IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
PE32+ executable (console) x86-64, for MS Windows
initial sample
malicious
C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
PE32+ executable (console) x86-64, for MS Windows
dropped
malicious
C:\Windows\Temp\gtebvdararzg.sys
PE32+ executable (native) x86-64, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmgre3nn.jyw.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4oek4jq.iqf.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twscbzmi.cu3.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukrdmtf5.ewz.psm1
ASCII text, with no line terminators
dropped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Windows\Temp\__PSScriptPolicyTest_1ksoiwsx.q32.ps1
ASCII text, with no line terminators
dropped
C:\Windows\Temp\__PSScriptPolicyTest_l35xcuuo.y1v.psm1
ASCII text, with no line terminators
dropped
C:\Windows\Temp\__PSScriptPolicyTest_o2zndmgw.43f.psm1
ASCII text, with no line terminators
dropped
C:\Windows\Temp\__PSScriptPolicyTest_usg3rmda.ml4.ps1
ASCII text, with no line terminators
dropped
There are 3 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\file.exe
"C:\Users\user\Desktop\file.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\sc.exe
C:\Windows\system32\sc.exe delete "MXOLIHZI"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\sc.exe
C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
malicious
C:\Windows\System32\sc.exe
C:\Windows\system32\sc.exe start "MXOLIHZI"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\System32\conhost.exe
conhost.exe
malicious
C:\Windows\System32\notepad.exe
notepad.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\notepad.exe
notepad.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
There are 15 hidden processes, click here to show them.

URLs

Name
IP
Malicious
https://172.94.1q
unknown
https://xmrig.com/docs/algorithms
unknown

Domains

Name
IP
Malicious
pool.hashvault.pro
45.76.89.70
malicious