Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 21:05

Static task: static1
Behavioral task: behavioral1
  Sample: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe
Size: 3.1MB
MD5: 0012915ff4d35f107ab639a04345b133
SHA1: 784a46a24dc59e4b5cf823ce61d6207358f42023
SHA256: b885660e1b3f46bd7b9cb277485f61b5f0e576ec9c205485133eda756fa21aba
SHA512: dafe8ee97afaddc621b01eb2fd2ba2d674a91f879cfa708a0828c59df44d2aa0a9f5ce4c05b3a772f3f39a98164147eeb6ca1af368ecb74dbd8c315b4e63e501
SSDEEP: 98304:vlOtHCs1gTyEH/b+7hbb77jgKzZ/xqHiBNdsq5:9OtQTy0qDjgM/Lso
Malware Config

Signatures
- Creates new service(s) (1 TTPs)
- Possible privilege escalation attempt (64 IoCs)
  Processes: takeown.exe, icacls.exe
- Stops running service(s) (3 TTPs)
- Modifies file permissions (1 TTPs, 64 IoCs)
  Processes: icacls.exe, takeown.exe
- Drops file in System32 directory (21 IoCs)
  Processes: WNAgent.exe, 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (WNAgent.exe, 20 times)
  - File opened for modification: C:\Windows\system32\msvcp60.dll (0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
  Processes: WNAgent.exe, 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
  WNAgent.exe:
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\EventRuleCfg.ct
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log
  - File created: C:\Program Files\WinNexus\Desktop\bin\uuid.ct
  0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp:
  - File opened for modification: C:\Program Files\WinNexus\Desktop\unins000.dat
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.exe
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\WNXUninstall.exe
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\TMPGlobalhookdllx64.dll
  - File opened for modification: C:\Program Files\WinNexus\Desktop\bin\TMPglobalhookdll.dll
  - File created: C:\Program Files\WinNexus\Desktop\bin\is-I9K6U.tmp, is-SRA5P.tmp, is-QGL7D.tmp, is-4I33P.tmp, is-GC4R0.tmp, is-RFG85.tmp, is-7TVLS.tmp, is-7C1VI.tmp, is-EU2P3.tmp
  - File created: C:\Program Files\WinNexus\Desktop\bin\res\Chs\is-DB0PL.tmp, is-AF68T.tmp, is-ILMPM.tmp
  - File created: C:\Program Files\WinNexus\Desktop\bin\res\Cht\is-3P9BR.tmp, is-R76GJ.tmp, is-D7JUK.tmp, is-5OBRV.tmp, is-2O1RG.tmp, is-NLB6N.tmp
  - File created: C:\Program Files\WinNexus\Desktop\bin\res\Eng\is-HVTLP.tmp, is-8TTFI.tmp, is-F8CBD.tmp
  - File created: C:\Program Files\WinNexus\Desktop\bin\res\Common\is-KP3OB.tmp, is-5R4BB.tmp, is-J3GCS.tmp, is-77EAV.tmp, is-PBR3C.tmp
- Drops file in Windows directory (4 IoCs)
  Processes: DesktopInstall.EXE, WNSvc.exe
  - File opened for modification: C:\Windows\WinNexusDesktopInstall.log (DesktopInstall.EXE)
  - File opened for modification: C:\Windows\WNSvcAction.log (WNSvc.exe)
  - File created: C:\Windows\WNSvc.log (WNSvc.exe)
  - File opened for modification: C:\Windows\WNSvc.log (WNSvc.exe)
- Executes dropped EXE (43 IoCs)
  Processes: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp, DesktopInstall.EXE, WNSvc.exe, WNAgent.exe, wnmonitor.exe
- Launches sc.exe (23 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe
- Loads dropped DLL (64 IoCs)
  Processes: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe, 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp, DesktopInstall.EXE, WNSvc.exe, WNAgent.exe, wnmonitor.exe
- Modifies data under HKEY_USERS (20 IoCs)
  Processes: WNAgent.exe
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (WNAgent.exe, 20 times)
- Modifies registry class (40 IoCs)
  Processes: WNAgent.exe, 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
  WNAgent.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\ (20 times)
  0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wdf
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wdf\ = "WinNexus WDF file"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\BrowserFlags = "8"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\EditFlags = "65536"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\DefaultIcon
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\DefaultIcon\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WNAgent.exe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open\command
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinNexus WDF file\shell\open\command\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WinNexusLoader.exe %1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\ = "URL:Alert Protocol"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\URL Protocol
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\DefaultIcon
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\DefaultIcon\ = "C:\\Program Files\\WinNexus\\Desktop\\bin\\WNAgent.exe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open\command
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\winnexus\shell\open\command\ = "\"C:\\Program Files\\WinNexus\\Desktop\\bin\\WinNexusLoader.exe\" \"%1\""
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp, DesktopInstall.EXE, WNSvc.exe, WNAgent.exe, wnmonitor.exe
- Suspicious behavior: LoadsDriver (21 IoCs)
  Processes: pid 476 (21 times)
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
  Processes: takeown.exe
  - Token: SeTakeOwnershipPrivilege (takeown.exe, 55 times)
Suspicious use of FindShellTrayWindow 40 IoCs
Processes:
-
Suspicious use of SendNotifyMessage 39 IoCs
Processes:
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
-
System policy modification 1 TTPs 30 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WNAgent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = "0" WNAgent.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp"C:\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp" /SL5="$6014E,2981574,56832,C:\Users\Admin\AppData\Local\Temp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.EXE"C:\Program Files\WinNexus\Desktop\bin\DesktopInstall.EXE" /install3⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop WNPPDx644⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WNPPDx645⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd.exe /c takeown /f "C:\Windows\WinSxS" && icacls "C:\Windows\WinSxS" /grant administrators:F4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS" /grant administrators:F5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc create WNPPDx64 binPath= "C:\Windows\SysWOW64\drivers\WNPPDx64.sys" type= "kernel" start= "auto" Displayname= "WNPPDx64"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc create WNPPDx64 binPath= "C:\Windows\SysWOW64\drivers\WNPPDx64.sys" type= "kernel" start= "auto" Displayname= "WNPPDx64"5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start WNPPDx644⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx645⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe"C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe"1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 414603⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 414923⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 415093⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 415253⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 415583⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 415743⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 415903⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 416073⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 416393⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 416723⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 416883⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 417243⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Modifies file permissions
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 417573⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 417733⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe"C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c sc start WNPPDx643⤵
-
C:\Windows\SysWOW64\sc.exesc start WNPPDx644⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
-
C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe"C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 417893⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\bthserv.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\bthserv.dll"4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant administrators:F4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\bthserv.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\bthserv.dll" /grant users:F4⤵
-
C:\Windows\SysWOW64\cmd.exe/C net start bthserv3⤵
-
C:\Windows\SysWOW64\net.exenet start bthserv4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start bthserv5⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtp.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtp.dll"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F4⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtp.dll" /grant users:F4⤵
-
C:\Windows\system32\cmd.exe/C takeown /f "C:\Windows\System32\WpdMtpUS.dll"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\WpdMtpUS.dll"4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F4⤵
-
C:\Windows\system32\cmd.exe/C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F4⤵
-
[depth 2] C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe  |  "C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
    - Drops file in System32 directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - System policy modification
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  cmd /c sc start WNPPDx64
    [depth 4] C:\Windows\SysWOW64\sc.exe  |  sc start WNPPDx64
        - Launches sc.exe
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
        - Possible privilege escalation attempt
  [depth 3] C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe  |  "C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41822
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
        - Possible privilege escalation attempt
        - Modifies file permissions
[depth 2] C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe  |  "C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
    - Drops file in System32 directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - System policy modification
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  cmd /c sc start WNPPDx64
    [depth 4] C:\Windows\SysWOW64\sc.exe  |  sc start WNPPDx64
        - Launches sc.exe
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe  |  "C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41838
      - Executes dropped EXE
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
[depth 2] C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe  |  "C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - System policy modification
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  cmd /c sc start WNPPDx64
    [depth 4] C:\Windows\SysWOW64\sc.exe  |  sc start WNPPDx64
        - Launches sc.exe
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe  |  "C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41855
      - Executes dropped EXE
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
[depth 2] C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe  |  "C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - System policy modification
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  cmd /c sc start WNPPDx64
    [depth 4] C:\Windows\SysWOW64\sc.exe  |  sc start WNPPDx64
        - Launches sc.exe
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
        - Modifies file permissions
  [depth 3] C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe  |  "C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41871
      - Executes dropped EXE
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
        - Modifies file permissions
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
[depth 2] C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe  |  "C:\Program Files\WinNexus\Desktop\bin\WNAgent.exe" /startup
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - System policy modification
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  cmd /c sc start WNPPDx64
    [depth 4] C:\Windows\SysWOW64\sc.exe  |  sc start WNPPDx64
        - Launches sc.exe
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe  |  "C:\Program Files\WinNexus\Desktop\bin\wnmonitor.exe" 41904
      - Executes dropped EXE
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\bthserv.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\bthserv.dll"
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\bthserv.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\bthserv.dll" /grant users:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\SysWOW64\cmd.exe  |  /C net start bthserv
    [depth 4] C:\Windows\SysWOW64\net.exe  |  net start bthserv
      [depth 5] C:\Windows\SysWOW64\net1.exe  |  C:\Windows\system32\net1 start bthserv
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtp.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtp.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant administrators:F
        - Possible privilege escalation attempt
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C takeown /f "C:\Windows\System32\WpdMtpUS.dll"
    [depth 4] C:\Windows\system32\takeown.exe  |  takeown /f "C:\Windows\System32\WpdMtpUS.dll"
        - Suspicious use of AdjustPrivilegeToken
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant administrators:F
  [depth 3] C:\Windows\system32\cmd.exe  |  /C icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
    [depth 4] C:\Windows\system32\icacls.exe  |  icacls "C:\Windows\System32\WpdMtpUS.dll" /grant users:F
        - Possible privilege escalation attempt
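Detection note on the tree above. Every WNAgent.exe instance runs the same sequence against three System32 DLLs: takeown /f on the file, icacls /grant administrators:F, icacls /grant users:F, and, for bthserv.dll, net start bthserv. The net effect is that BUILTIN\Users gets Full control of bthserv.dll (the DLL that hosts the Bluetooth Support Service), WpdMtp.dll and WpdMtpUS.dll, files that on a stock install are owned by TrustedInstaller and read-only for Users. The Python below is an example added by the editor, not code from the sandbox or from the WinNexus software, that turns this pattern into a check over process-creation records (image path plus command line, in observed order). The sample records are constructed from the command lines in the tree, the protected-directory and low-privilege principal lists are the example's own choices, and the service-start correlation is positional (services started after the grant), not a lookup of which service loads which DLL.

```python
"""Example added by the editor (not sandbox or WinNexus code): flag the
takeown -> icacls /grant <low-priv>:F -> service-start chain seen in the tree above,
over a list of (image_path, command_line) process-creation records in observed order."""
import ntpath

# Assumption: directories whose files must never become writable by ordinary users.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: principals that every ordinary logon is a member of.
LOW_PRIV_PRINCIPALS = {
    "users", "builtin\\users", "everyone",
    "authenticated users", "nt authority\\authenticated users",
}
WRITE_RIGHTS = {"f", "m", "w", "d"}   # icacls simple rights that allow changing the file
SERVICE_TOOLS = {"net.exe", "net1.exe", "sc.exe"}

# Constructed from the command lines in the tree above; not a sandbox export.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\sc.exe", r"sc start WNPPDx64"),
    (r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Windows\System32\bthserv.dll"'),
    (r"C:\Windows\system32\icacls.exe",
     r'icacls "C:\Windows\System32\bthserv.dll" /grant administrators:F'),
    (r"C:\Windows\system32\icacls.exe",
     r'icacls "C:\Windows\System32\bthserv.dll" /grant users:F'),
    (r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 start bthserv"),
    (r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Windows\System32\WpdMtp.dll"'),
    (r"C:\Windows\system32\icacls.exe",
     r'icacls "C:\Windows\System32\WpdMtp.dll" /grant users:F'),
    # Constructed benign noise: an admin opening a data share outside the protected dirs.
    (r"C:\Windows\system32\icacls.exe", r'icacls "C:\Data\share" /grant "Domain Users":M'),
]


def split_cmdline(cmdline):
    """Split on unquoted whitespace; double quotes group and are dropped. No escape
    handling, which matches how takeown, icacls and net receive their arguments."""
    toks, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def is_protected(path):
    return path.lower().replace("/", "\\").startswith(PROTECTED_DIRS)


def grants_write_to_low_priv(spec):
    """icacls /grant argument: 'users:F' -> True, 'administrators:F' -> False,
    'users:(OI)(CI)RX' -> False. Inheritance flags are stripped before the rights check."""
    principal, _, rights = spec.rpartition(":")
    rights = rights.lower()
    for flag in ("(oi)", "(ci)", "(io)", "(np)", "(i)"):
        rights = rights.replace(flag, "")
    return (principal.lower() in LOW_PRIV_PRINCIPALS
            and any(r in WRITE_RIGHTS for r in rights.split(",")))


def classify(image, cmdline):
    """Map one record to ('takeown', path), ('grant', path, spec), ('svc_start', name) or None."""
    exe = ntpath.basename(image).lower()
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    if exe == "takeown.exe" and "/f" in low:
        i = low.index("/f")
        return ("takeown", toks[i + 1]) if i + 1 < len(toks) else None
    if exe == "icacls.exe" and len(toks) > 1:
        for i, t in enumerate(low):
            if t in ("/grant", "/grant:r") and i + 1 < len(toks):
                return ("grant", toks[1], toks[i + 1])
        return None
    if exe in SERVICE_TOOLS and "start" in low:
        i = low.index("start")
        return ("svc_start", toks[i + 1]) if i + 1 < len(toks) else None
    return None


def find_acl_weakening(events):
    """One finding per protected file whose ACL was opened to a low-privilege principal:
    whether ownership was taken first, the offending /grant, and the services started
    afterwards (positional correlation only; no lookup of which service loads the DLL)."""
    findings = {}
    for image, cmdline in events:
        hit = classify(image, cmdline)
        if hit is None:
            continue
        if hit[0] == "svc_start":
            for f in findings.values():
                if f["weak_grant"]:
                    f["services_started_after"].append(hit[1])
            continue
        path = hit[1]
        if not is_protected(path):
            continue
        f = findings.setdefault(path.lower(), {
            "path": path, "takeown": False, "weak_grant": None,
            "services_started_after": []})
        if hit[0] == "takeown":
            f["takeown"] = True
        elif grants_write_to_low_priv(hit[2]):
            f["weak_grant"] = hit[2]
    return [f for f in findings.values() if f["weak_grant"]]


if __name__ == "__main__":
    for f in find_acl_weakening(SAMPLE_EVENTS):
        print(f"{f['path']}: takeown={f['takeown']} grant={f['weak_grant']} "
              f"then started={f['services_started_after']}")
```

To apply it to real data, feed (image, command line) pairs from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the administrators:F grants are deliberately not flagged, since only the grant to a low-privilege principal changes who can overwrite the DLL. On a host, the after-the-fact check is `icacls C:\Windows\System32\bthserv.dll` (and the two WpdMtp DLLs): an explicit `BUILTIN\Users:(F)` entry is the residue of this chain, where stock System32 files give Users only `(RX)`.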
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Program Files\WinNexus\Desktop\bin\Agentcfg.ct
Filesize: 250B
MD5: aa77c21801f63653b7e3dbdce2484823
SHA1: 2ea2d4c0b23ef75c4ab2460addf1c2c02c6bbfbc
SHA256: 1d3c37f22aaf6192a7876877346ffdcc6bc9b3f87e00f8bd15a60f2d095ef353
SHA512: bf7669faf264c797d88c52598c59955be362fd83a3b3f3262277e1c9aa2bec5b2b8090511da9901d814394ac26f157282145887f6943b16bd85bd71c6bd9e635
-
C:\Program Files\WinNexus\Desktop\bin\SysSoftCfg.ct
Filesize: 434B
MD5: 7bb2460a5eee8f05e04dcbc58a6754a0
SHA1: efa341ec79f49d73a6b97be56cddbba726f7bae6
SHA256: 5a315c8472ca65f2e771a8fcf54d36a90e54bffa36447a359ca057def615838e
SHA512: e239a6e9725ef65cfb33421443968dfa1a55bc692a1fa0a2849aab3db09bfff7035f50aadb106d63d1f6f635171bd523184cfba2c319dcd04f2eac38a096a7c1
-
C:\Program Files\WinNexus\Desktop\bin\TMPGlobalhookdllx64.dll
Filesize: 119KB
MD5: 4742e47e520eebbbba13fa9d8727e365
SHA1: d2c27d3baf57e77307e2ad8adab481cbd2f5f6d9
SHA256: 14aa73999497d475e5943547d587403d660138295ec13cd8a5e834378c8f9095
SHA512: 806572f32ff6678fc7a6b4365d40f9f63cd2ce9dca3b6d87296a7ff07c403893820105a4b309c2fc8dc12d4b34b25b132266359b181606222f3b80372eaee66c
-
C:\Program Files\WinNexus\Desktop\bin\TMPcmdkey.exe
Filesize: 19KB
MD5: e002c71165d09da89d023433dc15a897
SHA1: 5dc36b3c4f71ee7e8db09d9903beadb61831d69b
SHA256: 03dbfd2351f2b8e368489f8dda1a58a7eeea0884a34f296d3d425bb149670aec
SHA512: c7b5c427a8dc7f86f7664303ed126ba75e18aab997ce86b12e5959f606ac660c628268ce31b974eac57a3ce179d527d2de1f883e25229cf5343a3387872e778c
-
C:\Program Files\WinNexus\Desktop\bin\TMPglobalhookdll.dll
Filesize: 70KB
MD5: 7e96d78420fd867c51d11e4fd59ac752
SHA1: 71db164de417aa2f3175fa80199319bdb72ad44e
SHA256: d17c2a72fb1620b242f402c505674ae7fa678717a329dd12b620f5ec4d98a13a
SHA512: a43f1789700ea08ceb90d6c828a5129bf64ed715b6bda5100ddd6ae354a164cc949665b1c746152c23852f75d08f05f944967578b1893c4b9b7e64cda9ef4367
-
C:\Program Files\WinNexus\Desktop\bin\WNMonitor.exe
Filesize: 140KB
MD5: b23121481d2d64fba020b5f88c8468c1
SHA1: 15b13c09471f9bbc2127a7b9e6822808b05d7e3d
SHA256: f9b7e76a79293bdb226cbb6f392e4287c21fd2535835e2e7fc261b53b07c997c
SHA512: f64931dd587f882ed7f270b08197581568a9318518c494b2e837de887688838ac4b5e8b92d1bb2087f3f5bfffea13148159174d8b0e09e3690817afb1ed2f12b
-
C:\Program Files\WinNexus\Desktop\bin\WNSvc.exe
Filesize: 286KB
MD5: 74683cfcbbace2e559ea7f1480ac98e5
SHA1: 2eea08ddd323195b5039d05be8a8de38880c3c76
SHA256: d45791de986cf85ff536357daf2e09b626e5f12c717f3647a050cf89eab52bd1
SHA512: fe364f721dc1d789535f8748819f5ca7482297bb9e784dc3396aeb3a78f9701b67c615905ebd1e0d7487d615eabcc56362d11d241b3712f0c1227bd65e962826
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log
Filesize: 1KB
MD5: bd1d34ab4b51cbb014d44d40d09b14ad
SHA1: bd55444fb6cbb3678b56345f300a11533123757f
SHA256: 02aca6812bea55df21c98df0548f2b011e830cf7c0d9c021c643dbd21d6c6f4f
SHA512: c1c1ca4712c1233c50708ecf289749798fe91b5dc5948d9e89a66631f521d1d255ddebdd1f02472468b5927f92d7d292c7f995127aa511343df9b11193ddb24c
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Action.log
Filesize: 11KB
MD5: 086a00bbff3458de417db3ade69b58b7
SHA1: 87e4bdea62c6136ce6280000e78b5e03a8eef813
SHA256: a2eb96982b88216ae66275e9c7f265a6d32e97fa74146434840b9387c6324c39
SHA512: 9f3aaab88cd83847652cac848ddf24d7dd3f9d3ede091e3d28b221db8c5e4843cfaa6a64fb317e8f288a8e49beed60aa71ca06e76a5a7b1bab84db7606ed05f9
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log
Filesize: 5KB
MD5: 98302adc5649b692fc7ac58739a27843
SHA1: d5c87e3fcdf6df48d8ba5385866298da4466c87a
SHA256: 7f77ccb8a6da82337cfdb28a50edf92d6da397b900032622ad7273069c434c56
SHA512: 0607df35037629fce0776d0934cab758a02dcfd763b553a609c4a6963164fe9b15bfa8c299a089b90391d87c84771d5461f3e7a781a77a487a48d83647295d30
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Desktop.log
Filesize: 25KB
MD5: eec6d0d141cfa3517fd6b8994a2262e7
SHA1: c54d2896dd5cd0111929a074c9d8c635abc6e2d6
SHA256: e4bd8ee6e0f72d8c13cad74e947133a1a87da8f9507c46476c0a2e58de947a68
SHA512: 905f1a65c5c2a2b91dfbfc3e596f6c3a44e47cbfb47797c17f41e92b61af1d3bcb2eb913d5353c416e0b688f1af90acb291c52dd1b5ca50ae34dc7dd1ae52912
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\Error.log
Filesize: 156B
MD5: c02dabc5e7b976cca2fba8f5cd0b9ad4
SHA1: c73de0c9156e75f1abc83c5e317ee10c5bbd2c98
SHA256: d27d8ab96242d7f8a1e78deb5b267c73567f63a33cfaf49e066751996a924fed
SHA512: 87dea88300fa861ca38e62c31c651c56c84478b1238a656697154a1b312cd2d27ef7fc173252517ca5eb44a20027a2a9ab7954d1f93827dab3bc8d5566c4bca0
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log
Filesize: 7KB
MD5: 6f2306ec50d8265c2ddd4e65c5313246
SHA1: 4cbe1f16507435da308888b10dedbfe72fbb3658
SHA256: 79c4ed4f1051e739504f7928935f7cfc72f70176c0297461031df7c75b46b95e
SHA512: ef623a9c6f4ea9fce6bedc25e53419ad213cffa3f08cb8a29a45821ea92a08c64ac59ee88824c693cdae11b6e1b574a8ba22b03ea8ea2a65df2858748c5eb5b6
-
C:\Program Files\WinNexus\Desktop\bin\WinNexusLog\info.log
Filesize: 31KB
MD5: 08011ccafb8ac1cac458747c584874be
SHA1: 49f3f4ccfc762569a0f43b7dbcd0d277c6271d8c
SHA256: f409a4ff25f39d8a79478871b9b07712256e4127e770c86e211985af84bd1cb4
SHA512: ff610be451cf0f114b6c86dabaeccd5fa8b7be318816618820a7fc7a898190421a00f7c84a6e33174f6119f4c3e06afb084ecfd600e96fd7e0033f8687559af3
-
C:\Program Files\WinNexus\Desktop\bin\language\ErrorMessage\Desktop_ENG.mwm
Filesize: 18KB
MD5: c19be8f3c300e5700f9d931cb2896bce
SHA1: f4806c5bd44ebe8273c89cd84d212a5098c885b9
SHA256: 1cf45f2c5b11ea0079bbe635f5fa1064057e4dc5aaa7656b20cdddff2648346a
SHA512: c004871e6a085dde0101bcd49bc45f404cd11dab6948fbc01c97e885831e33b7b6a134d2c87a3849fab358c3ce8ee493ecb587f4313907bc8453fbff7828bc14
-
C:\Program Files\WinNexus\Desktop\bin\language\Source\Eng.ct
Filesize: 3KB
MD5: b37c038c0c425b60a3c975223cbc6d5c
SHA1: b813e310223b659b583ff2508444c06abe4fedd4
SHA256: c7c4509264538728e1a8f7bfad0bd09f90e6b5e0d39a51a5a5c58d205b6ba4d5
SHA512: d604ada5ef7e0e1a12abad0c94922f6a9342e247cfafeba64538ba2c61ecc36a72476a7f32143bd97578b139584913b4d625c81d5c8e4fb7310284b50791430f
-
C:\Program Files\WinNexus\Desktop\bin\libcurl.dll
Filesize: 270KB
MD5: 2ce2e4f4c9296a11bf2c68f985deb3bd
SHA1: 6e890f2d5e4aefac7f7771c9dd7bbb4114399a17
SHA256: fce0872188b447e67dddec5e46ffc6b367d60bd00c559980c8b2feeb0683eacd
SHA512: be5c0897ff13d5a2583a008dded604ee5ed8ec560c74320c9971a603caa1eaee255f789e4f4df4e6de87c9d316c6961e6859eebe95ac5f534cd3f53b34ac8eda
-
C:\Program Files\WinNexus\Desktop\bin\log4clpus.cfg
Filesize: 1KB
MD5: 52fe7a08b10b6e44dcb6e55829994ed0
SHA1: 47bf13fe3719ba000522c7b15f6958a0c04c2747
SHA256: 2c073e571de8cb5c74119acd238dec99875621ccb22ef7504ae94e759804ed61
SHA512: 2f255701b0d995182fb47bd1f9e9227ae622b0acfcb8007477fe7c1c21af715525383554b47c0342c576aed6c018517f3654851168d9ab73a382b56b95d70bb9
-
C:\Program Files\WinNexus\Desktop\bin\log4cplus.dll
Filesize: 268KB
MD5: a70eda33710cbd69f92e383b27e6821a
SHA1: 8f713a7c98fd5462d7725228c0fc4468be9bd238
SHA256: 68a0027c6dc4efd8335ef67fcccee9040cba9ce6d31819f1c41c5303d97a0e5d
SHA512: 4d3c02a9bcc7dde843c91b10a42c8389087e978079a43b84c99ed757d2af87a9d147914bc10730d84dc3b7cdf1c8ab1dd6bdb3dc22edccd2fb935cbc89681dfa
-
C:\Program Files\WinNexus\Desktop\bin\res\Common\SlideBar.jpg
Filesize: 24KB
MD5: 2964ddab79c99c415194a166fe42b886
SHA1: aea3cf6a7858039b5712746fba949d58f0dc1ffd
SHA256: fdc1ca7b5b1192b9c0e41baa00e2c160c3eed697600f3a82e5617b43fad01063
SHA512: ec233543cf3847e7b7456f6eef6e579f0011789c13a103fa16bbff2b4093f7e86b10e787f8c0a98f6dd06edeeb48f9b12f83aca0bd0d7b0adcffa4b7b7edc151
-
C:\Program Files\WinNexus\Desktop\bin\res\Common\TabBar.jpg
Filesize: 32KB
MD5: 7581c56594040792d4e3dc6143bcd77a
SHA1: 24e60c55119a2d4aedde4207f3ad2732d85f7425
SHA256: cc5cdf83f4543f5875f448d83dc9aadde8c460e953d2a2e5b425eb9e9a46bca4
SHA512: 4a7bd62f70136dcb0406bda1a36e1373ef36194d3866d63a768745f1695ec559421d0f34a82c08f1b820d8dab3afd97c46d47e16a62f64c2367e715c8860ad11
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\AboutTab.ico
Filesize: 6KB
MD5: fc0f806ee37e100c487a0f2a0aa24e94
SHA1: 143a274d75b2a8e1a960de68c9d3874daa3a6606
SHA256: 317d74281c96f556cb6633f6faf0c27e638c60a2d4fd54487dc8312738b1d818
SHA512: e6eb281a89a42eb2bf4f326a145fd7649d5cc5b43adfdb3a67978f257ff2b1d9bb58caa11cc0b6168f9274a49fcaa1fead64690b552d82f5d47d97b7e4e395c5
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\ApplicationTab_Enable.ico
Filesize: 6KB
MD5: 94207d5485f5c86f6b26c45711df99b5
SHA1: 0b66eb515811d6933ce66c8dfa0dc2d5e4942d0a
SHA256: fee842c932e30dc0cd9ef9a060cebca5208166585153e7277d4d4e0067de59f0
SHA512: f0f5c75f24546b7214289d9a32ca07dafe4f5380d79936a3f02796ac84686ac0455f85346aa0cc654652bb81a7dcab3e091ab71cb5fd3c1bb4385617ee670851
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\FileTypeTab.ico
Filesize: 7KB
MD5: 1281dcec1140388c17bf4ded769a4843
SHA1: c0200fef39db64f4af71a4ef5a6790a6a6b4a176
SHA256: 0216a0116cb281f29f2e6e975e9d020b0ca54d4cfa1ac1e7fecf8e9720199e18
SHA512: f4653b8e3a49b8e33976ac720560166eb936ffdb4bdc53a94cabb0461ead21657bf55630fc7ebb108115f67a156df1d1e123e32bf4a494f69356aa3892cfdcd5
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\NetworkTab.ico
Filesize: 6KB
MD5: 0a44b95765a43941c9baf3b968aec3c5
SHA1: 72f48b2420933aa174efcdcaca94cdddda416c33
SHA256: baf4edb08ca48232c39f9691438dc01817188dcc950162d9ff35027d8f3bea16
SHA512: 0523bc26cab672f91bc8b34968d96460e4fe95d26103fb44e597d64332c76b6720240d0fd4cef9b374889ba16572ddb353b56ddaf533a367aae0e1af231a06c5
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\add.ico
Filesize: 4KB
MD5: 756393a68fc08413c9c329f189c0aa00
SHA1: 4f51bb6b60b501d7d42435dd726c8dc8029483af
SHA256: fb329a56640a39eee578d903f0248474d35f5ea5b2d59c1126029bbc22399cf2
SHA512: 8309b7224580407a8670cc43376deea862ab7b3b7fba5003be7c243927e68ab36317caf05fe287b47537e85e22be2217720410a31a5923a0fc8c26d24b70d20f
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\remove.ico
Filesize: 4KB
MD5: b7e98473ce90e85bbeb15bc7d2294496
SHA1: 7cc535871800ef24119dafd83eab69c7a9219a3d
SHA256: 68f63f4f8ff8e60063ab38b023862d40c6d3eab204fdc84144db4e9b796dcd61
SHA512: ca24fd610a5e3910f42dd9290c4ae02e934b05ee2152208960b6b5e9674afddaae6bb449cc990c4e2f9f3dbec92678610fada64b041b3392a494f0134b18ceef
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\run.ico
Filesize: 4KB
MD5: 9e4a3ff8da85a85c6874c6d539206bdc
SHA1: fc2ed3f1a53d0a8ac153b6eb55d986ac3e268b0c
SHA256: e025fc00022b3230c445e6df9460eb739cc1c50f9b38a14027e3bb429b963453
SHA512: 16755949d56112e8961b02a2e77c4463dcd3d637c528f77761e4b818dab18bc49d6e84e012fc83828d2dd5b91496b2d0d04bc09a4aca76fa58d7a75d64a706aa
-
C:\Program Files\WinNexus\Desktop\bin\res\Eng\stop.ico
Filesize: 4KB
MD5: 70d02b31fe6a9e6443b532256195a38a
SHA1: 064481c7597fea1cada3d58db54110d5d5b7f7f9
SHA256: 9a9bf27435e2f47ca2626566a4b0ee083c920951530363f731f3caad5c081b75
SHA512: c739470c1f5d16dd0e966702ef23d6d088a0229855ced74172ff78c48762be82a18c89462ad587f96229c943c3cb50ae87e321f0249dc4c141fb2879f52c5759
-
C:\Windows\WNSvcAction.log
Filesize: 259B
MD5: ef14eb5ae6db3b7207bec48ffd49e5a0
SHA1: 636ed794b79beafa5887ae6e8b67ad8c948262db
SHA256: 432852218c7d18074f0cca3c3810a7d29ef763eb0576247f9004882461306789
SHA512: 730919507c2061296d4635bc56c74d72c983b3bf40eddae101a42b9feae30d8e0c1ac8c03e51ea38d62db985faba8a22992cbb1f605905af5604c3352a43d456
-
C:\Windows\WNSvcAction.log
Filesize: 841B
MD5: d16d1e1d6bbb76f565a6fdbf21cf6a23
SHA1: 92a8f854594e3d4b0bf11eb9d73b1721102a0212
SHA256: c96a9b7d9550ac5631da00c712a8630efd3cc0368f6ac31963cd4be09f246ff8
SHA512: b1ed72947a6dad54a744429cb6d48bd7d7003ff8c56e5ac65c53e567f014b35089ea259194352953f212dbe4b092c375ef097e488d258bd8c8078999c1f8aa20
-
\Program Files\WinNexus\Desktop\bin\DesktopInstall.exe
Filesize: 154KB
MD5: 5d13f762a425d77d7888fd7bb58edceb
SHA1: 1531df2b5fd097fc94c2e6556af87285369a60f7
SHA256: 9a1e0297c6a048eba159acbf1c16e2151a810c6f2bea0b826c3346554f546e00
SHA512: a7f892bd4e4257169313f39234608b04ca9929ba78fb71d198cf6e686aa6b2f543b6d44f656d55e25f641e8d3e81657f618cb2fc3812ed6b83803c0a43234d5a
-
\Program Files\WinNexus\Desktop\bin\WNAgent.exe
Filesize: 1.7MB
MD5: 2a1785703bb638b6fdadaed97878ef1e
SHA1: 8bd8107127bdb1c80429356ddfbce63b3cbcfccd
SHA256: dc099ec15be2950d5b01797007dcae6b87a10aff94c3426031dd4fe04139eeb6
SHA512: f6af92c62704ceea56ec732a7d11e01d894f78612b687ac5d68b4c61e15c666b32398465d56fe7fdeda3a9a5c2b27d5c87248dd89b6af7c84b101e0fcb795053
-
\Users\Admin\AppData\Local\Temp\is-4QR4P.tmp\0012915ff4d35f107ab639a04345b133_JaffaCakes118.tmp
Filesize: 690KB
MD5: 1305181de520f125aeabf85dc24a89d6
SHA1: 98b7548fede3f1468ccbdee405abdc4e5d2ec671
SHA256: 0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf
SHA512: b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793
-
\Users\Admin\AppData\Local\Temp\is-G92NL.tmp\_isetup\_shfoldr.dll
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
memory/272-253-0x0000000000020000-0x0000000000030000-memory.dmp
Filesize: 64KB
-
memory/272-255-0x0000000000220000-0x0000000000260000-memory.dmp
Filesize: 256KB
-
memory/1032-363-0x00000000005C0000-0x0000000000600000-memory.dmp
Filesize: 256KB
-
memory/1048-391-0x00000000002D0000-0x0000000000310000-memory.dmp
Filesize: 256KB
-
memory/2096-2-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/2096-0-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/2096-282-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/2244-384-0x00000000002A0000-0x00000000002E0000-memory.dmp
Filesize: 256KB
-
memory/2344-426-0x00000000001B0000-0x00000000001F0000-memory.dmp
Filesize: 256KB
-
memory/2380-324-0x00000000003A0000-0x00000000003E0000-memory.dmp
Filesize: 256KB
-
memory/2464-10-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize: 4KB
-
memory/2464-281-0x0000000000400000-0x00000000004BC000-memory.dmp
Filesize: 752KB