File name:

Alcohol.120.v2.1.1.2201.exe

Full analysis: https://app.any.run/tasks/e21d676b-c7e1-4b81-82ff-9fe3ec40f049
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 30, 2025, 01:39:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
pastebin
loader
auto
generic
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C15AED06AE50022F4C081A188D53B96A

SHA1:

9433CFCDB98BE6E74099CFA1C9C407FBCE57C5DE

SHA256:

16A3FA940FC6D32C3E75C373A9BF260FCDE83824D63BE2ECFDDD19BBFF348B6B

SSDEEP:

98304:8heOy4uEnQoVSVh/90VGpadcZBxutp1echTosn8f7jfYJD6kCHOc032drVHlb2Sg:UEg0Fl4gBzbUcPcgxYK0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Changes the autorun value in the registry

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • GENERIC has been found (auto)

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • PACK.EXE (PID: 6260)
    • Executing a file with an untrusted certificate

      • AxAutoMntSrv.exe (PID: 6344)
      • AxAutoMntSrv.exe (PID: 6868)
    • Changes Windows Defender settings

      • PACK.EXE (PID: 6260)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 4664)
    • Steals credentials from Web Browsers

      • setup.exe (PID: 5744)
      • setup.exe (PID: 4920)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 7132)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 1508)
    • Actions look like stealing of personal data

      • setup.exe (PID: 5744)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
    • Executable content was dropped or overwritten

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • SPTD2inst-x64.exe (PID: 3196)
      • PACK.EXE (PID: 6260)
      • ya.exe (PID: 4308)
      • OperaSetup.exe (PID: 6224)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4920)
      • setup.exe (PID: 3876)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 7132)
      • OperaSetup.exe (PID: 4680)
      • setup.exe (PID: 3956)
      • setup.exe (PID: 1508)
      • setup.exe (PID: 4500)
    • The process creates files with names similar to system file names

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
    • Creates a software uninstall entry

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Process drops a legitimate Windows executable

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3392)
    • Searches for installed software

      • dllhost.exe (PID: 2388)
      • SPTD2inst-x64.exe (PID: 3196)
    • There is functionality for taking screenshot (YARA)

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Creates files in the driver directory

      • SPTD2inst-x64.exe (PID: 3196)
    • Drops a system driver (possible attempt to evade defenses)

      • SPTD2inst-x64.exe (PID: 3196)
    • Reads security settings of Internet Explorer

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • PACK.EXE (PID: 6260)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4500)
    • Starts CMD.EXE for command execution

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • The executable file from the user directory is run by the CMD process

      • PACK.EXE (PID: 6260)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 4664)
    • The process bypasses the loading of PowerShell profile settings

      • PACK.EXE (PID: 6260)
    • The process hides an interactive prompt from the user

      • PACK.EXE (PID: 6260)
    • Script uses the threat ID number to allow Windows Defender to execute it

      • PACK.EXE (PID: 6260)
    • The process hides PowerShell's copyright startup banner

      • PACK.EXE (PID: 6260)
    • Starts POWERSHELL.EXE for command execution

      • PACK.EXE (PID: 6260)
    • Application launched itself

      • setup.exe (PID: 5744)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 4500)
    • Starts itself from another location

      • setup.exe (PID: 5744)
      • setup.exe (PID: 4500)
  • INFO

    • Create files in a temporary directory

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • PACK.EXE (PID: 6260)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4920)
      • OperaSetup.exe (PID: 6224)
      • setup.exe (PID: 3876)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 7132)
      • OperaSetup.exe (PID: 4680)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 1508)
      • setup.exe (PID: 3956)
    • The sample is compiled with English language support

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • PACK.EXE (PID: 6260)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4920)
      • OperaSetup.exe (PID: 6224)
      • setup.exe (PID: 3876)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 7132)
      • OperaSetup.exe (PID: 4680)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 1508)
      • setup.exe (PID: 3956)
    • Checks supported languages

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • SPTD2inst-x64.exe (PID: 3196)
      • AxAutoMntSrv.exe (PID: 6344)
      • PACK.EXE (PID: 6260)
      • AxAutoMntSrv.exe (PID: 6868)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 4920)
      • OperaSetup.exe (PID: 6224)
      • setup.exe (PID: 3876)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 7132)
      • OperaSetup.exe (PID: 4680)
      • setup.exe (PID: 4500)
      • setup.exe (PID: 3956)
      • setup.exe (PID: 1508)
    • Creates files in the program directory

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Reads the computer name

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • SPTD2inst-x64.exe (PID: 3196)
      • AxAutoMntSrv.exe (PID: 6344)
      • PACK.EXE (PID: 6260)
      • AxAutoMntSrv.exe (PID: 6868)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 1524)
      • setup.exe (PID: 4500)
    • The sample is compiled with Russian language support

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Manages system restore points

      • SrTasks.exe (PID: 6372)
    • Launching a file from a Registry key

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
    • Checks proxy server information

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4500)
      • slui.exe (PID: 4528)
    • Reads the software policy settings

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4500)
      • slui.exe (PID: 4528)
    • Creates files or folders in the user directory

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4920)
      • setup.exe (PID: 4500)
    • Reads the machine GUID from the registry

      • Alcohol.120.v2.1.1.2201.exe (PID: 1332)
      • ya.exe (PID: 4308)
      • setup.exe (PID: 5744)
      • setup.exe (PID: 4500)
    • Manual execution by a user

      • ALC.exe (PID: 6208)
      • AxAutoMntSrv.exe (PID: 6868)
      • OperaSetup.exe (PID: 4680)
    • Process checks computer location settings

      • PACK.EXE (PID: 6260)
      • ya.exe (PID: 4308)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 4664)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 4664)
      • powershell.exe (PID: 6516)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:54:10+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 428544
UninitializedDataSize: 16384
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.1.2201
ProductVersionNumber: 2.1.1.2201
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Alcohol Soft Development Team
FileDescription: Alcohol 120% v2.1.1.2201
FileVersion: 2.1.1.2201
LegalCopyright: © Alcohol Soft Development Team
ProductName: Alcohol 120% v2.1.1.2201
No data.
All screenshots are available in the full report
Total processes: 172
Monitored processes: 36
Malicious processes: 10
Suspicious processes: 6

Behavior graph

Process launch order, flattened from the interactive graph (process details are in the full report; "no specs" marks processes without indicators of their own, #GENERIC marks the generic detection hits):

alcohol.120.v2.1.1.2201.exe (#GENERIC), sptd2inst-x64.exe, vssvc.exe (no specs), SPPSurrogate (no specs), srtasks.exe (no specs), conhost.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), axautomntsrv.exe (no specs), regini.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), alc.exe (no specs), pack.exe (#GENERIC), axautomntsrv.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), ya.exe, operasetup.exe, setup.exe, setup.exe, setup.exe, setup.exe, setup.exe, operasetup.exe, setup.exe, setup.exe, setup.exe, slui.exe, svchost.exe, alcohol.120.v2.1.1.2201.exe (no specs)

Process information

Each entry lists PID, command line, image path and parent process, followed by the process details and the first loaded modules.

PID: 1332
CMD: "C:\Users\admin\Desktop\Alcohol.120.v2.1.1.2201.exe"
Path: C:\Users\admin\Desktop\Alcohol.120.v2.1.1.2201.exe
Parent process: explorer.exe
User:
admin
Company:
Alcohol Soft Development Team
Integrity Level:
HIGH
Description:
Alcohol 120% v2.1.1.2201
Exit code:
0
Version:
2.1.1.2201
Modules
Images
c:\users\admin\desktop\alcohol.120.v2.1.1.2201.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1508
CMD: C:\Users\admin\AppData\Local\Temp\7zS842939B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=119.0.5497.141 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ffc414ea108,0x7ffc414ea114,0x7ffc414ea120
Path: C:\Users\admin\AppData\Local\Temp\7zS842939B7\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Installer
Version:
119.0.5497.141
Modules
Images
c:\users\admin\appdata\local\temp\7zs842939b7\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1524
CMD: "C:\Users\admin\AppData\Local\Temp\7zS058E4DD7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5744 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250630013946" --session-guid=4de16429-7d95-4b46-9644-ff490e6a221d --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2809000000000000
Path: C:\Users\admin\AppData\Local\Temp\7zS058E4DD7\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Installer
Version:
119.0.5497.141
Modules
Images
c:\users\admin\appdata\local\temp\7zs058e4dd7\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2388
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2520
CMD: cmd.exe /c "C:\Users\admin\AppData\Local\Temp\PACK.EXE" -p123
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Alcohol.120.v2.1.1.2201.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2680
CMD: REGINI "C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\Aero.dll"
Path: C:\Windows\SysWOW64\regini.exe
Parent process: Alcohol.120.v2.1.1.2201.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Initializer
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regini.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3048
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3196
CMD: "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\SPTD2inst-x64.exe" add /q
Path: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\SPTD2inst-x64.exe
Parent process: Alcohol.120.v2.1.1.2201.exe
User:
admin
Company:
Duplex Secure Ltd
Integrity Level:
HIGH
Description:
SCSI Pass Through Direct setup
Exit code:
1
Version:
2.13.0.0
Modules
Images
c:\program files (x86)\alcohol soft\alcohol 120\sptd2inst-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 37 180
Read events: 36 906
Write events: 247
Delete events: 27

Modification events

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Alcohol 120%
Operation: write
Name: Publisher
Value: Alcohol Soft Development Team

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Alcohol 120%
Operation: write
Name: DisplayName
Value: Alcohol 120%

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Alcohol 120%
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\Alcohol Soft\Alcohol 120

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Alcohol 120%
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\Alcohol.exe

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Alcohol 120%
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\Uninstall.exe

Process: (3196) SPTD2inst-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 480000000000000092DE4DCC5FE9DB017C0C0000B80B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (3196) SPTD2inst-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 480000000000000092DE4DCC5FE9DB017C0C0000B80B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (3196) SPTD2inst-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 480000000000000075A552CC5FE9DB017C0C0000B80B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Alcohol Soft\Alcohol 120%\Options\General
Operation: write
Name: AutoCheckCurrentVersionViaInternetAtStart
Value: 0

Process: (1332) Alcohol.120.v2.1.1.2201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Alcohol Soft\Alcohol 120%\Options
Operation: write
Name: Language
Value: 1033
Executable files: 91
Suspicious files: 20
Text files: 20
Unknown types: 0

Dropped files

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\en.bmp (image)
MD5: ED25F74135602D4F678F47C8A90B3927
SHA256: 572AFBBE22CE62759BC3B1D1E40BFD6F3914994F1EBAF4C93EF9D0ACA93CC6C4

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe (executable)
MD5: 8562C35489C8D687E47DB87885E3BEF6
SHA256: C01700A08ABFCD4FC4ECBCE621DE6C2DB5BF48810A6B5D54A15873CBFD587397

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\System.dll (executable)
MD5: 8CF2AC271D7679B1D68EEFC1AE0C5618
SHA256: 6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\LangDLL.dll (executable)
MD5: 109B201717AB5EF9B5628A9F3EFEF36F
SHA256: 20E642707EF82852BCF153254CB94B629B93EE89A8E8A03F838EEF6CBB493319

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\ru.bmp (image)
MD5: ACBA4CB0FEE2EA0560DCE560D8BB1D00
SHA256: A134FDAFE45A29C94295C6164C118B0166870807BFAFA94DB211BF61802EE432

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\Aero.dll (text)
MD5: 25D290D1F821E5EB03D9DC037B3F27DE
SHA256: C6C6B50FAF255F25D3C5ACC8FE7509F987FFAB113BCDCC553C6C11B219E742B6

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\Alcoholx.dll (executable)
MD5: 619D3846C60821FCF42E1B8D30AE1F1A
SHA256: 24A259A22F46BD796702D70080F76F86DD7D0E6D6BA77ABB23CB5273C90C5A89

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\modern-header.bmp (image)
MD5: FB92573CFB0BB44E9959DCED823AFC29
SHA256: AE1ADD5231C0DD45DB31BB46189F45C4F85FD91A26989E99A546F4548858D4FD

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\Alcohol.exe (executable)
MD5: A45B8C978B0DCA04038579F418494223
SHA256: 048E31432A397FFDB16D88040DE5FDD8D75054BCEA8D38A84378FA12306F4F13

PID 1332, Alcohol.120.v2.1.1.2201.exe: C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ACID.exe (executable)
MD5: 53E6C87FF177C54617ED0A3FFCD51026
SHA256: 10C15F8324128B38E4BBBF6DC9E95C4AEB052C70E3D3C67637432BE6692BCC51
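Two things in the dropped-files table deserve a closer look than the signature names suggest. System.dll and LangDLL.dll in %TEMP%\nsa5C6A.tmp\ are the plugin drops that most NSIS-built installers make, so the "creating System.dll in Temp" signature also fires on legitimate NSIS installers. Aero.dll in the same folder, however, is typed as text and is handed to REGINI (PID 2680 in the process table): a registry script carrying a DLL name. The Python below is an added example for this page, not code from the report, that triages dropped-file records by sniffing content instead of trusting the extension, ignores known NSIS plugin drops, and matches SHA-256 hashes against an IOC set. The byte contents are constructed stand-ins (the report shows hashes, not file bodies); only the paths and types come from the table.

```python
import hashlib
import re
import string
from typing import Dict, List, Set

# NSIS installers unpack their plugins into %TEMP%\ns<xxxxx>.tmp\ and most of
# them drop System.dll and LangDLL.dll there, so that path alone is installer
# behaviour. What matters is what else lands in that folder and whether each
# file's content matches its name.
NSIS_STAGING_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9a-z]{5}\.tmp\\", re.I)
NSIS_PLUGINS = {"system.dll", "langdll.dll", "nsdialogs.dll", "inetc.dll",
                "nsexec.dll", "userinfo.dll", "startmenu.dll"}
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx"}
_TEXT_BYTES = set(string.printable.encode("ascii"))

# Constructed records modelled on the report's dropped-files table. Paths are
# from the table; the byte contents are stand-ins, and the REGINI-style text
# for Aero.dll is a placeholder (the report does not show the script body).
SAMPLE_DROPS = [
    {"path": r"C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\System.dll",
     "data": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56},
    {"path": r"C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\Aero.dll",
     "data": b"; placeholder REGINI script body\r\nKeyName [1 5 7]\r\n"},
    {"path": r"C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\LangDLL.dll",
     "data": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x01" * 56},
    {"path": r"C:\Users\admin\AppData\Local\Temp\nsa5C6A.tmp\en.bmp",
     "data": b"BM\x36\x04\x00\x00"},
    {"path": r"C:\Program Files (x86)\Alcohol Soft\Alcohol 120\Alcohol.exe",
     "data": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x02" * 56},
]


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the form the report's IOC table uses."""
    return hashlib.sha256(data).hexdigest().upper()


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, never by its name."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:2] == b"BM":
        return "image"
    if data and all(b in _TEXT_BYTES for b in data[:512]):
        return "text"
    return "binary"


def triage_drops(drops: List[Dict], iocs: Set[str]) -> Dict[str, List[str]]:
    """Findings per dropped file: IOC hits, name/content mismatches, unexpected NSIS staging content."""
    findings: Dict[str, List[str]] = {}
    for d in drops:
        path = d["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        kind = sniff_type(d["data"])
        staged = NSIS_STAGING_DIR.search(path) is not None
        notes = []
        if sha256_hex(d["data"]) in iocs:
            notes.append("SHA-256 matches a known IOC")
        if ext in EXEC_EXTENSIONS and kind != "executable":
            notes.append(f"named {ext} but content is {kind}: masquerading")
        if staged and kind == "executable" and name not in NSIS_PLUGINS:
            notes.append("executable in NSIS staging dir that is not a known plugin")
        if notes:
            findings[path] = notes
    return findings


if __name__ == "__main__":
    for path, notes in triage_drops(SAMPLE_DROPS, set()).items():
        print(path, notes)
```

On real sandbox output the hash set would be the MD5/SHA256 values from this table or from a threat feed, and sniff_type would read the first bytes of each preserved file; the point of the example is that Aero.dll is the only file in the NSIS staging folder that is worth a finding, while the two plugin DLLs the signature complains about are not.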
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 51
TCP/UDP connections: 61
DNS requests: 18
Threats: 16

HTTP requests

Rows with "-" in the PID and Process columns are requests the report does not attribute to a process.

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4860 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.59.136.219:443 | https://net.geo.opera.com/opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 | unknown | executable | 2.49 Mb | whitelisted
4860 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 109.122.197.1:443 | https://mail.repack.me/tsjtmfdm.pkg | unknown | executable | 410 Kb | whitelisted
- | - | POST | 200 | 82.145.216.46:443 | https://autoupdate.opera.com/v5/netinstaller/opera/Stable/windows/x64 | unknown | binary | 931 b | whitelisted
- | - | POST | 201 | 82.145.217.121:443 | https://desktop-netinstaller-sub.osp.opera.software/v1/binary | unknown | text | 36 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4860 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4860 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
pastebin.com
  • 104.22.68.199
  • 104.22.69.199
  • 172.67.25.94
whitelisted
mail.repack.me
  • 109.122.197.1
whitelisted
net.geo.opera.com
  • 185.26.182.111
  • 185.26.182.112
whitelisted
desktop-netinstaller-sub.osp.opera.software
  • 82.145.217.121
whitelisted
autoupdate.opera.com
  • 185.26.182.124
  • 185.26.182.123
whitelisted
api.config.opr.gg
  • 104.18.24.17
  • 104.18.25.17
unknown

Threats

Rows with "-" in the PID and Process columns are alerts the report does not attribute to a process.

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
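The network section shows downloads made with the NSIS_Inetc user-agent that return PE content: the Opera net installer from net.geo.opera.com and a 410 Kb executable served as tsjtmfdm.pkg from mail.repack.me, plus a DNS lookup of pastebin.com that the sandbox logged only as an INFO alert. Every one of these hosts carries the "whitelisted" tag, so the reputation column is not usable as a trust signal. The Python below is an added example for this page, not code from the report or from ANY.RUN, that triages such records by content and context instead: it sniffs the response body for the MZ header, compares the URL extension with the content, checks the host against the vendors an Opera-bundling installer is expected to contact, and flags paste sites as possible dead-drop resolvers. The user-agent strings and body bytes are constructed (the report names the UA family only through the Suricata alert and never shows payload bytes), and the expected-vendor list is an assumption made for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

PE_EXTENSIONS = {".exe", ".dll", ".msi", ".sys", ".scr", ".cpl"}
# Hosts an installer that bundles Opera is expected to contact. This is an
# assumption for the example: derive it from the installer's stated purpose,
# not from the sandbox's reputation column.
EXPECTED_VENDOR_SUFFIXES = (".opera.com", ".opera.software", ".microsoft.com")
BASELINE_DOMAINS = {"google.com"}          # sandbox connectivity check
DEAD_DROP_DOMAINS = {"pastebin.com"}       # paste sites commonly hold a stage-2 URL
SUSPICIOUS_UA = re.compile(r"NSIS_Inetc|MSDW", re.I)   # the two UA alerts in the report

# Constructed records modelled on the report's HTTP table; UA strings and body
# prefixes are assumptions, the URLs are the report's own.
SAMPLE_HTTP = [
    {"url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
     "user_agent": "Microsoft-CryptoAPI/10.0", "body": b"\x30\x82\x05\x1a"},
    {"url": "https://net.geo.opera.com/opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10",
     "user_agent": "NSIS_Inetc (Mozilla)", "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"url": "https://mail.repack.me/tsjtmfdm.pkg",
     "user_agent": "NSIS_Inetc (Mozilla)", "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"url": "https://autoupdate.opera.com/v5/netinstaller/opera/Stable/windows/x64",
     "user_agent": "Opera Installer", "body": b"\x08\x01\x12\x04"},
]
SAMPLE_DNS = [  # the report's DNS table
    "settings-win.data.microsoft.com", "google.com", "crl.microsoft.com",
    "www.microsoft.com", "pastebin.com", "mail.repack.me", "net.geo.opera.com",
    "desktop-netinstaller-sub.osp.opera.software", "autoupdate.opera.com",
    "api.config.opr.gg",
]


def expected_vendor(host: str) -> bool:
    host = host.lower()
    return any(host == s[1:] or host.endswith(s) for s in EXPECTED_VENDOR_SUFFIXES)


def path_extension(url: str) -> str:
    """Extension of the last path segment, '' if it has none (query string ignored)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[-1].lower()) if "." in last else ""


def classify_http(rec: Dict) -> List[str]:
    """Findings for one HTTP record, judged by body content and host rather than by extension or reputation."""
    host = urlsplit(rec["url"]).hostname or ""
    ext = path_extension(rec["url"])
    is_pe = rec["body"][:2] == b"MZ"     # DOS header: a Windows executable whatever the name says
    vendor = expected_vendor(host)
    findings = []
    if is_pe and ext and ext not in PE_EXTENSIONS:
        findings.append(f"PE payload served with misleading extension {ext} from {host}")
    if is_pe and not vendor:
        findings.append(f"PE download from host outside the expected set: {host}")
    if SUSPICIOUS_UA.search(rec["user_agent"]) and not vendor:
        findings.append(f"suspicious user-agent {rec['user_agent']!r} used against {host}")
    return findings


def classify_dns(domains: List[str]) -> Dict[str, str]:
    verdicts: Dict[str, str] = {}
    for d in domains:
        d = d.lower()
        if d in DEAD_DROP_DOMAINS:
            verdicts[d] = "paste site: possible dead-drop resolver for a stage-2 URL"
        elif not (expected_vendor(d) or d in BASELINE_DOMAINS):
            verdicts[d] = "outside the expected set: verify ownership"
    return verdicts


def triage(http: List[Dict], dns: List[str]) -> Dict[str, object]:
    report: Dict[str, object] = {}
    for rec in http:
        f = classify_http(rec)
        if f:
            report[rec["url"]] = f
    report.update(classify_dns(dns))
    return report


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_HTTP, SAMPLE_DNS).items():
        print(key, "->", verdict)
```

The Opera download is also a PE fetched with the NSIS_Inetc user-agent, so a rule keyed on the user-agent alone (which is what the Suricata alerts do) produces the same alert for the vendor download and for the repack.me payload; pairing the UA with the host and the body content is what separates them. api.config.opr.gg lands in "verify ownership" because it is outside the example's expected set, not because the report says anything about it.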
No debug info