Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2023, 13:07 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 70fc1cb8040d8c_JC.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: 70fc1cb8040d8c_JC.exe
Resource: win10v2004-20230703-en
General
Target: 70fc1cb8040d8c_JC.exe
Size: 329KB
MD5: 70fc1cb8040d8cf805935315c7748542
SHA1: c266c308eac95687553a3577fee1438714681535
SHA256: 84723ebfd4d98baaf0cd21ebd0fc695734ea99ecd946d9ba334199de65d0221a
SHA512: 5e0ced633bf82472886b8c5fa15701a5d1cddeb262a10d44930955e0cf6da7e720323bb7e2ea73150e186e30dce8d7066c34f32fa8761c86440725718c140414
SSDEEP: 6144:jVBjI4zHp2b1I1NXp3AdoIFr52mmWGZNBS5qldVbNb5vx+FF95ri1HswCDXNrGV9:7IQ0b1IX90oIFr52mC3S5q5to5W1HAjk
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cmd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cmd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cscript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cscript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cmd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | DllHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cscript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Conhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cmd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DllHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation | cQUEwEkc.exe
Executes dropped EXE (2 IoCs)
pid | Process
4884 | cQUEwEkc.exe
1928 | HKkcMEIs.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cQUEwEkc.exe = "C:\\Users\\Admin\\dyAIYgoA\\cQUEwEkc.exe" | 70fc1cb8040d8c_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKkcMEIs.exe = "C:\\ProgramData\\PgwYEAkI\\HKkcMEIs.exe" | 70fc1cb8040d8c_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cQUEwEkc.exe = "C:\\Users\\Admin\\dyAIYgoA\\cQUEwEkc.exe" | cQUEwEkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKkcMEIs.exe = "C:\\ProgramData\\PgwYEAkI\\HKkcMEIs.exe" | HKkcMEIs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GaEkYwMk.exe = "C:\\Users\\Admin\\waYowsks\\GaEkYwMk.exe" | 70fc1cb8040d8c_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IckIYwsE.exe = "C:\\ProgramData\\gcIEMYIA\\IckIYwsE.exe" | 70fc1cb8040d8c_JC.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70fc1cb8040d8c_JC.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70fc1cb8040d8c_JC.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70fc1cb8040d8c_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | cQUEwEkc.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | HKkcMEIs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4940 | 1448 | WerFault.exe | 136
2216 | 1232 | WerFault.exe | 139
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
1820 | reg.exe
3448 | reg.exe
544 | reg.exe
2132 | reg.exe
4680 | reg.exe
884 | reg.exe
4376 | reg.exe
4000 | reg.exe
3748 | reg.exe
628 | reg.exe
2496 | reg.exe
4044 | reg.exe
1080 | reg.exe
1952 | reg.exe
3508 | reg.exe
3752 | Process not Found
4900 | reg.exe
4852 | reg.exe
1452 | reg.exe
3616 | reg.exe
4204 | reg.exe
1660 | reg.exe
4568 | reg.exe
3948 | reg.exe
4232 | reg.exe
4164 | reg.exe
4376 | reg.exe
5084 | reg.exe
3560 | reg.exe
1660 | reg.exe
4408 | reg.exe
1308 | reg.exe
3716 | reg.exe
3348 | reg.exe
1420 | reg.exe
2272 | reg.exe
516 | reg.exe
836 | reg.exe
1848 | reg.exe
836 | reg.exe
1864 | reg.exe
1064 | reg.exe
1660 | reg.exe
3376 | reg.exe
1524 | reg.exe
4268 | reg.exe
4132 | reg.exe
4116 | reg.exe
4972 | reg.exe
5104 | reg.exe
884 | reg.exe
3232 | reg.exe
2164 | reg.exe
2228 | reg.exe
3600 | reg.exe
4916 | reg.exe
4376 | reg.exe
2436 | reg.exe
1100 | reg.exe
5084 | reg.exe
920 | reg.exe
4916 | reg.exe
1804 | reg.exe
1884 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (identical consecutive rows collapsed, with the row count in parentheses)
1212 | 70fc1cb8040d8c_JC.exe (4 rows)
2084 | 70fc1cb8040d8c_JC.exe (4 rows)
4464 | 70fc1cb8040d8c_JC.exe (4 rows)
3392 | 70fc1cb8040d8c_JC.exe (4 rows)
1344 | 70fc1cb8040d8c_JC.exe (4 rows)
3052 | 70fc1cb8040d8c_JC.exe (2 rows)
3052 | reg.exe (2 rows)
2812 | 70fc1cb8040d8c_JC.exe (4 rows)
4792 | 70fc1cb8040d8c_JC.exe (4 rows)
1840 | Conhost.exe (4 rows)
3012 | 70fc1cb8040d8c_JC.exe (4 rows)
3340 | 70fc1cb8040d8c_JC.exe (4 rows)
3800 | 70fc1cb8040d8c_JC.exe (4 rows)
228 | 70fc1cb8040d8c_JC.exe (4 rows)
3372 | reg.exe (4 rows)
1284 | Conhost.exe (4 rows)
1816 | 70fc1cb8040d8c_JC.exe (4 rows)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4884 | cQUEwEkc.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process (identical rows collapsed, with the row count in parentheses)
4884 | cQUEwEkc.exe (64 rows)
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes (each entry gives its depth in the process tree, its PID, the image path and the command line, followed by the signatures it triggered)
- depth 1, PID 1212: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 2, PID 4884: C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe
  command line: "C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
- depth 2, PID 1928: C:\ProgramData\PgwYEAkI\HKkcMEIs.exe
  command line: "C:\ProgramData\PgwYEAkI\HKkcMEIs.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
- depth 2, PID 4940: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Suspicious use of WriteProcessMemory
- depth 3, PID 2084: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 4, PID 4864: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Suspicious use of WriteProcessMemory
- depth 5, PID 4464: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 6, PID 2120: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Suspicious use of WriteProcessMemory
- depth 7, PID 3392: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 8, PID 4556: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 9, PID 4952: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Adds Run key to start application
- depth 10, PID 1448: C:\Users\Admin\waYowsks\GaEkYwMk.exe
  command line: "C:\Users\Admin\waYowsks\GaEkYwMk.exe"
- depth 11, PID 4940: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 224
  - Program crash
- depth 10, PID 3660: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 11, PID 1344: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 12, PID 2620: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 13, PID 3052: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
- depth 14, PID 4032: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 15, PID 2812: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 16, PID 1100: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 17, PID 4792: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 18, PID 4988: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 19, PID 1840: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 20, PID 1792: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 21, PID 3012: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 22, PID 4364: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 23, PID 3340: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 24, PID 4680: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 25, PID 3800: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 26, PID 4496: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 27, PID 228: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 28, PID 468: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 29, PID 1840: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Suspicious behavior: EnumeratesProcesses
- depth 29, PID 3372: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 30, PID 4160: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 31, PID 1284: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 32, PID 1308: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 33, PID 1816: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 34, PID 640: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 35, PID 4040: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 35, PID 4216: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 36, PID 3392: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 37, PID 3724: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 38, PID 4060: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 39, PID 2120: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 40, PID 1352: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 41, PID 3560: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 42, PID 1876: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 43, PID 3948: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Modifies visibility of file extensions in Explorer
- depth 44, PID 3740: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 45, PID 2216: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 46, PID 956: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 47, PID 3192: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 48, PID 2076: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 49, PID 1308: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 50, PID 4852: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 51, PID 4984: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 52, PID 388: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 53, PID 3480: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 54, PID 5008: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 55, PID 1284: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Suspicious behavior: EnumeratesProcesses
- depth 55, PID 736: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 56, PID 2976: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Checks whether UAC is enabled
  - System policy modification
- depth 57, PID 220: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
- depth 57, PID 752: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 58, PID 4208: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 59, PID 228: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
  - Suspicious behavior: EnumeratesProcesses
- depth 60, PID 4520: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 61, PID 2892: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 62, PID 956: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 63, PID 3536: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 64, PID 4836: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 65, PID 2164: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 66, PID 4252: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 67, PID 640: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 68, PID 4392: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Checks whether UAC is enabled
  - System policy modification
- depth 69, PID 3820: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 70, PID 1108: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - Checks whether UAC is enabled
  - System policy modification
- depth 71, PID 860: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 72, PID 4556: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 73, PID 1352: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 74, PID 5080: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 75, PID 4448: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 76, PID 3480: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 77, PID 3052: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 78, PID 3820: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 79, PID 5008: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 80, PID 4748: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 81, PID 4208: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 82, PID 4976: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 83, PID 4232: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 84, PID 2512: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 85, PID 3396: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 85, PID 3824: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 86, PID 1696: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
- depth 87, PID 1352: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 88, PID 1504: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 89, PID 4356: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 90, PID 1764: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 91, PID 1408: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
- depth 91, PID 5024: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 92, PID 1840: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 93, PID 4852: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 93, PID 2812: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 94, PID 4044: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 95, PID 1216: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 95, PID 4792: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 96, PID 4128: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 97, PID 4252: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 98, PID 1452: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 99, PID 1108: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 99, PID 4436: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 100, PID 4712: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 101, PID 2272: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 102, PID 3768: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 103, PID 1404: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 104, PID 868: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 105, PID 2708: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 106, PID 228: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 107, PID 3364: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 107, PID 4320: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 108, PID 4976: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 109, PID 2076: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 110, PID 1524: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 111, PID 3536: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- depth 111, PID 4916: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 112, PID 1840: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 113, PID 4564: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 114, PID 3560: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 115, PID 3544: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 116, PID 3652: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 117, PID 2812: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 118, PID 4040: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 119, PID 3988: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 120, PID 4208: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
- depth 121, PID 3544: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
- depth 122, PID 3676: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"