Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2023, 21:47
Static task: static1
Behavioral task: behavioral1
Sample: NA_0137617edfd5e2exe_JC.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: NA_0137617edfd5e2exe_JC.exe
Resource: win10v2004-20230703-en
General
Target: NA_0137617edfd5e2exe_JC.exe
Size: 237KB
MD5: 0137617edfd5e23268af612e9229dc41
SHA1: b1b962f308f9a0155138b96fbb30b7a82e90f194
SHA256: a08e42b3763d3864cc8b6d8bbe13b6301a0f41ae3392acbedff9ae4395c99480
SHA512: c785e0f078835bee68203846cdc53203bd0828682622b7cb7ec9310de9ba4140845f939a2e4fd4107dc495e02ece9c6b84247d999fc35a66b9d70fe1a9f9a27b
SSDEEP: 6144:ouT5KpAgyYGFQygE4qNpyx0+aRulY555iM:D1K+gyYGFCNC+CuK//
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
Blocklisted process makes network request (3 IoCs)
flow 59, pid 4848: Process not Found
flow 60, pid 4848: Process not Found
flow 61, pid 4848: Process not Found
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation (process: ecUokAgc.exe)
Executes dropped EXE (2 IoCs)
pid 1640: ecUokAgc.exe
pid 548: SkosQwMY.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 6 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SkosQwMY.exe = "C:\\ProgramData\\UwsMwskU\\SkosQwMY.exe" (process: NA_0137617edfd5e2exe_JC.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecUokAgc.exe = "C:\\Users\\Admin\\JSUwAYgA\\ecUokAgc.exe" (process: ecUokAgc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SkosQwMY.exe = "C:\\ProgramData\\UwsMwskU\\SkosQwMY.exe" (process: SkosQwMY.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usIcQoMs.exe = "C:\\Users\\Admin\\omUEwckI\\usIcQoMs.exe" (process: Process not Found)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sycoskgM.exe = "C:\\ProgramData\\UaYEAgks\\sycoskgM.exe" (process: Process not Found)
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecUokAgc.exe = "C:\\Users\\Admin\\JSUwAYgA\\ecUokAgc.exe" (process: NA_0137617edfd5e2exe_JC.exe)
Drops file in System32 directory (2 IoCs)
File created: C:\Windows\SysWOW64\shell32.dll.exe (process: ecUokAgc.exe)
File opened for modification: C:\Windows\SysWOW64\shell32.dll.exe (process: ecUokAgc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid 1804, pid_target 3892: WerFault.exe (procid_target 1007)
pid 568, pid_target 2908: WerFault.exe (procid_target 1008)
Modifies registry key (1 TTP, 64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1640 ecUokAgc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe 1640 ecUokAgc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4720 wrote to memory of 1640 4720 NA_0137617edfd5e2exe_JC.exe 86 PID 4720 wrote to memory of 1640 4720 NA_0137617edfd5e2exe_JC.exe 86 PID 4720 wrote to memory of 1640 4720 NA_0137617edfd5e2exe_JC.exe 86 PID 4720 wrote to memory of 548 4720 NA_0137617edfd5e2exe_JC.exe 87 PID 4720 wrote to memory of 548 4720 NA_0137617edfd5e2exe_JC.exe 87 PID 4720 wrote to memory of 548 4720 NA_0137617edfd5e2exe_JC.exe 87 PID 4720 wrote to memory of 3664 4720 NA_0137617edfd5e2exe_JC.exe 88 PID 4720 wrote to memory of 3664 4720 NA_0137617edfd5e2exe_JC.exe 88 PID 4720 wrote to memory of 3664 4720 NA_0137617edfd5e2exe_JC.exe 88 PID 4720 wrote to memory of 2424 4720 NA_0137617edfd5e2exe_JC.exe 90 PID 4720 wrote to memory of 2424 4720 NA_0137617edfd5e2exe_JC.exe 90 PID 4720 wrote to memory of 2424 4720 NA_0137617edfd5e2exe_JC.exe 90 PID 4720 wrote to memory of 1836 4720 NA_0137617edfd5e2exe_JC.exe 91 PID 4720 wrote to memory of 1836 4720 NA_0137617edfd5e2exe_JC.exe 91 PID 4720 wrote to memory of 1836 4720 NA_0137617edfd5e2exe_JC.exe 91 PID 4720 wrote to memory of 3252 4720 NA_0137617edfd5e2exe_JC.exe 92 PID 4720 wrote to memory of 3252 4720 NA_0137617edfd5e2exe_JC.exe 92 PID 4720 wrote to memory of 3252 4720 NA_0137617edfd5e2exe_JC.exe 92 PID 4720 wrote to memory of 4200 4720 NA_0137617edfd5e2exe_JC.exe 93 PID 4720 wrote to memory of 4200 4720 NA_0137617edfd5e2exe_JC.exe 93 PID 4720 wrote to memory of 4200 4720 NA_0137617edfd5e2exe_JC.exe 93 PID 3664 wrote to memory of 4856 3664 cmd.exe 98 PID 3664 wrote to memory of 4856 3664 cmd.exe 98 PID 3664 wrote to memory of 4856 3664 cmd.exe 98 PID 4200 wrote to memory of 4848 4200 cmd.exe 99 PID 4200 wrote to memory of 4848 4200 cmd.exe 99 PID 4200 wrote to memory of 4848 4200 cmd.exe 99 PID 4856 wrote to memory of 2264 4856 NA_0137617edfd5e2exe_JC.exe 100 PID 4856 wrote to memory of 2264 4856 NA_0137617edfd5e2exe_JC.exe 100 PID 4856 wrote to memory of 2264 4856 NA_0137617edfd5e2exe_JC.exe 100 PID 4856 
wrote to memory of 1452 4856 NA_0137617edfd5e2exe_JC.exe 159 PID 4856 wrote to memory of 1452 4856 NA_0137617edfd5e2exe_JC.exe 159 PID 4856 wrote to memory of 1452 4856 NA_0137617edfd5e2exe_JC.exe 159 PID 4856 wrote to memory of 1952 4856 NA_0137617edfd5e2exe_JC.exe 105 PID 4856 wrote to memory of 1952 4856 NA_0137617edfd5e2exe_JC.exe 105 PID 4856 wrote to memory of 1952 4856 NA_0137617edfd5e2exe_JC.exe 105 PID 4856 wrote to memory of 3892 4856 NA_0137617edfd5e2exe_JC.exe 104 PID 4856 wrote to memory of 3892 4856 NA_0137617edfd5e2exe_JC.exe 104 PID 4856 wrote to memory of 3892 4856 NA_0137617edfd5e2exe_JC.exe 104 PID 4856 wrote to memory of 2636 4856 NA_0137617edfd5e2exe_JC.exe 103 PID 4856 wrote to memory of 2636 4856 NA_0137617edfd5e2exe_JC.exe 103 PID 4856 wrote to memory of 2636 4856 NA_0137617edfd5e2exe_JC.exe 103 PID 2264 wrote to memory of 1332 2264 cmd.exe 110 PID 2264 wrote to memory of 1332 2264 cmd.exe 110 PID 2264 wrote to memory of 1332 2264 cmd.exe 110 PID 2636 wrote to memory of 4352 2636 cmd.exe 111 PID 2636 wrote to memory of 4352 2636 cmd.exe 111 PID 2636 wrote to memory of 4352 2636 cmd.exe 111 PID 1332 wrote to memory of 4476 1332 NA_0137617edfd5e2exe_JC.exe 112 PID 1332 wrote to memory of 4476 1332 NA_0137617edfd5e2exe_JC.exe 112 PID 1332 wrote to memory of 4476 1332 NA_0137617edfd5e2exe_JC.exe 112 PID 4476 wrote to memory of 2440 4476 cmd.exe 114 PID 4476 wrote to memory of 2440 4476 cmd.exe 114 PID 4476 wrote to memory of 2440 4476 cmd.exe 114 PID 1332 wrote to memory of 2204 1332 NA_0137617edfd5e2exe_JC.exe 122 PID 1332 wrote to memory of 2204 1332 NA_0137617edfd5e2exe_JC.exe 122 PID 1332 wrote to memory of 2204 1332 NA_0137617edfd5e2exe_JC.exe 122 PID 1332 wrote to memory of 4832 1332 NA_0137617edfd5e2exe_JC.exe 121 PID 1332 wrote to memory of 4832 1332 NA_0137617edfd5e2exe_JC.exe 121 PID 1332 wrote to memory of 4832 1332 NA_0137617edfd5e2exe_JC.exe 121 PID 1332 wrote to memory of 4480 1332 NA_0137617edfd5e2exe_JC.exe 172 PID 1332 wrote to 
memory of 4480 1332 NA_0137617edfd5e2exe_JC.exe 172 PID 1332 wrote to memory of 4480 1332 NA_0137617edfd5e2exe_JC.exe 172 PID 1332 wrote to memory of 1928 1332 NA_0137617edfd5e2exe_JC.exe 115 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NA_0137617edfd5e2exe_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NA_0137617edfd5e2exe_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NA_0137617edfd5e2exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found
Processes
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\JSUwAYgA\ecUokAgc.exe"C:\Users\Admin\JSUwAYgA\ecUokAgc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1640
-
-
C:\ProgramData\UwsMwskU\SkosQwMY.exe"C:\ProgramData\UwsMwskU\SkosQwMY.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"2⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"4⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"6⤵
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"8⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"10⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"12⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"14⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC15⤵PID:1188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"16⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"18⤵PID:1156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
- Modifies visibility of file extensions in Explorer
PID:4376
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"20⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC21⤵PID:1664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"22⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"24⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"26⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC27⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"28⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC29⤵PID:4072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"30⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC31⤵PID:3388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"32⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC33⤵PID:3536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"34⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC35⤵PID:4200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"36⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC37⤵PID:4872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"38⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC39⤵PID:1356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"40⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC41⤵PID:752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"42⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC43⤵PID:4920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"44⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC45⤵PID:1272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"46⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC47⤵PID:3772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"48⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC49⤵PID:3132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"50⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC51⤵PID:3148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"52⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC53⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"54⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC55⤵PID:3796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"56⤵PID:3772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:4840
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC57⤵PID:2160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"58⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC59⤵PID:380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"60⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC61⤵PID:2852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"62⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC63⤵PID:2056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"64⤵PID:4628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:3536
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC65⤵PID:1016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"66⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC67⤵PID:3932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"68⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC69⤵PID:4236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"70⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC71⤵PID:2572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"72⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC73⤵PID:1136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"74⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC75⤵PID:212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"76⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC77⤵PID:4344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"78⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC79⤵PID:3860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"80⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC81⤵PID:4548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"82⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC83⤵PID:1596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"84⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC85⤵PID:5048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"86⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC87⤵PID:4456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"88⤵PID:488
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC89⤵PID:1780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"90⤵PID:4480
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:4984
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC91⤵PID:3252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"92⤵PID:2852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC93⤵PID:1452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"94⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC95⤵PID:1448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"96⤵
- Checks whether UAC is enabled
- System policy modification
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC97⤵
- Checks whether UAC is enabled
- System policy modification
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"98⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC99⤵PID:1804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"100⤵PID:3244
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:3252
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC101⤵PID:4848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"102⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC103⤵PID:2572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"104⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC105⤵PID:1712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"106⤵PID:4628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵
- UAC bypass
PID:2152
-
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC107⤵PID:3248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"108⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC109⤵PID:1748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"110⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC111⤵PID:3856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"112⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC113⤵PID:4352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"114⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC115⤵PID:3912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"116⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC117⤵
- Modifies visibility of file extensions in Explorer
PID:2784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"118⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC119⤵PID:1160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"120⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC.exeC:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC121⤵PID:1136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_0137617edfd5e2exe_JC"122⤵PID:2028