Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system -
submitted
18/07/2023, 14:27
Static task
static1
Behavioral task
behavioral1
Sample
bc1398d4d1df17_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
bc1398d4d1df17_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
bc1398d4d1df17_JC.exe
-
Size
227KB
-
MD5
bc1398d4d1df17b13b699952607c78fe
-
SHA1
fa1b577c019f29bd444e53db993737298c10e342
-
SHA256
a6b34b376e0bc6c6061784b24c155fedb1d5cbcf74a5ac48bcd05a4b6c7558a0
-
SHA512
24669a6b29335e89995db962d50809b9a8bda766e94f1d22d1dc10e84be9ca56b1cd7fc45eeee68a1c1af20317e49b05cd687a049d46a2db95eb1d3e27893fe9
-
SSDEEP
6144:iupHGRYgJHaOPf/bN1NkBQOp/qi0DdC3/:iupH6vHfNsDp2d8/
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not 
Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) 
\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation POwUEssY.exe -
Executes dropped EXE 2 IoCs
pid Process 3852 POwUEssY.exe 3232 BacowgME.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BacowgME.exe = "C:\\ProgramData\\vSwQYkEc\\BacowgME.exe" bc1398d4d1df17_JC.exe Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POwUEssY.exe = "C:\\Users\\Admin\\OEIYIkws\\POwUEssY.exe" POwUEssY.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BacowgME.exe = "C:\\ProgramData\\vSwQYkEc\\BacowgME.exe" BacowgME.exe Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POwUEssY.exe = "C:\\Users\\Admin\\OEIYIkws\\POwUEssY.exe" bc1398d4d1df17_JC.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bc1398d4d1df17_JC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bc1398d4d1df17_JC.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bc1398d4d1df17_JC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe POwUEssY.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe POwUEssY.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
pid Process 4452 reg.exe 5076 reg.exe 5004 reg.exe 972 reg.exe 2700 reg.exe 2968 reg.exe 4988 reg.exe 4556 reg.exe 3400 reg.exe 3396 reg.exe 2400 reg.exe 2400 Process not Found 1436 reg.exe 1708 reg.exe 832 reg.exe 4680 reg.exe 3812 reg.exe 1192 reg.exe 3664 reg.exe 3248 reg.exe 2296 reg.exe 4160 reg.exe 628 reg.exe 4084 reg.exe 1232 reg.exe 3068 reg.exe 5104 reg.exe 524 Process not Found 3256 reg.exe 2444 reg.exe 3656 reg.exe 4396 reg.exe 3088 reg.exe 2084 reg.exe 3720 reg.exe 2752 reg.exe 1412 reg.exe 2692 reg.exe 876 reg.exe 4656 Process not Found 3276 Process not Found 2056 reg.exe 4272 reg.exe 1884 reg.exe 2088 reg.exe 2700 reg.exe 4392 reg.exe 4072 reg.exe 4880 reg.exe 3828 reg.exe 2552 reg.exe 3084 reg.exe 4972 reg.exe 1056 reg.exe 2816 Process not Found 1108 reg.exe 936 reg.exe 1624 reg.exe 4692 reg.exe 3612 reg.exe 4136 reg.exe 2168 reg.exe 4884 reg.exe 1540 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4060 bc1398d4d1df17_JC.exe 4060 bc1398d4d1df17_JC.exe 4060 bc1398d4d1df17_JC.exe 4060 bc1398d4d1df17_JC.exe 4968 bc1398d4d1df17_JC.exe 4968 bc1398d4d1df17_JC.exe 4968 bc1398d4d1df17_JC.exe 4968 bc1398d4d1df17_JC.exe 2164 bc1398d4d1df17_JC.exe 2164 bc1398d4d1df17_JC.exe 2164 bc1398d4d1df17_JC.exe 2164 bc1398d4d1df17_JC.exe 4748 bc1398d4d1df17_JC.exe 4748 bc1398d4d1df17_JC.exe 4748 bc1398d4d1df17_JC.exe 4748 bc1398d4d1df17_JC.exe 3088 bc1398d4d1df17_JC.exe 3088 bc1398d4d1df17_JC.exe 3088 bc1398d4d1df17_JC.exe 3088 bc1398d4d1df17_JC.exe 4164 bc1398d4d1df17_JC.exe 4164 bc1398d4d1df17_JC.exe 4164 bc1398d4d1df17_JC.exe 4164 bc1398d4d1df17_JC.exe 4528 bc1398d4d1df17_JC.exe 4528 bc1398d4d1df17_JC.exe 4528 bc1398d4d1df17_JC.exe 4528 bc1398d4d1df17_JC.exe 1936 bc1398d4d1df17_JC.exe 1936 bc1398d4d1df17_JC.exe 1936 bc1398d4d1df17_JC.exe 1936 bc1398d4d1df17_JC.exe 1500 bc1398d4d1df17_JC.exe 1500 bc1398d4d1df17_JC.exe 1500 bc1398d4d1df17_JC.exe 1500 bc1398d4d1df17_JC.exe 5008 Conhost.exe 5008 Conhost.exe 5008 Conhost.exe 5008 Conhost.exe 1596 bc1398d4d1df17_JC.exe 1596 bc1398d4d1df17_JC.exe 1596 bc1398d4d1df17_JC.exe 1596 bc1398d4d1df17_JC.exe 2496 cscript.exe 2496 cscript.exe 2496 cscript.exe 2496 cscript.exe 4120 bc1398d4d1df17_JC.exe 4120 bc1398d4d1df17_JC.exe 4120 bc1398d4d1df17_JC.exe 4120 bc1398d4d1df17_JC.exe 2644 bc1398d4d1df17_JC.exe 2644 bc1398d4d1df17_JC.exe 2644 bc1398d4d1df17_JC.exe 2644 bc1398d4d1df17_JC.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 2328 svchost.exe 1060 bc1398d4d1df17_JC.exe 1060 bc1398d4d1df17_JC.exe 1060 bc1398d4d1df17_JC.exe 1060 bc1398d4d1df17_JC.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3852 POwUEssY.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe 3852 POwUEssY.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 3852 4060 bc1398d4d1df17_JC.exe 85 PID 4060 wrote to memory of 3852 4060 bc1398d4d1df17_JC.exe 85 PID 4060 wrote to memory of 3852 4060 bc1398d4d1df17_JC.exe 85 PID 4060 wrote to memory of 3232 4060 bc1398d4d1df17_JC.exe 86 PID 4060 wrote to memory of 3232 4060 bc1398d4d1df17_JC.exe 86 PID 4060 wrote to memory of 3232 4060 bc1398d4d1df17_JC.exe 86 PID 4060 wrote to memory of 1048 4060 bc1398d4d1df17_JC.exe 87 PID 4060 wrote to memory of 1048 4060 bc1398d4d1df17_JC.exe 87 PID 4060 wrote to memory of 1048 4060 bc1398d4d1df17_JC.exe 87 PID 4060 wrote to memory of 1836 4060 bc1398d4d1df17_JC.exe 89 PID 4060 wrote to memory of 1836 4060 bc1398d4d1df17_JC.exe 89 PID 4060 wrote to memory of 1836 4060 bc1398d4d1df17_JC.exe 89 PID 4060 wrote to memory of 4328 4060 bc1398d4d1df17_JC.exe 90 PID 4060 wrote to memory of 4328 4060 bc1398d4d1df17_JC.exe 90 PID 4060 wrote to memory of 4328 4060 bc1398d4d1df17_JC.exe 90 PID 4060 wrote to memory of 836 4060 bc1398d4d1df17_JC.exe 93 PID 4060 wrote to memory of 836 4060 bc1398d4d1df17_JC.exe 93 PID 4060 wrote to memory of 836 4060 bc1398d4d1df17_JC.exe 93 PID 4060 wrote to memory of 5048 4060 bc1398d4d1df17_JC.exe 92 PID 4060 wrote to memory of 5048 4060 bc1398d4d1df17_JC.exe 92 PID 4060 wrote to memory of 5048 4060 bc1398d4d1df17_JC.exe 92 PID 1048 wrote to memory of 4968 1048 cmd.exe 96 PID 1048 wrote to memory of 4968 1048 cmd.exe 96 PID 1048 wrote to memory of 4968 1048 cmd.exe 96 PID 5048 wrote to memory of 4984 5048 cmd.exe 98 PID 5048 wrote to memory of 4984 5048 cmd.exe 98 PID 5048 wrote to memory of 4984 5048 cmd.exe 98 PID 4968 wrote to memory of 2240 4968 bc1398d4d1df17_JC.exe 99 PID 4968 wrote to memory of 2240 4968 bc1398d4d1df17_JC.exe 99 PID 4968 wrote to memory of 2240 4968 bc1398d4d1df17_JC.exe 99 PID 4968 wrote to memory of 2084 4968 bc1398d4d1df17_JC.exe 101 PID 4968 wrote to memory of 2084 4968 bc1398d4d1df17_JC.exe 101 PID 4968 wrote to memory of 
2084 4968 bc1398d4d1df17_JC.exe 101 PID 4968 wrote to memory of 2824 4968 bc1398d4d1df17_JC.exe 102 PID 4968 wrote to memory of 2824 4968 bc1398d4d1df17_JC.exe 102 PID 4968 wrote to memory of 2824 4968 bc1398d4d1df17_JC.exe 102 PID 4968 wrote to memory of 3828 4968 bc1398d4d1df17_JC.exe 103 PID 4968 wrote to memory of 3828 4968 bc1398d4d1df17_JC.exe 103 PID 4968 wrote to memory of 3828 4968 bc1398d4d1df17_JC.exe 103 PID 4968 wrote to memory of 4580 4968 bc1398d4d1df17_JC.exe 104 PID 4968 wrote to memory of 4580 4968 bc1398d4d1df17_JC.exe 104 PID 4968 wrote to memory of 4580 4968 bc1398d4d1df17_JC.exe 104 PID 2240 wrote to memory of 2164 2240 cmd.exe 109 PID 2240 wrote to memory of 2164 2240 cmd.exe 109 PID 2240 wrote to memory of 2164 2240 cmd.exe 109 PID 4580 wrote to memory of 4180 4580 cmd.exe 110 PID 4580 wrote to memory of 4180 4580 cmd.exe 110 PID 4580 wrote to memory of 4180 4580 cmd.exe 110 PID 2164 wrote to memory of 812 2164 bc1398d4d1df17_JC.exe 111 PID 2164 wrote to memory of 812 2164 bc1398d4d1df17_JC.exe 111 PID 2164 wrote to memory of 812 2164 bc1398d4d1df17_JC.exe 111 PID 2164 wrote to memory of 1924 2164 bc1398d4d1df17_JC.exe 113 PID 2164 wrote to memory of 1924 2164 bc1398d4d1df17_JC.exe 113 PID 2164 wrote to memory of 1924 2164 bc1398d4d1df17_JC.exe 113 PID 2164 wrote to memory of 3248 2164 bc1398d4d1df17_JC.exe 114 PID 2164 wrote to memory of 3248 2164 bc1398d4d1df17_JC.exe 114 PID 2164 wrote to memory of 3248 2164 bc1398d4d1df17_JC.exe 114 PID 2164 wrote to memory of 2284 2164 bc1398d4d1df17_JC.exe 115 PID 2164 wrote to memory of 2284 2164 bc1398d4d1df17_JC.exe 115 PID 2164 wrote to memory of 2284 2164 bc1398d4d1df17_JC.exe 115 PID 2164 wrote to memory of 2492 2164 bc1398d4d1df17_JC.exe 116 PID 2164 wrote to memory of 2492 2164 bc1398d4d1df17_JC.exe 116 PID 2164 wrote to memory of 2492 2164 bc1398d4d1df17_JC.exe 116 PID 2492 wrote to memory of 1464 2492 cmd.exe 121 -
System policy modification 1 TTPs 48 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 
cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc1398d4d1df17_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bc1398d4d1df17_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exe"C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\OEIYIkws\POwUEssY.exe"C:\Users\Admin\OEIYIkws\POwUEssY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3852
-
-
C:\ProgramData\vSwQYkEc\BacowgME.exe"C:\ProgramData\vSwQYkEc\BacowgME.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"2⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"4⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"6⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"8⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"10⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"12⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"14⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"16⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"18⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC19⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"20⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"22⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC23⤵PID:2496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"24⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC25⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"26⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"28⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC29⤵PID:2328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"30⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"32⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC33⤵PID:1620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"34⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC35⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"36⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC37⤵PID:1824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"38⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC39⤵PID:1676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"40⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC41⤵PID:756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"42⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC43⤵PID:4616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"44⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC45⤵PID:4592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"46⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC47⤵PID:2336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"48⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC49⤵PID:4080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"50⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC51⤵
- Modifies visibility of file extensions in Explorer
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"52⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC53⤵PID:4324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"54⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC55⤵PID:5020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"56⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC57⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"58⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC59⤵PID:3080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"60⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC61⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"62⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC63⤵PID:3544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"64⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC65⤵PID:1436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"66⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC67⤵PID:4016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"68⤵PID:1872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:3248
-
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC69⤵PID:2444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"70⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC71⤵
- Checks whether UAC is enabled
- System policy modification
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"72⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC73⤵PID:3884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"74⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC75⤵PID:336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"76⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC77⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"78⤵PID:1104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵
- Modifies visibility of file extensions in Explorer
PID:936
-
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC79⤵PID:4308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"80⤵PID:832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:3540
-
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC81⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"82⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC83⤵PID:1620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"84⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC85⤵PID:4700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"86⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC87⤵PID:4192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"88⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC89⤵PID:4588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"90⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC91⤵PID:1432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"92⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC93⤵PID:620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"94⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC95⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"96⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC97⤵PID:3012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"98⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC99⤵PID:2272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"100⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC101⤵PID:884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"102⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC103⤵
- Modifies visibility of file extensions in Explorer
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"104⤵PID:5008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
- Modifies visibility of file extensions in Explorer
PID:4884
-
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC105⤵PID:4592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"106⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC107⤵PID:2400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"108⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC109⤵PID:3636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"110⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC111⤵PID:2084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"112⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC113⤵PID:2552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"114⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC115⤵PID:4148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"116⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC117⤵PID:1784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"118⤵PID:1760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC119⤵PID:1028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"120⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC.exeC:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC121⤵PID:2352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bc1398d4d1df17_JC"122⤵PID:1608