Analysis Overview
SHA256: fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9
Threat Level: Known bad
The file fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-01-28 22:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-01-28 22:41
Reported: 2022-01-28 23:08
Platform: win7-en-20211208
Max time kernel: 165s
Max time network: 166s
Command Line
Signatures
RMS
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 332 set thread context of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 1332 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe
"C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
memory/1860-54-0x0000000075891000-0x0000000075893000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | 678c4ed1623cc7eff5d23d5b6e876c59 |
| SHA1 | 6e27f7c61230452555b52b39ab9f51d42c725bed |
| SHA256 | 7208cbd7b8cff4369945eb61fe503277dc2968283d2cb6d52252ed5a6d0304b5 |
| SHA512 | eb31541c5fbe496d58b9810c2b4886a8195ed31c4a011ada32c35a13d10d170a582b387022fae55ea8f0738a3e789f59662710dcbc455aec5767e98d11a70579 |
memory/304-66-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-68-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-69-0x0000000000400000-0x000000000041E000-memory.dmp
memory/332-70-0x0000000000240000-0x0000000000241000-memory.dmp
memory/304-67-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-65-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-71-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-64-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-74-0x0000000000400000-0x000000000041E000-memory.dmp
memory/304-76-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | ae7c86923b62ace7215d6aa3a921b810 |
| SHA1 | c3813734d3bfc07e339c05417055a1a106e2fbbd |
| SHA256 | 1dab39583011142746095f5f938fa9c318a27974796a434492b7f0866016c580 |
| SHA512 | cd80eab9e6779820e8cb801113479427c6ef28eec71d9430feb53247e9078d317f500c3750693e995c87018477a2c2f31cd7a252218afa1104ef3475fb82b1fa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | cd3a52f7b929abd4202023bc6de11970 |
| SHA1 | 6c83abe56219ca656b71aa8c109e0955061da536 |
| SHA256 | c7d5ac2a12278b256e92993602666a5ed386df502e80ecf1873e2436c6d22b1d |
| SHA512 | 4fba37c06c5185c4753eefb04f947cb9c388f4f75c15c81fbd7fdec49e0a0b677e3dd5c280ab48769f56d8d7a8b5c39dcf0c299184372177a2054fa0d0b42efa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | ce291f327ba42a06414ba0cceef4628c |
| SHA1 | bfe3f5cec25181f1b6852e145013e548b920651e |
| SHA256 | 9b059b6cdeca45cfd82a3d1b7833e3cfac7ab782c3598d445a0e5cd2ccb5a17b |
| SHA512 | 1bd900d07e17ad4c19ec9eb4fe322237e0e544c465f4a1189482dd4cfde6a73e95a498de9125a1fbb3e22b615cdc2d3dedec89385d42343e0d2070354792bb6f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA1 | 7cec39ac6a436577e02e7e8fe8226a00e58564cb |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
| SHA512 | 845ebfdf7c98cbf190e5bde01a87fdc5e00a08b97f11a8105ebdae234b02fc460db497d39c156613b56cd5cb241a48196cb2ef0f1bc0d440d4e8049ac627690b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA1 | b77cfff0e359946029120dd642505bc0a9713ecc |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
| SHA512 | 75ad6056b0c5b09e01324e3c8745f6d917353c8bcba39c0fa578bdf6baef17e773eb6a94d6b994c303587ae50d59f0cf5d95cc457a9400257afda33e15dcab33 |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | 678c4ed1623cc7eff5d23d5b6e876c59 |
| SHA1 | 6e27f7c61230452555b52b39ab9f51d42c725bed |
| SHA256 | 7208cbd7b8cff4369945eb61fe503277dc2968283d2cb6d52252ed5a6d0304b5 |
| SHA512 | eb31541c5fbe496d58b9810c2b4886a8195ed31c4a011ada32c35a13d10d170a582b387022fae55ea8f0738a3e789f59662710dcbc455aec5767e98d11a70579 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
memory/1416-104-0x00000000026A0000-0x00000000026A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | ae7c86923b62ace7215d6aa3a921b810 |
| SHA1 | c3813734d3bfc07e339c05417055a1a106e2fbbd |
| SHA256 | 1dab39583011142746095f5f938fa9c318a27974796a434492b7f0866016c580 |
| SHA512 | cd80eab9e6779820e8cb801113479427c6ef28eec71d9430feb53247e9078d317f500c3750693e995c87018477a2c2f31cd7a252218afa1104ef3475fb82b1fa |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | ae7c86923b62ace7215d6aa3a921b810 |
| SHA1 | c3813734d3bfc07e339c05417055a1a106e2fbbd |
| SHA256 | 1dab39583011142746095f5f938fa9c318a27974796a434492b7f0866016c580 |
| SHA512 | cd80eab9e6779820e8cb801113479427c6ef28eec71d9430feb53247e9078d317f500c3750693e995c87018477a2c2f31cd7a252218afa1104ef3475fb82b1fa |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA1 | b77cfff0e359946029120dd642505bc0a9713ecc |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
| SHA512 | 75ad6056b0c5b09e01324e3c8745f6d917353c8bcba39c0fa578bdf6baef17e773eb6a94d6b994c303587ae50d59f0cf5d95cc457a9400257afda33e15dcab33 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA1 | b77cfff0e359946029120dd642505bc0a9713ecc |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
| SHA512 | 75ad6056b0c5b09e01324e3c8745f6d917353c8bcba39c0fa578bdf6baef17e773eb6a94d6b994c303587ae50d59f0cf5d95cc457a9400257afda33e15dcab33 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | ce291f327ba42a06414ba0cceef4628c |
| SHA1 | bfe3f5cec25181f1b6852e145013e548b920651e |
| SHA256 | 9b059b6cdeca45cfd82a3d1b7833e3cfac7ab782c3598d445a0e5cd2ccb5a17b |
| SHA512 | 1bd900d07e17ad4c19ec9eb4fe322237e0e544c465f4a1189482dd4cfde6a73e95a498de9125a1fbb3e22b615cdc2d3dedec89385d42343e0d2070354792bb6f |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | ce291f327ba42a06414ba0cceef4628c |
| SHA1 | bfe3f5cec25181f1b6852e145013e548b920651e |
| SHA256 | 9b059b6cdeca45cfd82a3d1b7833e3cfac7ab782c3598d445a0e5cd2ccb5a17b |
| SHA512 | 1bd900d07e17ad4c19ec9eb4fe322237e0e544c465f4a1189482dd4cfde6a73e95a498de9125a1fbb3e22b615cdc2d3dedec89385d42343e0d2070354792bb6f |
memory/580-119-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1120-120-0x00000000003C0000-0x00000000003C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA1 | 7cec39ac6a436577e02e7e8fe8226a00e58564cb |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
| SHA512 | 845ebfdf7c98cbf190e5bde01a87fdc5e00a08b97f11a8105ebdae234b02fc460db497d39c156613b56cd5cb241a48196cb2ef0f1bc0d440d4e8049ac627690b |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA1 | 7cec39ac6a436577e02e7e8fe8226a00e58564cb |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
| SHA512 | 845ebfdf7c98cbf190e5bde01a87fdc5e00a08b97f11a8105ebdae234b02fc460db497d39c156613b56cd5cb241a48196cb2ef0f1bc0d440d4e8049ac627690b |
memory/1724-125-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-01-28 22:41
Reported: 2022-01-28 23:08
Platform: win10-en-20211208
Max time kernel: 161s
Max time network: 164s
Command Line
Signatures
RMS
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1284 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 2036 set thread context of 1552 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe
"C:\Users\Admin\AppData\Local\Temp\fe580d1ff6731875a28c8c9370749aef80cc7ae1cf40d9a656148e00ecf3f5c9.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07AB7342471CFF2A514C63B4714B6014 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D79BA702F02AFD6716D01D99302A9F1A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D79BA702F02AFD6716D01D99302A9F1A --renderer-client-id=2 --mojo-platform-channel-handle=1668 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F6DB30402D63DD32943760A25D409405 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F6DB30402D63DD32943760A25D409405 --renderer-client-id=4 --mojo-platform-channel-handle=2104 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BDB2FC952F427D99F90D43CF12F4F1D --mojo-platform-channel-handle=2484 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A2B3CFD33D4B2D38AA75CC86613324C1 --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81A3ABEF1135D5996DCB905AED0D92B4 --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | 678c4ed1623cc7eff5d23d5b6e876c59 |
| SHA1 | 6e27f7c61230452555b52b39ab9f51d42c725bed |
| SHA256 | 7208cbd7b8cff4369945eb61fe503277dc2968283d2cb6d52252ed5a6d0304b5 |
| SHA512 | eb31541c5fbe496d58b9810c2b4886a8195ed31c4a011ada32c35a13d10d170a582b387022fae55ea8f0738a3e789f59662710dcbc455aec5767e98d11a70579 |
memory/1624-258-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1624-260-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1284-261-0x0000000000430000-0x000000000057A000-memory.dmp
memory/1624-262-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | cd3a52f7b929abd4202023bc6de11970 |
| SHA1 | 6c83abe56219ca656b71aa8c109e0955061da536 |
| SHA256 | c7d5ac2a12278b256e92993602666a5ed386df502e80ecf1873e2436c6d22b1d |
| SHA512 | 4fba37c06c5185c4753eefb04f947cb9c388f4f75c15c81fbd7fdec49e0a0b677e3dd5c280ab48769f56d8d7a8b5c39dcf0c299184372177a2054fa0d0b42efa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA1 | 7cec39ac6a436577e02e7e8fe8226a00e58564cb |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
| SHA512 | 845ebfdf7c98cbf190e5bde01a87fdc5e00a08b97f11a8105ebdae234b02fc460db497d39c156613b56cd5cb241a48196cb2ef0f1bc0d440d4e8049ac627690b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA1 | b77cfff0e359946029120dd642505bc0a9713ecc |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
| SHA512 | 75ad6056b0c5b09e01324e3c8745f6d917353c8bcba39c0fa578bdf6baef17e773eb6a94d6b994c303587ae50d59f0cf5d95cc457a9400257afda33e15dcab33 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | ce291f327ba42a06414ba0cceef4628c |
| SHA1 | bfe3f5cec25181f1b6852e145013e548b920651e |
| SHA256 | 9b059b6cdeca45cfd82a3d1b7833e3cfac7ab782c3598d445a0e5cd2ccb5a17b |
| SHA512 | 1bd900d07e17ad4c19ec9eb4fe322237e0e544c465f4a1189482dd4cfde6a73e95a498de9125a1fbb3e22b615cdc2d3dedec89385d42343e0d2070354792bb6f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | ae7c86923b62ace7215d6aa3a921b810 |
| SHA1 | c3813734d3bfc07e339c05417055a1a106e2fbbd |
| SHA256 | 1dab39583011142746095f5f938fa9c318a27974796a434492b7f0866016c580 |
| SHA512 | cd80eab9e6779820e8cb801113479427c6ef28eec71d9430feb53247e9078d317f500c3750693e995c87018477a2c2f31cd7a252218afa1104ef3475fb82b1fa |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA1 | 8852647b1c1a2efa4f25fea393d773f9ff94d6fa |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
| SHA512 | 2b2745780f7f238a61cd3b1a2ee5fd260694a92a6fd1492540824e9753554fc56911610db421b0bbd4146ad683f6e762c45a8bc94114c8b7234ea879c95a01b8 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | 678c4ed1623cc7eff5d23d5b6e876c59 |
| SHA1 | 6e27f7c61230452555b52b39ab9f51d42c725bed |
| SHA256 | 7208cbd7b8cff4369945eb61fe503277dc2968283d2cb6d52252ed5a6d0304b5 |
| SHA512 | eb31541c5fbe496d58b9810c2b4886a8195ed31c4a011ada32c35a13d10d170a582b387022fae55ea8f0738a3e789f59662710dcbc455aec5767e98d11a70579 |
memory/1552-276-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
memory/1552-278-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA1 | b77cfff0e359946029120dd642505bc0a9713ecc |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
| SHA512 | 75ad6056b0c5b09e01324e3c8745f6d917353c8bcba39c0fa578bdf6baef17e773eb6a94d6b994c303587ae50d59f0cf5d95cc457a9400257afda33e15dcab33 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | ae7c86923b62ace7215d6aa3a921b810 |
| SHA1 | c3813734d3bfc07e339c05417055a1a106e2fbbd |
| SHA256 | 1dab39583011142746095f5f938fa9c318a27974796a434492b7f0866016c580 |
| SHA512 | cd80eab9e6779820e8cb801113479427c6ef28eec71d9430feb53247e9078d317f500c3750693e995c87018477a2c2f31cd7a252218afa1104ef3475fb82b1fa |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | ce291f327ba42a06414ba0cceef4628c |
| SHA1 | bfe3f5cec25181f1b6852e145013e548b920651e |
| SHA256 | 9b059b6cdeca45cfd82a3d1b7833e3cfac7ab782c3598d445a0e5cd2ccb5a17b |
| SHA512 | 1bd900d07e17ad4c19ec9eb4fe322237e0e544c465f4a1189482dd4cfde6a73e95a498de9125a1fbb3e22b615cdc2d3dedec89385d42343e0d2070354792bb6f |
memory/3064-287-0x00007FF8B9800000-0x00007FF8B9801000-memory.dmp
memory/1896-288-0x0000000002820000-0x0000000002990000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA1 | 7cec39ac6a436577e02e7e8fe8226a00e58564cb |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
| SHA512 | 845ebfdf7c98cbf190e5bde01a87fdc5e00a08b97f11a8105ebdae234b02fc460db497d39c156613b56cd5cb241a48196cb2ef0f1bc0d440d4e8049ac627690b |
memory/3080-291-0x0000000000BD0000-0x0000000000D1A000-memory.dmp
memory/3780-293-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/2600-294-0x0000000077162000-0x0000000077163000-memory.dmp
memory/1692-297-0x0000000077162000-0x0000000077163000-memory.dmp
memory/684-302-0x0000000077162000-0x0000000077163000-memory.dmp
memory/3004-307-0x0000000077162000-0x0000000077163000-memory.dmp
memory/3960-310-0x0000000077162000-0x0000000077163000-memory.dmp
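The Files and Network sections above are the raw material for a hunt, but they are not directly usable: every dropped file is listed once per write, the memory-dump lines are interleaved with file entries, and rutserv.exe / rfusclient.exe are the host and client binaries of Remote Utilities (RMS), a commercial remote-administration tool, so a hash list alone will miss any other build the same operator drops. The script below is an added example written for this page, not part of the sandbox output: it parses an excerpt of the Files section copied verbatim from the report (duplicates and a memory line kept so the parser has to collapse and skip them), keys the IOCs on SHA256, and then runs two hash-independent rules beside the hash match: the RMS host or client executing out of a user's AppData tree (the drop location in this run) and any connection to the relay endpoints in the Network table. The telemetry records in SAMPLE_EVENTS are constructed, their field names (type, path, sha256, dst_host, dst_port) are an assumption rather than any vendor's schema, the "Example Host" install path and its all-zero hash are placeholders, and the alert names are this example's own.

```python
"""Hunt for the RMS drop chain using the IOCs in this report.

Added example for this page, not part of the sandbox output.  REPORT_FILES
is an excerpt copied from the report's Files section; SAMPLE_EVENTS are
constructed telemetry records whose field names (type, path, sha256,
dst_host, dst_port) are an assumption, not any vendor's schema.
"""
import re
from collections import defaultdict

# Excerpt of the Files section.  Duplicate entries and a memory-dump line are
# kept on purpose so the parser has to skip and collapse them.
REPORT_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | c824e16c7c6de8e677d2ed01dfa5283a |
| SHA256 | 541d742d37b03dcd164368ab927c1ee27eacf556bfc88076e43f6f61879ccb6c |
memory/1624-258-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 6312a04933c5081d19cf9711fc77e1b5 |
| SHA256 | 549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | 9fbbba26c746f2c11d404a1ab92f82b2 |
| SHA256 | 6b0c588bc1e1f1d8b105da805e18adae4cccf66cb72cc515132c0fb65ba98172 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Remote Utilities host/client binaries dropped by the sample, and the relay
# endpoints from the report's Network table.
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
RELAY_HOSTS = {"rutils.com", "server.rutils.com", "34.102.136.180", "209.205.218.178"}
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def parse_file_iocs(text):
    """Map each unique SHA256 to its MD5 and every path it was written to."""
    iocs = defaultdict(lambda: {"md5": None, "paths": set()})
    current = None  # [path, md5] for the entry being read
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        row = HASH_ROW.match(line)
        if row is None:          # a path line starts a new entry
            current = [line, None]
            continue
        if current is None:
            continue
        algo, digest = row.group(1), row.group(2).lower()
        if algo == "MD5":
            current[1] = digest
        elif algo == "SHA256":   # SHA256 is the key; duplicate entries collapse here
            iocs[digest]["md5"] = current[1]
            iocs[digest]["paths"].add(current[0])
    return dict(iocs)


def classify(event, hash_iocs):
    """Return the alert names one telemetry event triggers (possibly none)."""
    alerts = []
    if event["type"] in ("file_create", "process_start"):
        path = event["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if event.get("sha256", "").lower() in hash_iocs:
            alerts.append("rms_known_hash")
        # Hash-independent: the RMS host or client running out of a user
        # profile directory is the shape of this drop chain whatever the build.
        if name in RMS_BINARIES and APPDATA_RE.search(path):
            alerts.append("rms_binary_in_appdata")
    elif event["type"] == "network":
        if event.get("dst_host") in RELAY_HOSTS:
            alerts.append("rms_relay_contact")
    return alerts


def hunt(events, hash_iocs):
    """Return [(subject, alerts)] for every event that triggered something."""
    hits = []
    for event in events:
        alerts = classify(event, hash_iocs)
        if alerts:
            hits.append((event.get("path") or event.get("dst_host"), alerts))
    return hits


# Constructed telemetry: one process from the report, one rutserv.exe under a
# hypothetical vendor directory with a placeholder hash, one relay connection.
SAMPLE_EVENTS = [
    {"type": "process_start",
     "path": r"C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe",
     "sha256": "549b9895d6f5c46c2af9ede197ddf8569e041a2067b34d7970bbdd173528f3ea"},
    {"type": "process_start",
     "path": r"C:\Program Files (x86)\Example Host\rutserv.exe",  # hypothetical path
     "sha256": "00" * 32},                                          # placeholder hash
    {"type": "network", "dst_host": "server.rutils.com", "dst_port": 5655},
]

if __name__ == "__main__":
    for subject, alerts in hunt(SAMPLE_EVENTS, parse_file_iocs(REPORT_FILES)):
        print(subject, "->", ", ".join(alerts))
```

The second sample event is deliberately left unflagged: the same binary name under a vendor-style install path with an unknown hash is exactly what a legitimately deployed Remote Utilities host looks like, and an organisation that uses the product with its Internet-ID service will also see the relay hosts, so the path and relay rules need an allow-list of sanctioned installs before they are promoted from hunt query to alert.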