.bat runs rather than from cmd.exe itself — confirm against the network section)
PID:416 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg58⤵
- Modifies security service
PID:1592
-
-
-
C:\Windows\SysWOW64\mwcwo.comC:\Windows\system32\mwcwo.com 1288 "C:\Windows\SysWOW64\jbhhb.com"57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat58⤵PID:3920
-
-
C:\Windows\SysWOW64\tlywi.comC:\Windows\system32\tlywi.com 1292 "C:\Windows\SysWOW64\mwcwo.com"58⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat59⤵PID:3608
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg60⤵PID:3488
-
-
-
C:\Windows\SysWOW64\zjven.comC:\Windows\system32\zjven.com 1280 "C:\Windows\SysWOW64\tlywi.com"59⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat60⤵PID:684
-
-
C:\Windows\SysWOW64\hccec.comC:\Windows\system32\hccec.com 1316 "C:\Windows\SysWOW64\zjven.com"60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat61⤵PID:2972
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg62⤵
- Modifies security service
PID:2028
-
-
-
C:\Windows\SysWOW64\jmtuu.comC:\Windows\system32\jmtuu.com 1440 "C:\Windows\SysWOW64\hccec.com"61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat62⤵PID:4992
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg63⤵PID:1144
-
-
-
C:\Windows\SysWOW64\rmsub.comC:\Windows\system32\rmsub.com 1444 "C:\Windows\SysWOW64\jmtuu.com"62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat63⤵PID:2244
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg64⤵
- Modifies security service
- Runs .reg file with regedit
PID:4200
-
-
-
C:\Windows\SysWOW64\bxjsi.comC:\Windows\system32\bxjsi.com 1264 "C:\Windows\SysWOW64\rmsub.com"63⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat64⤵PID:3116
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg65⤵
- Modifies security service
PID:3008
-
-
-
C:\Windows\SysWOW64\jmefl.comC:\Windows\system32\jmefl.com 1212 "C:\Windows\SysWOW64\bxjsi.com"64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat65⤵PID:3940
-
-
C:\Windows\SysWOW64\wolnx.comC:\Windows\system32\wolnx.com 1456 "C:\Windows\SysWOW64\jmefl.com"65⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat66⤵PID:3416
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg67⤵PID:4396
-
-
-
Process image: C:\Windows\SysWOW64\jffqo.com — command line: C:\Windows\system32\jffqo.com 1460 "C:\Windows\SysWOW64\wolnx.com" (tree depth 66) PID:2028 (from this node onward the "Executes dropped EXE" tag no longer appears although the launch pattern is unchanged; this is probably a per-signature reporting cap in the sandbox rather than a change in behaviour, but the report does not say)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat67⤵PID:2452
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg68⤵
- Modifies security service
PID:2156
-
-
-
C:\Windows\SysWOW64\txvvs.comC:\Windows\system32\txvvs.com 1312 "C:\Windows\SysWOW64\jffqo.com"67⤵
- Drops file in System32 directory
PID:208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat68⤵PID:5116
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg69⤵PID:2332
-
-
-
C:\Windows\SysWOW64\bmjiw.comC:\Windows\system32\bmjiw.com 1232 "C:\Windows\SysWOW64\txvvs.com"68⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat69⤵PID:5104
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg70⤵
- Modifies security service
PID:5028
-
-
-
C:\Windows\SysWOW64\hvzdn.comC:\Windows\system32\hvzdn.com 1476 "C:\Windows\SysWOW64\bmjiw.com"69⤵PID:3596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat70⤵PID:1376
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg71⤵
- Modifies security service
PID:4560
-
-
-
C:\Windows\SysWOW64\ooydb.comC:\Windows\system32\ooydb.com 1328 "C:\Windows\SysWOW64\hvzdn.com"70⤵PID:684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat71⤵PID:2668
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg72⤵PID:4396
-
-
-
C:\Windows\SysWOW64\odnjs.comC:\Windows\system32\odnjs.com 1224 "C:\Windows\SysWOW64\ooydb.com"71⤵PID:2420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat72⤵PID:1668
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg73⤵
- Modifies security service
PID:2996
-
-
-
C:\Windows\SysWOW64\tqiwx.comC:\Windows\system32\tqiwx.com 1364 "C:\Windows\SysWOW64\odnjs.com"72⤵PID:1548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat73⤵PID:4556
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg74⤵
- Modifies security service
PID:4260
-
-
-
C:\Windows\SysWOW64\bqhwe.comC:\Windows\system32\bqhwe.com 1348 "C:\Windows\SysWOW64\tqiwx.com"73⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat74⤵PID:1516
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg75⤵PID:4260
-
-
-
C:\Windows\SysWOW64\gsxru.comC:\Windows\system32\gsxru.com 1352 "C:\Windows\SysWOW64\bqhwe.com"74⤵PID:3692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat75⤵PID:3872
-
-
C:\Windows\SysWOW64\owzem.comC:\Windows\system32\owzem.com 1396 "C:\Windows\SysWOW64\gsxru.com"75⤵PID:1376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat76⤵PID:2332
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg77⤵PID:1104
-
-
-
C:\Windows\SysWOW64\bnbhb.comC:\Windows\system32\bnbhb.com 1272 "C:\Windows\SysWOW64\owzem.com"76⤵
- Drops file in System32 directory
PID:4200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat77⤵PID:1716
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg78⤵
- Modifies security service
PID:3352
-
-
-
C:\Windows\SysWOW64\lfrfg.comC:\Windows\system32\lfrfg.com 1384 "C:\Windows\SysWOW64\bnbhb.com"77⤵PID:1936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat78⤵PID:2264
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg79⤵PID:4904
-
-
-
C:\Windows\SysWOW64\wevky.comC:\Windows\system32\wevky.com 1508 "C:\Windows\SysWOW64\lfrfg.com"78⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat79⤵PID:4472
-
-
C:\Windows\SysWOW64\etqxc.comC:\Windows\system32\etqxc.com 1368 "C:\Windows\SysWOW64\wevky.com"79⤵PID:4132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat80⤵PID:3536
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg81⤵PID:1592
-
-
-
C:\Windows\SysWOW64\jgkfv.comC:\Windows\system32\jgkfv.com 1372 "C:\Windows\SysWOW64\etqxc.com"80⤵
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat81⤵PID:5104
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg82⤵PID:4380
-
-
-
C:\Windows\SysWOW64\oisal.comC:\Windows\system32\oisal.com 1300 "C:\Windows\SysWOW64\jgkfv.com"81⤵PID:4020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat82⤵PID:4036
-
-
C:\Windows\SysWOW64\yaiyq.comC:\Windows\system32\yaiyq.com 1528 "C:\Windows\SysWOW64\oisal.com"82⤵PID:5072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat83⤵PID:3244
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg84⤵PID:3536
-
-
-
C:\Windows\SysWOW64\jvbqy.comC:\Windows\system32\jvbqy.com 1304 "C:\Windows\SysWOW64\yaiyq.com"83⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat84⤵PID:3664
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg85⤵PID:4448
-
-
-
C:\Windows\SysWOW64\qdwis.comC:\Windows\system32\qdwis.com 1404 "C:\Windows\SysWOW64\jvbqy.com"84⤵
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat85⤵PID:5028
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg86⤵PID:4328
-
-
-
C:\Windows\SysWOW64\bvmox.comC:\Windows\system32\bvmox.com 1412 "C:\Windows\SysWOW64\qdwis.com"85⤵PID:1016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat86⤵PID:5108
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg87⤵
- Modifies security service
PID:4400
-
-
-
C:\Windows\SysWOW64\luqlp.comC:\Windows\system32\luqlp.com 1408 "C:\Windows\SysWOW64\bvmox.com"86⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat87⤵PID:3080
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg88⤵PID:2440
-
-
-
C:\Windows\SysWOW64\vqrdx.comC:\Windows\system32\vqrdx.com 1548 "C:\Windows\SysWOW64\luqlp.com"87⤵PID:1396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat88⤵PID:4336
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg89⤵
- Modifies security service
PID:3416
-
-
-
C:\Windows\SysWOW64\gigbc.comC:\Windows\system32\gigbc.com 1544 "C:\Windows\SysWOW64\vqrdx.com"88⤵
- Drops file in System32 directory
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat89⤵PID:1800
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg90⤵PID:1408
-
-
-
C:\Windows\SysWOW64\qhsym.comC:\Windows\system32\qhsym.com 1424 "C:\Windows\SysWOW64\gigbc.com"89⤵PID:4448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat90⤵PID:1628
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg91⤵PID:2484
-
-
-
C:\Windows\SysWOW64\ducws.comC:\Windows\system32\ducws.com 1416 "C:\Windows\SysWOW64\qhsym.com"90⤵
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat91⤵PID:3676
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg92⤵
- Modifies security service
PID:4336
-
-
-
C:\Windows\SysWOW64\rdizd.comC:\Windows\system32\rdizd.com 1432 "C:\Windows\SysWOW64\ducws.com"91⤵PID:3216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat92⤵PID:5040
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg93⤵
- Modifies security service
PID:3728
-
-
-
C:\Windows\SysWOW64\bozoc.comC:\Windows\system32\bozoc.com 1392 "C:\Windows\SysWOW64\rdizd.com"92⤵
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat93⤵PID:4556
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg94⤵
- Modifies security service
PID:2204
-
-
-
C:\Windows\SysWOW64\jpypq.comC:\Windows\system32\jpypq.com 1400 "C:\Windows\SysWOW64\bozoc.com"93⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat94⤵PID:4988
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg95⤵
- Modifies security service
PID:2416
-
-
-
C:\Windows\SysWOW64\oqokz.comC:\Windows\system32\oqokz.com 1324 "C:\Windows\SysWOW64\jpypq.com"94⤵PID:2204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat95⤵PID:4852
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg96⤵PID:4572
-
-
-
C:\Windows\SysWOW64\tolam.comC:\Windows\system32\tolam.com 1376 "C:\Windows\SysWOW64\oqokz.com"95⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat96⤵PID:4328
-
-
C:\Windows\SysWOW64\yeqmi.comC:\Windows\system32\yeqmi.com 1308 "C:\Windows\SysWOW64\tolam.com"96⤵PID:1740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat97⤵PID:1968
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg98⤵
- Modifies security service
PID:4040
-
-
-
C:\Windows\SysWOW64\jtufk.comC:\Windows\system32\jtufk.com 1588 "C:\Windows\SysWOW64\yeqmi.com"97⤵PID:4600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat98⤵PID:4472
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg99⤵
- Runs .reg file with regedit
PID:1692
-
-
-
C:\Windows\SysWOW64\lzipa.comC:\Windows\system32\lzipa.com 1056 "C:\Windows\SysWOW64\jtufk.com"98⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat99⤵PID:1996
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg100⤵
- Modifies security service
PID:4372
-
-
-
C:\Windows\SysWOW64\qeuxt.comC:\Windows\system32\qeuxt.com 1464 "C:\Windows\SysWOW64\lzipa.com"99⤵PID:4904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat100⤵PID:2600
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg101⤵
- Runs .reg file with regedit
PID:2816
-
-
-
C:\Windows\SysWOW64\vnksj.comC:\Windows\system32\vnksj.com 1468 "C:\Windows\SysWOW64\qeuxt.com"100⤵PID:1804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat101⤵PID:1960
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg102⤵PID:3792
-
-
-
C:\Windows\SysWOW64\blhap.comC:\Windows\system32\blhap.com 1472 "C:\Windows\SysWOW64\vnksj.com"101⤵PID:4260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat102⤵PID:3608
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg103⤵PID:1960
-
-
-
C:\Windows\SysWOW64\dvzyh.comC:\Windows\system32\dvzyh.com 1436 "C:\Windows\SysWOW64\blhap.com"102⤵PID:2424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat103⤵PID:1208
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg104⤵
- Modifies security service
PID:884
-
-
-
C:\Windows\SysWOW64\itegv.comC:\Windows\system32\itegv.com 1612 "C:\Windows\SysWOW64\dvzyh.com"103⤵PID:3416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat104⤵PID:3704
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg105⤵
- Modifies security service
PID:5144
-
-
-
C:\Windows\SysWOW64\gnztl.comC:\Windows\system32\gnztl.com 1480 "C:\Windows\SysWOW64\itegv.com"104⤵PID:1716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat105⤵PID:5176
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg106⤵PID:5632
-
-
-
C:\Windows\SysWOW64\twgeo.comC:\Windows\system32\twgeo.com 1356 "C:\Windows\SysWOW64\gnztl.com"105⤵PID:5660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat106⤵PID:5692
-
-
C:\Windows\SysWOW64\esyoe.comC:\Windows\system32\esyoe.com 1492 "C:\Windows\SysWOW64\twgeo.com"106⤵PID:5740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat107⤵PID:5772
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg108⤵
- Modifies security service
PID:3020
-
-
-
C:\Windows\SysWOW64\jtpju.comC:\Windows\system32\jtpju.com 1388 "C:\Windows\SysWOW64\esyoe.com"107⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat108⤵PID:4400
-
-
C:\Windows\SysWOW64\tstge.comC:\Windows\system32\tstge.com 1628 "C:\Windows\SysWOW64\jtpju.com"108⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat109⤵PID:2892
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg110⤵PID:5388
-
-
-
C:\Windows\SysWOW64\gfkek.comC:\Windows\system32\gfkek.com 1636 "C:\Windows\SysWOW64\tstge.com"109⤵PID:5368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat110⤵PID:5420
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg111⤵
- Modifies security service
PID:6008
-
-
-
C:\Windows\SysWOW64\jxacp.comC:\Windows\system32\jxacp.com 1452 "C:\Windows\SysWOW64\gfkek.com"110⤵PID:5880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat111⤵PID:5932
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg112⤵PID:4472
-
-
-
C:\Windows\SysWOW64\qfncj.comC:\Windows\system32\qfncj.com 1640 "C:\Windows\SysWOW64\jxacp.com"111⤵PID:1204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat112⤵PID:1072
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg113⤵
- Modifies security service
- Runs .reg file with regedit
PID:5512
-
-
-
C:\Windows\SysWOW64\ygmcq.comC:\Windows\system32\ygmcq.com 1496 "C:\Windows\SysWOW64\qfncj.com"112⤵PID:5456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat113⤵PID:5564
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg114⤵PID:6128
-
-
-
C:\Windows\SysWOW64\iyczd.comC:\Windows\system32\iyczd.com 1512 "C:\Windows\SysWOW64\ygmcq.com"113⤵PID:6120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat114⤵PID:6076
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg115⤵
- Modifies security service
PID:2012
-
-
-
C:\Windows\SysWOW64\ndvho.comC:\Windows\system32\ndvho.com 1524 "C:\Windows\SysWOW64\iyczd.com"114⤵
- Drops file in System32 directory
PID:4720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat115⤵PID:5196
-
-
C:\Windows\SysWOW64\yywsd.comC:\Windows\system32\yywsd.com 1488 "C:\Windows\SysWOW64\ndvho.com"115⤵PID:5244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat116⤵PID:5336
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg117⤵
- Modifies security service
PID:5692
-
-
-
C:\Windows\SysWOW64\bnmie.comC:\Windows\system32\bnmie.com 1428 "C:\Windows\SysWOW64\yywsd.com"116⤵PID:5504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat117⤵PID:3552
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg118⤵
- Modifies security service
PID:4424
-
-
-
C:\Windows\SysWOW64\iuzir.comC:\Windows\system32\iuzir.com 1448 "C:\Windows\SysWOW64\bnmie.com"117⤵PID:5216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat118⤵PID:4624
-
-
C:\Windows\SysWOW64\tepfd.comC:\Windows\system32\tepfd.com 1532 "C:\Windows\SysWOW64\iuzir.com"118⤵PID:4556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat119⤵PID:5920
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg120⤵PID:5464
-
-
-
C:\Windows\SysWOW64\yoxim.comC:\Windows\system32\yoxim.com 1536 "C:\Windows\SysWOW64\tepfd.com"119⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\acx.bat120⤵PID:5492
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg121⤵
- Modifies security service
PID:6112
-
-
-
Process image: C:\Windows\SysWOW64\sikqm.com — command line: C:\Windows\system32\sikqm.com 1484 "C:\Windows\SysWOW64\yoxim.com" (tree depth 120)
-
Process image: C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c c:\acx.bat (tree depth 121) PID:5972
-
Process image: C:\Windows\SysWOW64\regedit.exe — command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg (tree depth 122)
- Modifies security service
PID:5140
The tree ends here at depth 122 without any node that breaks the pattern, so the chain was presumably still spawning when the analysis stopped; treat the list of dropped .com names as a lower bound, not the full set.
-