b885660e1b3f46bd7b9cb277485f61b5f0e576ec9c205485133eda756fa21aba

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
Size

3.1MB
MD5

0012915ff4d35f107ab639a04345b133
SHA1

784a46a24dc59e4b5cf823ce61d6207358f42023
SHA256

b885660e1b3f46bd7b9cb277485f61b5f0e576ec9c205485133eda756fa21aba
SHA512

dafe8ee97afaddc621b01eb2fd2ba2d674a91f879cfa708a0828c59df44d2aa0a9f5ce4c05b3a772f3f39a98164147eeb6ca1af368ecb74dbd8c315b4e63e501
SSDEEP

98304:vlOtHCs1gTyEH/b+7hbb77jgKzZ/xqHiBNdsq5:9OtQTy0qDjgM/Lso

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2344	takeown.exe
448	icacls.exe
2440	icacls.exe
1596	takeown.exe
896	icacls.exe
2120	takeown.exe
2060	icacls.exe
1476	takeown.exe
2344	icacls.exe
1564	icacls.exe
544	icacls.exe
2224	icacls.exe
2036	icacls.exe
1892	icacls.exe
2844	icacls.exe
704	icacls.exe
2464	takeown.exe
2016	takeown.exe
1064	icacls.exe
1596	icacls.exe
2080	icacls.exe
1336	icacls.exe
2060	icacls.exe
1020	icacls.exe
2088	icacls.exe
2528	icacls.exe
2264	takeown.exe
1624	icacls.exe
2420	icacls.exe
2180	icacls.exe
2720	icacls.exe
1868	icacls.exe
1920	takeown.exe
1624	takeown.exe
2016	takeown.exe
2644	icacls.exe
2448	takeown.exe
1616	takeown.exe
2796	icacls.exe
1588	takeown.exe
2440	icacls.exe
2804	takeown.exe
1588	icacls.exe
2388	icacls.exe
1960	icacls.exe
944	takeown.exe
2884	takeown.exe
2324	takeown.exe
2252	icacls.exe
1224	icacls.exe
2544	takeown.exe
2220	takeown.exe
2080	icacls.exe
2004	icacls.exe
1992	icacls.exe
1192	takeown.exe
864	takeown.exe
1128	icacls.exe
2252	icacls.exe
2344	icacls.exe
892	icacls.exe
792	icacls.exe
868	takeown.exe
944	icacls.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
2096	icacls.exe
2712	icacls.exe
2032	takeown.exe
2332	icacls.exe
1192	icacls.exe
2652	takeown.exe
320	takeown.exe
1600	icacls.exe
1508	icacls.exe
2060	icacls.exe
2036	icacls.exe
468	takeown.exe
2312	icacls.exe
2344	takeown.exe
2688	icacls.exe
1260	icacls.exe
2284	icacls.exe
2960	icacls.exe
2840	icacls.exe
1064	icacls.exe
1468	takeown.exe
1728	icacls.exe
1428	icacls.exe
1448	icacls.exe
2928	icacls.exe
800	icacls.exe
2628	icacls.exe
792	icacls.exe
2920	takeown.exe
2208	icacls.exe
1060	icacls.exe
2844	icacls.exe
2392	takeown.exe
2240	icacls.exe
2372	icacls.exe
2724	icacls.exe
1948	takeown.exe
2516	icacls.exe
2636	icacls.exe
856	icacls.exe
2952	icacls.exe
2900	icacls.exe
2024	icacls.exe
3012	takeown.exe
1992	icacls.exe
868	takeown.exe
2584	icacls.exe
940	takeown.exe
2492	takeown.exe
1696	icacls.exe
1472	takeown.exe
1060	icacls.exe
2420	icacls.exe
2016	takeown.exe
2856	icacls.exe
2248	icacls.exe
1372	icacls.exe
2320	icacls.exe
2040	takeown.exe
2120	takeown.exe
2804	takeown.exe
2236	icacls.exe
688	takeown.exe
1376	icacls.exe

Drops file in System32 directory 21 IoCs

Processes:

WNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\system32\msvcp60.dll	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

WNAgent.exeWNAgent.exe0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

description	ioc	process
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-3P9BR.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-I9K6U.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\unins000.dat	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Chs\is-DB0PL.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-SRA5P.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-QGL7D.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\TMPGlobalhookdllx64.dll	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Eng\is-HVTLP.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Common\is-KP3OB.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Chs\is-AF68T.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-R76GJ.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Eng\is-8TTFI.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\uuid.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\is-4I33P.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Chs\is-ILMPM.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-GC4R0.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-RFG85.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Eng\is-F8CBD.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-D7JUK.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\EventRuleCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\EventRuleCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-5OBRV.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-7TVLS.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-7C1VI.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\EventRuleCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\TMPglobalhookdll.dll	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-2O1RG.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Common\is-5R4BB.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Common\is-J3GCS.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\is-EU2P3.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Common\is-77EAV.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-NLB6N.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File created	C:\Program Files\WinNexus\Desktop\bin\res\Common\is-PBR3C.tmp	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\EventRuleCfg.ct	WNAgent.exe
File opened for modification	C:\Program Files\WinNexus\Desktop\bin\WNXUninstall.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp

Drops file in Windows directory 4 IoCs

Processes:

DesktopInstall.EXEWNSvc.exe

description	ioc	process
File opened for modification	C:\Windows\WinNexusDesktopInstall.log	DesktopInstall.EXE
File opened for modification	C:\Windows\WNSvcAction.log	WNSvc.exe
File created	C:\Windows\WNSvc.log	WNSvc.exe
File opened for modification	C:\Windows\WNSvc.log	WNSvc.exe

Executes dropped EXE 43 IoCs

Processes:

0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpDesktopInstall.EXEWNSvc.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exe

pid	process
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2228	DesktopInstall.EXE
556	WNSvc.exe
272	WNAgent.exe
2332	wnmonitor.exe
2948	WNAgent.exe
1992	wnmonitor.exe
2380	WNAgent.exe
1768	wnmonitor.exe
2664	WNAgent.exe
2160	wnmonitor.exe
780	WNAgent.exe
1464	wnmonitor.exe
2864	WNAgent.exe
2236	wnmonitor.exe
2288	WNAgent.exe
2248	wnmonitor.exe
1032	WNAgent.exe
2136	wnmonitor.exe
2536	WNAgent.exe
2636	wnmonitor.exe
1228	WNAgent.exe
1640	wnmonitor.exe
2244	WNAgent.exe
2160	wnmonitor.exe
1048	WNAgent.exe
688	wnmonitor.exe
2752	WNAgent.exe
2452	wnmonitor.exe
2336	WNAgent.exe
1980	wnmonitor.exe
1132	WNAgent.exe
2504	wnmonitor.exe
2888	WNAgent.exe
3000	wnmonitor.exe
2344	WNAgent.exe
2024	wnmonitor.exe
2936	WNAgent.exe
1880	wnmonitor.exe
1600	WNAgent.exe
2168	wnmonitor.exe
2732	WNAgent.exe
2060	wnmonitor.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2012	sc.exe
2240	sc.exe
2748	sc.exe
2148	sc.exe
2716	sc.exe
1932	sc.exe
1520	sc.exe
1676	sc.exe
1596	sc.exe
1520	sc.exe
2716	sc.exe
3008	sc.exe
2848	sc.exe
1588	sc.exe
1060	sc.exe
596	sc.exe
2964	sc.exe
2304	sc.exe
1544	sc.exe
1228	sc.exe
1384	sc.exe
2176	sc.exe
240	sc.exe

Loads dropped DLL 64 IoCs

Processes:

0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpDesktopInstall.EXEWNSvc.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exe

pid	process
2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
2332	wnmonitor.exe
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
1200
556	WNSvc.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2392
1992	wnmonitor.exe
1200
556	WNSvc.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2848
1768	wnmonitor.exe
1200
556	WNSvc.exe
2664	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
2704
2160	wnmonitor.exe
1200
556	WNSvc.exe
780	WNAgent.exe
780	WNAgent.exe
780	WNAgent.exe
2200
1464	wnmonitor.exe
1200
556	WNSvc.exe
2864	WNAgent.exe
2864	WNAgent.exe
2864	WNAgent.exe
2872
2236	wnmonitor.exe
1200
556	WNSvc.exe
2288	WNAgent.exe
2288	WNAgent.exe
2288	WNAgent.exe
2240
2248	wnmonitor.exe
556	WNSvc.exe
1032	WNAgent.exe
1032	WNAgent.exe
1032	WNAgent.exe
1252
2136	wnmonitor.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

WNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNAgent.exe

Modifies registry class 40 IoCs

Processes:

WNAgent.exeWNAgent.exeWNAgent.exe0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wdf	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\BrowserFlags = "8"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\DefaultIcon	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\DefaultIcon\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WNAgent.exe"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\ = "URL:Alert Protocol"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open\command	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open\command\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WinNexusLoader.exe %1"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\DefaultIcon	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\DefaultIcon\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WNAgent.exe"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\EditFlags = "65536"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wdf\ = "WinNexus WDF file"	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\URL Protocol	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open\command	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open\command\ = "\"C:\\Program Files\\WinNexus\\Desktop\\bin\\WinNexusLoader.exe\" \"%1\""	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpDesktopInstall.EXEWNSvc.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exe

pid	process
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
2228	DesktopInstall.EXE
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
2332	wnmonitor.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
1992	wnmonitor.exe
2948	WNAgent.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
1768	wnmonitor.exe
2380	WNAgent.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
556	WNSvc.exe
2664	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe

Suspicious behavior: LoadsDriver 21 IoCs

Processes:

pid process

476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	2080	takeown.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeTakeOwnershipPrivilege	2360	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	800	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe
Token: SeTakeOwnershipPrivilege	2928	takeown.exe
Token: SeTakeOwnershipPrivilege	320	takeown.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	1124	takeown.exe
Token: SeTakeOwnershipPrivilege	2544	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	2464	takeown.exe
Token: SeTakeOwnershipPrivilege	1336	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	2956	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe
Token: SeTakeOwnershipPrivilege	2132	takeown.exe
Token: SeTakeOwnershipPrivilege	2280	takeown.exe
Token: SeTakeOwnershipPrivilege	2900	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	2256	takeown.exe
Token: SeTakeOwnershipPrivilege	688	takeown.exe
Token: SeTakeOwnershipPrivilege	1596	takeown.exe
Token: SeTakeOwnershipPrivilege	2460	takeown.exe
Token: SeTakeOwnershipPrivilege	2960	takeown.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	3056	takeown.exe
Token: SeTakeOwnershipPrivilege	2300	takeown.exe
Token: SeTakeOwnershipPrivilege	2228	takeown.exe
Token: SeTakeOwnershipPrivilege	2736	takeown.exe
Token: SeTakeOwnershipPrivilege	944	takeown.exe
Token: SeTakeOwnershipPrivilege	2900	takeown.exe
Token: SeTakeOwnershipPrivilege	240	takeown.exe
Token: SeTakeOwnershipPrivilege	2652	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	3000	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	3060	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	2920	takeown.exe
Token: SeTakeOwnershipPrivilege	2032	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	2692	takeown.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

pid	process
2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
272	WNAgent.exe
272	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
780	WNAgent.exe
780	WNAgent.exe
2864	WNAgent.exe
2864	WNAgent.exe
2288	WNAgent.exe
2288	WNAgent.exe
1032	WNAgent.exe
1032	WNAgent.exe
2536	WNAgent.exe
2536	WNAgent.exe
1228	WNAgent.exe
1228	WNAgent.exe
2244	WNAgent.exe
2244	WNAgent.exe
1048	WNAgent.exe
1048	WNAgent.exe
2752	WNAgent.exe
2752	WNAgent.exe
2336	WNAgent.exe
2336	WNAgent.exe
1132	WNAgent.exe
1132	WNAgent.exe
2888	WNAgent.exe
2888	WNAgent.exe
2344	WNAgent.exe
2344	WNAgent.exe
2936	WNAgent.exe
2936	WNAgent.exe
1600	WNAgent.exe
1600	WNAgent.exe
2732	WNAgent.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

pid	process
272	WNAgent.exe
272	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
780	WNAgent.exe
780	WNAgent.exe
2864	WNAgent.exe
2864	WNAgent.exe
2288	WNAgent.exe
2288	WNAgent.exe
1032	WNAgent.exe
1032	WNAgent.exe
2536	WNAgent.exe
2536	WNAgent.exe
1228	WNAgent.exe
1228	WNAgent.exe
2244	WNAgent.exe
2244	WNAgent.exe
1048	WNAgent.exe
1048	WNAgent.exe
2752	WNAgent.exe
2752	WNAgent.exe
2336	WNAgent.exe
2336	WNAgent.exe
1132	WNAgent.exe
1132	WNAgent.exe
2888	WNAgent.exe
2888	WNAgent.exe
2344	WNAgent.exe
2344	WNAgent.exe
2936	WNAgent.exe
2936	WNAgent.exe
1600	WNAgent.exe
1600	WNAgent.exe
2732	WNAgent.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

WNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exeWNAgent.exewnmonitor.exe

pid	process
272	WNAgent.exe
272	WNAgent.exe
272	WNAgent.exe
2332	wnmonitor.exe
2948	WNAgent.exe
2948	WNAgent.exe
2948	WNAgent.exe
1992	wnmonitor.exe
2380	WNAgent.exe
2380	WNAgent.exe
2380	WNAgent.exe
1768	wnmonitor.exe
2664	WNAgent.exe
2664	WNAgent.exe
2664	WNAgent.exe
2160	wnmonitor.exe
780	WNAgent.exe
780	WNAgent.exe
780	WNAgent.exe
1464	wnmonitor.exe
2864	WNAgent.exe
2864	WNAgent.exe
2864	WNAgent.exe
2236	wnmonitor.exe
2288	WNAgent.exe
2288	WNAgent.exe
2288	WNAgent.exe
2248	wnmonitor.exe
1032	WNAgent.exe
1032	WNAgent.exe
1032	WNAgent.exe
2136	wnmonitor.exe
2536	WNAgent.exe
2536	WNAgent.exe
2536	WNAgent.exe
2636	wnmonitor.exe
1228	WNAgent.exe
1228	WNAgent.exe
1228	WNAgent.exe
1640	wnmonitor.exe
2244	WNAgent.exe
2244	WNAgent.exe
2244	WNAgent.exe
2160	wnmonitor.exe
1048	WNAgent.exe
1048	WNAgent.exe
1048	WNAgent.exe
688	wnmonitor.exe
2752	WNAgent.exe
2752	WNAgent.exe
2752	WNAgent.exe
2452	wnmonitor.exe
2336	WNAgent.exe
2336	WNAgent.exe
2336	WNAgent.exe
1980	wnmonitor.exe
1132	WNAgent.exe
1132	WNAgent.exe
1132	WNAgent.exe
2504	wnmonitor.exe
2888	WNAgent.exe
2888	WNAgent.exe
2888	WNAgent.exe
3000	wnmonitor.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmpDesktopInstall.EXEcmd.exeWNSvc.execmd.execmd.exe

description	pid	process	target process
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2096 wrote to memory of 2464	2096	0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2464 wrote to memory of 2228	2464	0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp	DesktopInstall.EXE
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1904	2228	DesktopInstall.EXE	cmd.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 1904 wrote to memory of 596	1904	cmd.exe	sc.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1716	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 2228 wrote to memory of 1068	2228	DesktopInstall.EXE	cmd.exe
PID 556 wrote to memory of 272	556	WNSvc.exe	WNAgent.exe
PID 556 wrote to memory of 272	556	WNSvc.exe	WNAgent.exe
PID 556 wrote to memory of 272	556	WNSvc.exe	WNAgent.exe
PID 556 wrote to memory of 272	556	WNSvc.exe	WNAgent.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 2964	1068	cmd.exe	sc.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 2804	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 800	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 800	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 800	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 800	1716	cmd.exe	icacls.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

WNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exeWNAgent.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WNAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0"	WNAgent.exe

C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp" /SL5="$6014E,2981574,56832,C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe"
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464

C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.EXE
"C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.EXE" /install
3⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop WNPPDx64
4⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\sc.exe
sc stop WNPPDx64
5⤵
- Launches sc.exe
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\WinSxS" && icacls "C:\Windows\WinSxS" /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\WinSxS"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\WinSxS" /grant administrators:F
5⤵
- Modifies file permissions
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc create WNPPDx64 binPath= "C:\Windows\SysWOW64\drivers\WNPPDx64.sys" type= "kernel" start= "auto" Displayname= "WNPPDx64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\sc.exe
sc create WNPPDx64 binPath= "C:\Windows\SysWOW64\drivers\WNPPDx64.sys" type= "kernel" start= "auto" Displayname= "WNPPDx64"
5⤵
- Launches sc.exe
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start WNPPDx64
4⤵
PID:448

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
5⤵
- Launches sc.exe
PID:1228

C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe
"C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1696

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1676

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41460
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2540

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2748

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41492
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2504

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2304

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41509
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2148

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41525
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:544

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1384

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41558
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2860

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2716

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41574
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:1432

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1128

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1228

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:964

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:448

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1736

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:3000

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2340

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:1588

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:1880

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2820

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1344

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2912

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2904

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1124

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2088

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1920

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2320

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:2324

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41590
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2892

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2796

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:304

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1692

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2420

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:344

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2512

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2528

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2616

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2408

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2612

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2684

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2516

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2520

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2644

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2432

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:2448

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2416

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2252

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2404

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2972

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2840

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1056

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2844

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:1600

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2900

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:776

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2472

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:112

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2688

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1592

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1508

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2308

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2720

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1060

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41607
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2004

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2344

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2868

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2824

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1160

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2716

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2176

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1064

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:664

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:1068

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1128

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2348

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:892

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2740

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:2820

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:1740

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1344

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:3040

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:2880

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:3004

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2000

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1584

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2904

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:1308

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2096

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:896

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2220

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:856

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2244

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2672

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2080

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1560

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:1756

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:2924

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41639
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2640

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2388

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1516

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2400

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2684

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2436

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2444

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2360

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2712

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1220

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1524

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:776

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2384

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:2148

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2472

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:2496

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1644

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2224

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:1532

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1528

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2040

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:812

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2312

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2036

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:1044

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1260

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2248

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2860

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2004

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:380

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2344

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2944

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2176

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:964

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1500

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41672
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1696

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1852

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:892

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2856

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1948

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1588

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:3004

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2888

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:3032

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2240

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2056

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2096

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:1564

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1628

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2236

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:3008

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2300

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:868

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41688
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2752

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:2612

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2780

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2604

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2468

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2644

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:880

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:1468

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:1376

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:816

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2432

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2444

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1056

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2712

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2360

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:864

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2700

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:2496

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2628

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2724

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2140

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1688

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2172

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2688

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:812

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:1456

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2736

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1984

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1888

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2248

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1528

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2720

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2004

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2716

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2232

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:1476

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41724
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2116

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2636

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2960

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1128

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2524

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1620

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2120

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2016

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:1932

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:764

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1696

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1012

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2792

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2888

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2088

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:2836

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:1680

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1308

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1884

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:856

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2064

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1448

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1652

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1312

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1656

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:3036

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2284

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2652

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:640

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2920

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1640

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2028

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:544

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2952

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2608

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2640

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Modifies file permissions
PID:1468

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41757
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2576

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1132

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2304

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2928

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1220

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2848

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2360

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:376

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2972

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:1524

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2276

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1592

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:1580

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2172

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1596

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2040

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Modifies file permissions
PID:1472

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:708

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:1060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:1336

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1984

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2008

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2248

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2832

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:1868

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:548

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2876

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:592

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2716

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2480

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2728

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:3012

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2624

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2340

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:1588

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41773
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1740

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2208

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:1696

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2852

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1628

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:920

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2124

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:856

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2240

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:1884

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2352

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1912

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1656

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1728

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2740

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:2284

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:3036

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:2580

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:3016

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:2080

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:328

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2612

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2952

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2420

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2440

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2344

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1376

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:380

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2532

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2680

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2608

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1624

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2436

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2848

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2696

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:2972

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41789
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2360

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1224

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2692

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2724

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1528

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2276

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:3060

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2252

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2688

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1336

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2040

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2280

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:1044

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1576

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1372

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:1384

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Modifies file permissions
PID:468

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2872

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2584

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2544

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2784

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2604

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:1960

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2748

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2936

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2296

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2956

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2792

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:892

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:1948

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1012

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:240

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2660

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Possible privilege escalation attempt
PID:2220

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41822
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1308

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2320

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2236

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2912

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:1800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2392

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1084

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2020

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2080

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:640

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:3036

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1640

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2476

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2440

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2612

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2420

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2404

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:448

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1736

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41838
3⤵
- Executes dropped EXE
PID:2024

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2984

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:604

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:1852

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2628

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1020

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1580

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2712

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:320

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2332

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2692

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1060

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2472

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1528

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:708

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2552

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:1888

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2688

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Modifies file permissions
PID:2040

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2316

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:344

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2268

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2036

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2308

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2656

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2832

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2980

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:468

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:1796

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:792

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2960

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:2648

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2784

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:2824

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:2632

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1588

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2756

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:112

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41855
3⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:904

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:800

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2208

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:896

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2904

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1272

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2220

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:856

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1892

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2660

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:596

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:1800

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2256

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2284

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:640

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:1216

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2616

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:1428

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2512

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1516

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2032

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:880

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2372

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2880

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2844

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1628

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2608

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:448

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2404

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:2432

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1852

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:1060

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2576

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
- Modifies file permissions
PID:320

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41871
3⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1604

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2312

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2708

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2704

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1572

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2252

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:812

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:944

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2688

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2656

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:1576

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:344

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:792

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:2248

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2900

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:2768

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:960

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:2116

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1128

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:468

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2960

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2108

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:3012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:2604

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:1384

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2684

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2452

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
- Modifies file permissions
PID:2024

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2388

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1588

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Modifies file permissions
PID:2840

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1676

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
PID:888

C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe
"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c sc start WNPPDx64
3⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
sc start WNPPDx64
4⤵
- Launches sc.exe
PID:2240

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:3056

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:648

C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe
"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41904
3⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:1972

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:2180

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:2804

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:1544

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1428

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2256

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2924

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
PID:2400

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:1380

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2500

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2612

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:2860

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:1564

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1376

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:704

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\bthserv.dll"
3⤵
PID:380

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\bthserv.dll"
4⤵
PID:2304

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
3⤵
PID:688

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
4⤵
PID:1736

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
3⤵
PID:1848

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\bthserv.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:544

C:\Windows\SysWOW64\cmd.exe
/C net start bthserv
3⤵
PID:2052

C:\Windows\SysWOW64\net.exe
net start bthserv
4⤵
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start bthserv
5⤵
PID:1452

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtp.dll"
3⤵
PID:2432

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtp.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
3⤵
PID:2524

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
PID:1020

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
3⤵
PID:2848

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
4⤵
PID:2464

C:\Windows\system32\cmd.exe
/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
3⤵
PID:2700

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\WpdMtpUS.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
3⤵
PID:1456

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
4⤵
PID:1604

C:\Windows\system32\cmd.exe
/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
3⤵
PID:1508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
4⤵
- Possible privilege escalation attempt
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinNexus\Desktop\bin\Agentcfg.ct
Filesize
250B

MD5
aa77c21801f63653b7e3dbdce2484823

SHA1
2ea2d4c0b23ef75c4ab2460addf1c2c02c6bbfbc

SHA256
1d3c37f22aaf6192a7876877346ffdcc6bc9b3f87e00f8bd15a60f2d095ef353

SHA512
bf7669faf264c797d88c52598c59955be362fd83a3b3f3262277e1c9aa2bec5b2b8090511da9901d814394ac26f157282145887f6943b16bd85bd71c6bd9e635

Download Submit
C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct
Filesize
434B

MD5
7bb2460a5eee8f05e04dcbc58a6754a0

SHA1
efa341ec79f49d73a6b97be56cddbba726f7bae6

SHA256
5a315c8472ca65f2e771a8fcf54d36a90e54bffa36447a359ca057def615838e

SHA512
e239a6e9725ef65cfb33421443968dfa1a55bc692a1fa0a2849aab3db09bfff7035f50aadb106d63d1f6f635171bd523184cfba2c319dcd04f2eac38a096a7c1

Download Submit
C:\Program Files\WinNexus\Desktop\bin\TMPGlobalhookdllx64.dll
Filesize
119KB

MD5
4742e47e520eebbbba13fa9d8727e365

SHA1
d2c27d3baf57e77307e2ad8adab481cbd2f5f6d9

SHA256
14aa73999497d475e5943547d587403d660138295ec13cd8a5e834378c8f9095

SHA512
806572f32ff6678fc7a6b4365d40f9f63cd2ce9dca3b6d87296a7ff07c403893820105a4b309c2fc8dc12d4b34b25b132266359b181606222f3b80372eaee66c

Download Submit
C:\Program Files\WinNexus\Desktop\bin\TMPcmdkey.exe
Filesize
19KB

MD5
e002c71165d09da89d023433dc15a897

SHA1
5dc36b3c4f71ee7e8db09d9903beadb61831d69b

SHA256
03dbfd2351f2b8e368489f8dda1a58a7eeea0884a34f296d3d425bb149670aec

SHA512
c7b5c427a8dc7f86f7664303ed126ba75e18aab997ce86b12e5959f606ac660c628268ce31b974eac57a3ce179d527d2de1f883e25229cf5343a3387872e778c

Download Submit
C:\Program Files\WinNexus\Desktop\bin\TMPglobalhookdll.dll
Filesize
70KB

MD5
7e96d78420fd867c51d11e4fd59ac752

SHA1
71db164de417aa2f3175fa80199319bdb72ad44e

SHA256
d17c2a72fb1620b242f402c505674ae7fa678717a329dd12b620f5ec4d98a13a

SHA512
a43f1789700ea08ceb90d6c828a5129bf64ed715b6bda5100ddd6ae354a164cc949665b1c746152c23852f75d08f05f944967578b1893c4b9b7e64cda9ef4367

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WNMonitor.exe
Filesize
140KB

MD5
b23121481d2d64fba020b5f88c8468c1

SHA1
15b13c09471f9bbc2127a7b9e6822808b05d7e3d

SHA256
f9b7e76a79293bdb226cbb6f392e4287c21fd2535835e2e7fc261b53b07c997c

SHA512
f64931dd587f882ed7f270b08197581568a9318518c494b2e837de887688838ac4b5e8b92d1bb2087f3f5bfffea13148159174d8b0e09e3690817afb1ed2f12b

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe
Filesize
286KB

MD5
74683cfcbbace2e559ea7f1480ac98e5

SHA1
2eea08ddd323195b5039d05be8a8de38880c3c76

SHA256
d45791de986cf85ff536357daf2e09b626e5f12c717f3647a050cf89eab52bd1

SHA512
fe364f721dc1d789535f8748819f5ca7482297bb9e784dc3396aeb3a78f9701b67c615905ebd1e0d7487d615eabcc56362d11d241b3712f0c1227bd65e962826

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log
Filesize
1KB

MD5
bd1d34ab4b51cbb014d44d40d09b14ad

SHA1
bd55444fb6cbb3678b56345f300a11533123757f

SHA256
02aca6812bea55df21c98df0548f2b011e830cf7c0d9c021c643dbd21d6c6f4f

SHA512
c1c1ca4712c1233c50708ecf289749798fe91b5dc5948d9e89a66631f521d1d255ddebdd1f02472468b5927f92d7d292c7f995127aa511343df9b11193ddb24c

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log
Filesize
11KB

MD5
086a00bbff3458de417db3ade69b58b7

SHA1
87e4bdea62c6136ce6280000e78b5e03a8eef813

SHA256
a2eb96982b88216ae66275e9c7f265a6d32e97fa74146434840b9387c6324c39

SHA512
9f3aaab88cd83847652cac848ddf24d7dd3f9d3ede091e3d28b221db8c5e4843cfaa6a64fb317e8f288a8e49beed60aa71ca06e76a5a7b1bab84db7606ed05f9

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log
Filesize
5KB

MD5
98302adc5649b692fc7ac58739a27843

SHA1
d5c87e3fcdf6df48d8ba5385866298da4466c87a

SHA256
7f77ccb8a6da82337cfdb28a50edf92d6da397b900032622ad7273069c434c56

SHA512
0607df35037629fce0776d0934cab758a02dcfd763b553a609c4a6963164fe9b15bfa8c299a089b90391d87c84771d5461f3e7a781a77a487a48d83647295d30

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log
Filesize
25KB

MD5
eec6d0d141cfa3517fd6b8994a2262e7

SHA1
c54d2896dd5cd0111929a074c9d8c635abc6e2d6

SHA256
e4bd8ee6e0f72d8c13cad74e947133a1a87da8f9507c46476c0a2e58de947a68

SHA512
905f1a65c5c2a2b91dfbfc3e596f6c3a44e47cbfb47797c17f41e92b61af1d3bcb2eb913d5353c416e0b688f1af90acb291c52dd1b5ca50ae34dc7dd1ae52912

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log
Filesize
156B

MD5
c02dabc5e7b976cca2fba8f5cd0b9ad4

SHA1
c73de0c9156e75f1abc83c5e317ee10c5bbd2c98

SHA256
d27d8ab96242d7f8a1e78deb5b267c73567f63a33cfaf49e066751996a924fed

SHA512
87dea88300fa861ca38e62c31c651c56c84478b1238a656697154a1b312cd2d27ef7fc173252517ca5eb44a20027a2a9ab7954d1f93827dab3bc8d5566c4bca0

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log
Filesize
7KB

MD5
6f2306ec50d8265c2ddd4e65c5313246

SHA1
4cbe1f16507435da308888b10dedbfe72fbb3658

SHA256
79c4ed4f1051e739504f7928935f7cfc72f70176c0297461031df7c75b46b95e

SHA512
ef623a9c6f4ea9fce6bedc25e53419ad213cffa3f08cb8a29a45821ea92a08c64ac59ee88824c693cdae11b6e1b574a8ba22b03ea8ea2a65df2858748c5eb5b6

Download Submit
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log
Filesize
31KB

MD5
08011ccafb8ac1cac458747c584874be

SHA1
49f3f4ccfc762569a0f43b7dbcd0d277c6271d8c

SHA256
f409a4ff25f39d8a79478871b9b07712256e4127e770c86e211985af84bd1cb4

SHA512
ff610be451cf0f114b6c86dabaeccd5fa8b7be318816618820a7fc7a898190421a00f7c84a6e33174f6119f4c3e06afb084ecfd600e96fd7e0033f8687559af3

Download Submit
C:\Program Files\WinNexus\Desktop\bin\language\ErrorMessage\Desktop_ENG.mwm
Filesize
18KB

MD5
c19be8f3c300e5700f9d931cb2896bce

SHA1
f4806c5bd44ebe8273c89cd84d212a5098c885b9

SHA256
1cf45f2c5b11ea0079bbe635f5fa1064057e4dc5aaa7656b20cdddff2648346a

SHA512
c004871e6a085dde0101bcd49bc45f404cd11dab6948fbc01c97e885831e33b7b6a134d2c87a3849fab358c3ce8ee493ecb587f4313907bc8453fbff7828bc14

Download Submit
C:\Program Files\WinNexus\Desktop\bin\language\Source\Eng.ct
Filesize
3KB

MD5
b37c038c0c425b60a3c975223cbc6d5c

SHA1
b813e310223b659b583ff2508444c06abe4fedd4

SHA256
c7c4509264538728e1a8f7bfad0bd09f90e6b5e0d39a51a5a5c58d205b6ba4d5

SHA512
d604ada5ef7e0e1a12abad0c94922f6a9342e247cfafeba64538ba2c61ecc36a72476a7f32143bd97578b139584913b4d625c81d5c8e4fb7310284b50791430f

Download Submit
C:\Program Files\WinNexus\Desktop\bin\libcurl.dll
Filesize
270KB

MD5
2ce2e4f4c9296a11bf2c68f985deb3bd

SHA1
6e890f2d5e4aefac7f7771c9dd7bbb4114399a17

SHA256
fce0872188b447e67dddec5e46ffc6b367d60bd00c559980c8b2feeb0683eacd

SHA512
be5c0897ff13d5a2583a008dded604ee5ed8ec560c74320c9971a603caa1eaee255f789e4f4df4e6de87c9d316c6961e6859eebe95ac5f534cd3f53b34ac8eda

Download Submit
C:\Program Files\WinNexus\Desktop\bin\log4clpus.cfg
Filesize
1KB

MD5
52fe7a08b10b6e44dcb6e55829994ed0

SHA1
47bf13fe3719ba000522c7b15f6958a0c04c2747

SHA256
2c073e571de8cb5c74119acd238dec99875621ccb22ef7504ae94e759804ed61

SHA512
2f255701b0d995182fb47bd1f9e9227ae622b0acfcb8007477fe7c1c21af715525383554b47c0342c576aed6c018517f3654851168d9ab73a382b56b95d70bb9

Download Submit
C:\Program Files\WinNexus\Desktop\bin\log4cplus.dll
Filesize
268KB

MD5
a70eda33710cbd69f92e383b27e6821a

SHA1
8f713a7c98fd5462d7725228c0fc4468be9bd238

SHA256
68a0027c6dc4efd8335ef67fcccee9040cba9ce6d31819f1c41c5303d97a0e5d

SHA512
4d3c02a9bcc7dde843c91b10a42c8389087e978079a43b84c99ed757d2af87a9d147914bc10730d84dc3b7cdf1c8ab1dd6bdb3dc22edccd2fb935cbc89681dfa

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Common\SlideBar.jpg
Filesize
24KB

MD5
2964ddab79c99c415194a166fe42b886

SHA1
aea3cf6a7858039b5712746fba949d58f0dc1ffd

SHA256
fdc1ca7b5b1192b9c0e41baa00e2c160c3eed697600f3a82e5617b43fad01063

SHA512
ec233543cf3847e7b7456f6eef6e579f0011789c13a103fa16bbff2b4093f7e86b10e787f8c0a98f6dd06edeeb48f9b12f83aca0bd0d7b0adcffa4b7b7edc151

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Common\TabBar.jpg
Filesize
32KB

MD5
7581c56594040792d4e3dc6143bcd77a

SHA1
24e60c55119a2d4aedde4207f3ad2732d85f7425

SHA256
cc5cdf83f4543f5875f448d83dc9aadde8c460e953d2a2e5b425eb9e9a46bca4

SHA512
4a7bd62f70136dcb0406bda1a36e1373ef36194d3866d63a768745f1695ec559421d0f34a82c08f1b820d8dab3afd97c46d47e16a62f64c2367e715c8860ad11

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\AboutTab.ico
Filesize
6KB

MD5
fc0f806ee37e100c487a0f2a0aa24e94

SHA1
143a274d75b2a8e1a960de68c9d3874daa3a6606

SHA256
317d74281c96f556cb6633f6faf0c27e638c60a2d4fd54487dc8312738b1d818

SHA512
e6eb281a89a42eb2bf4f326a145fd7649d5cc5b43adfdb3a67978f257ff2b1d9bb58caa11cc0b6168f9274a49fcaa1fead64690b552d82f5d47d97b7e4e395c5

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\ApplicationTab_Enable.ico
Filesize
6KB

MD5
94207d5485f5c86f6b26c45711df99b5

SHA1
0b66eb515811d6933ce66c8dfa0dc2d5e4942d0a

SHA256
fee842c932e30dc0cd9ef9a060cebca5208166585153e7277d4d4e0067de59f0

SHA512
f0f5c75f24546b7214289d9a32ca07dafe4f5380d79936a3f02796ac84686ac0455f85346aa0cc654652bb81a7dcab3e091ab71cb5fd3c1bb4385617ee670851

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\FileTypeTab.ico
Filesize
7KB

MD5
1281dcec1140388c17bf4ded769a4843

SHA1
c0200fef39db64f4af71a4ef5a6790a6a6b4a176

SHA256
0216a0116cb281f29f2e6e975e9d020b0ca54d4cfa1ac1e7fecf8e9720199e18

SHA512
f4653b8e3a49b8e33976ac720560166eb936ffdb4bdc53a94cabb0461ead21657bf55630fc7ebb108115f67a156df1d1e123e32bf4a494f69356aa3892cfdcd5

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\NetworkTab.ico
Filesize
6KB

MD5
0a44b95765a43941c9baf3b968aec3c5

SHA1
72f48b2420933aa174efcdcaca94cdddda416c33

SHA256
baf4edb08ca48232c39f9691438dc01817188dcc950162d9ff35027d8f3bea16

SHA512
0523bc26cab672f91bc8b34968d96460e4fe95d26103fb44e597d64332c76b6720240d0fd4cef9b374889ba16572ddb353b56ddaf533a367aae0e1af231a06c5

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\add.ico
Filesize
4KB

MD5
756393a68fc08413c9c329f189c0aa00

SHA1
4f51bb6b60b501d7d42435dd726c8dc8029483af

SHA256
fb329a56640a39eee578d903f0248474d35f5ea5b2d59c1126029bbc22399cf2

SHA512
8309b7224580407a8670cc43376deea862ab7b3b7fba5003be7c243927e68ab36317caf05fe287b47537e85e22be2217720410a31a5923a0fc8c26d24b70d20f

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\remove.ico
Filesize
4KB

MD5
b7e98473ce90e85bbeb15bc7d2294496

SHA1
7cc535871800ef24119dafd83eab69c7a9219a3d

SHA256
68f63f4f8ff8e60063ab38b023862d40c6d3eab204fdc84144db4e9b796dcd61

SHA512
ca24fd610a5e3910f42dd9290c4ae02e934b05ee2152208960b6b5e9674afddaae6bb449cc990c4e2f9f3dbec92678610fada64b041b3392a494f0134b18ceef

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\run.ico
Filesize
4KB

MD5
9e4a3ff8da85a85c6874c6d539206bdc

SHA1
fc2ed3f1a53d0a8ac153b6eb55d986ac3e268b0c

SHA256
e025fc00022b3230c445e6df9460eb739cc1c50f9b38a14027e3bb429b963453

SHA512
16755949d56112e8961b02a2e77c4463dcd3d637c528f77761e4b818dab18bc49d6e84e012fc83828d2dd5b91496b2d0d04bc09a4aca76fa58d7a75d64a706aa

Download Submit
C:\Program Files\WinNexus\Desktop\bin\res\Eng\stop.ico
Filesize
4KB

MD5
70d02b31fe6a9e6443b532256195a38a

SHA1
064481c7597fea1cada3d58db54110d5d5b7f7f9

SHA256
9a9bf27435e2f47ca2626566a4b0ee083c920951530363f731f3caad5c081b75

SHA512
c739470c1f5d16dd0e966702ef23d6d088a0229855ced74172ff78c48762be82a18c89462ad587f96229c943c3cb50ae87e321f0249dc4c141fb2879f52c5759

Download Submit
C:\Windows\WNSvcAction.log
Filesize
259B

MD5
ef14eb5ae6db3b7207bec48ffd49e5a0

SHA1
636ed794b79beafa5887ae6e8b67ad8c948262db

SHA256
432852218c7d18074f0cca3c3810a7d29ef763eb0576247f9004882461306789

SHA512
730919507c2061296d4635bc56c74d72c983b3bf40eddae101a42b9feae30d8e0c1ac8c03e51ea38d62db985faba8a22992cbb1f605905af5604c3352a43d456

Download Submit
C:\Windows\WNSvcAction.log
Filesize
841B

MD5
d16d1e1d6bbb76f565a6fdbf21cf6a23

SHA1
92a8f854594e3d4b0bf11eb9d73b1721102a0212

SHA256
c96a9b7d9550ac5631da00c712a8630efd3cc0368f6ac31963cd4be09f246ff8

SHA512
b1ed72947a6dad54a744429cb6d48bd7d7003ff8c56e5ac65c53e567f014b35089ea259194352953f212dbe4b092c375ef097e488d258bd8c8078999c1f8aa20

Download Submit
\Program Files\WinNexus\Desktop\bin\DesktopInstall.exe
Filesize
154KB

MD5
5d13f762a425d77d7888fd7bb58edceb

SHA1
1531df2b5fd097fc94c2e6556af87285369a60f7

SHA256
9a1e0297c6a048eba159acbf1c16e2151a810c6f2bea0b826c3346554f546e00

SHA512
a7f892bd4e4257169313f39234608b04ca9929ba78fb71d198cf6e686aa6b2f543b6d44f656d55e25f641e8d3e81657f618cb2fc3812ed6b83803c0a43234d5a

Download Submit
\Program Files\WinNexus\Desktop\bin\WNAgent.exe
Filesize
1.7MB

MD5
2a1785703bb638b6fdadaed97878ef1e

SHA1
8bd8107127bdb1c80429356ddfbce63b3cbcfccd

SHA256
dc099ec15be2950d5b01797007dcae6b87a10aff94c3426031dd4fe04139eeb6

SHA512
f6af92c62704ceea56ec732a7d11e01d894f78612b687ac5d68b4c61e15c666b32398465d56fe7fdeda3a9a5c2b27d5c87248dd89b6af7c84b101e0fcb795053

Download Submit
\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
\Users\Admin\AppData\Local\Temp\is-G92NL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/272-253-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/272-255-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1032-363-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/1048-391-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2096-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2096-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2096-282-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2244-384-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2344-426-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2380-324-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2464-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2464-281-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476