Analysis Overview
SHA256: 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0
Threat Level: Known bad
The file 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-01-28 17:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-01-28 17:53
Reported: 2022-01-28 18:05
Platform: win7-en-20211208
Max time kernel: 155s
Max time network: 148s
Signatures
RMS
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 900 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 956 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe
"C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2022-01-28 17:53
Reported: 2022-01-28 18:05
Platform: win10-en-20211208
Max time kernel: 159s
Max time network: 166s
Signatures
RMS
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1096 set thread context of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 960 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe
"C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2B139CCF36B985D934646F26F8225271 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2B139CCF36B985D934646F26F8225271 --renderer-client-id=2 --mojo-platform-channel-handle=1668 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=19AF2BA53F9495F0E6D5EDAA199E5EE0 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=328A8A4B585085E84F44316F232ACD7D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=328A8A4B585085E84F44316F232ACD7D --renderer-client-id=4 --mojo-platform-channel-handle=2108 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16583FD51584AB54AC7D3126195C3B76 --mojo-platform-channel-handle=2112 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6647B8DF472F921E137908704C8BD1D2 --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=713929609013DD1C6651E1FBBBE79F84 --mojo-platform-channel-handle=2248 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | d0c6d15c0e4811547a6a8afe3a2448cd |
| SHA1 | 963cf321740c4ef606fec65fce85fb3a9a6223ac |
| SHA256 | 90f26c4e687ba5b90376c508d398f9f00b71e7d0d26c7337d81fc7fae473b431 |
| SHA512 | 6503ac3874dcc5a9f9bd9aa2586fccea01609ca758a54ef3f9508380468fdce638dfc8dbeed6b3d166842f7ac76b5297d5ceef8c0b2f0ab0cb44a9b347c67f2a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | cfe2c4ec0998f1b71faf23496bf90b00 |
| SHA1 | c90756a3c6f6dc34e12babf5f26543510aace704 |
| SHA256 | cccffad62eda9ef83ac30bf03a5934f51f3120920156f4ff273e0528d3a3eea9 |
| SHA512 | f9211902b0c7b1f3451a98b03cbc12be440663eb49f77620ff8ae9b00fb8967765bfacfbd0b9ebf5d6554eb9379372981bc4ac96a69f8f58621c1215c5839c67 |
memory/1560-199-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1560-201-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | 00f39df9d0d2428803f9f1fee5a96586 |
| SHA1 | f6030ae46dc2cef9c68da1844f7dcea4f25a90a3 |
| SHA256 | 55abd66849d3eb61ed290e82b45351237cb379ae7988c13c3a807ffac44cf403 |
| SHA512 | affe2230ea0e44cd5dd1a17c064bbcbf6c10e51710779d3f9077124a2d79615e48233f72f6008c07c4951438cf3d44db649eef4311c6da4125d6f3672b57c484 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | 5c18c0ebbadf702d16100c4ad7484fd6 |
| SHA1 | f26c663d5f6f534543a7c42b02254c98bb4ec0d5 |
| SHA256 | 24a5d4d40d0505f4e022846dcadd7d18384cddb3614d3cb61488f8a3bc66a381 |
| SHA512 | ebeda5b362ea431a03fb282f7a6a6dc2980a718744a9887f91e615e8c02548e8a71abf3ec5774d56fe0068d0d6958e2477e53f674646c93b3254ad7abbbff543 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | 9f8575849738336f7a231e056122ceaa |
| SHA1 | 730e20ee7228080a7f90a238d9e65d55edd84301 |
| SHA256 | 24980d2af24ce57cb13275fc1f83fb498eae73bb800f55ac56b6bd317e8ee95c |
| SHA512 | fa3f214e6733b343e4b4cc823ef13a2f7e652bbfd63fe03fd512e9709d8df74e58cc96325f2a8c090f0a6ab08a6b64e76d6b48aff0b25fd7de5b8b155552116c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | b1111bd15606f7b8bad5dbc672e89820 |
| SHA1 | 510c93d3dc620b17500c10369585f4af7cf3ce0d |
| SHA256 | fcf82d010dcb43630affed736b67a77363ef3762437ae0a348a0aabdc29303c3 |
| SHA512 | 4b3f86f1002b126083881a91b62c358f7799a066aa8766f4f1a1e12aefbec0a43e120fea388ce410d742fe3f1be2e46b0c7c58b52f2e60e16a2c00567935d40a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | d04903fe8cc96fece1f22ebdbc1b644e |
| SHA1 | 446d3fbae9889fe59afad02c6fb71d8838c3fc67 |
| SHA256 | 80f2da88942f71f0963a46be74b00d50b9af71c746e52da775262680cc4baf96 |
| SHA512 | 40d179e8b27ada2c75e826f5bd33517e77a2f75ea89bd4e572c8e1d58ca1f82dd1bb45d46e7e1a421e797867ec8a5db9c921f89c9b06956692d3723f472372af |
memory/1096-209-0x0000000000480000-0x0000000000736000-memory.dmp
memory/1560-210-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | d0c6d15c0e4811547a6a8afe3a2448cd |
| SHA1 | 963cf321740c4ef606fec65fce85fb3a9a6223ac |
| SHA256 | 90f26c4e687ba5b90376c508d398f9f00b71e7d0d26c7337d81fc7fae473b431 |
| SHA512 | 6503ac3874dcc5a9f9bd9aa2586fccea01609ca758a54ef3f9508380468fdce638dfc8dbeed6b3d166842f7ac76b5297d5ceef8c0b2f0ab0cb44a9b347c67f2a |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | cfe2c4ec0998f1b71faf23496bf90b00 |
| SHA1 | c90756a3c6f6dc34e12babf5f26543510aace704 |
| SHA256 | cccffad62eda9ef83ac30bf03a5934f51f3120920156f4ff273e0528d3a3eea9 |
| SHA512 | f9211902b0c7b1f3451a98b03cbc12be440663eb49f77620ff8ae9b00fb8967765bfacfbd0b9ebf5d6554eb9379372981bc4ac96a69f8f58621c1215c5839c67 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
memory/1060-218-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | 00f39df9d0d2428803f9f1fee5a96586 |
| SHA1 | f6030ae46dc2cef9c68da1844f7dcea4f25a90a3 |
| SHA256 | 55abd66849d3eb61ed290e82b45351237cb379ae7988c13c3a807ffac44cf403 |
| SHA512 | affe2230ea0e44cd5dd1a17c064bbcbf6c10e51710779d3f9077124a2d79615e48233f72f6008c07c4951438cf3d44db649eef4311c6da4125d6f3672b57c484 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 5c18c0ebbadf702d16100c4ad7484fd6 |
| SHA1 | f26c663d5f6f534543a7c42b02254c98bb4ec0d5 |
| SHA256 | 24a5d4d40d0505f4e022846dcadd7d18384cddb3614d3cb61488f8a3bc66a381 |
| SHA512 | ebeda5b362ea431a03fb282f7a6a6dc2980a718744a9887f91e615e8c02548e8a71abf3ec5774d56fe0068d0d6958e2477e53f674646c93b3254ad7abbbff543 |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 5c18c0ebbadf702d16100c4ad7484fd6 |
| SHA1 | f26c663d5f6f534543a7c42b02254c98bb4ec0d5 |
| SHA256 | 24a5d4d40d0505f4e022846dcadd7d18384cddb3614d3cb61488f8a3bc66a381 |
| SHA512 | ebeda5b362ea431a03fb282f7a6a6dc2980a718744a9887f91e615e8c02548e8a71abf3ec5774d56fe0068d0d6958e2477e53f674646c93b3254ad7abbbff543 |
memory/1060-228-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | d04903fe8cc96fece1f22ebdbc1b644e |
| SHA1 | 446d3fbae9889fe59afad02c6fb71d8838c3fc67 |
| SHA256 | 80f2da88942f71f0963a46be74b00d50b9af71c746e52da775262680cc4baf96 |
| SHA512 | 40d179e8b27ada2c75e826f5bd33517e77a2f75ea89bd4e572c8e1d58ca1f82dd1bb45d46e7e1a421e797867ec8a5db9c921f89c9b06956692d3723f472372af |
memory/2104-231-0x0000000000B90000-0x0000000000CDA000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | b1111bd15606f7b8bad5dbc672e89820 |
| SHA1 | 510c93d3dc620b17500c10369585f4af7cf3ce0d |
| SHA256 | fcf82d010dcb43630affed736b67a77363ef3762437ae0a348a0aabdc29303c3 |
| SHA512 | 4b3f86f1002b126083881a91b62c358f7799a066aa8766f4f1a1e12aefbec0a43e120fea388ce410d742fe3f1be2e46b0c7c58b52f2e60e16a2c00567935d40a |
memory/3368-235-0x0000000000D20000-0x0000000000D21000-memory.dmp
memory/3056-236-0x00007FFB826F0000-0x00007FFB826F1000-memory.dmp
memory/3044-237-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/2692-238-0x0000000077522000-0x0000000077523000-memory.dmp
memory/2732-241-0x0000000077522000-0x0000000077523000-memory.dmp
memory/3420-246-0x0000000077522000-0x0000000077523000-memory.dmp
memory/1028-251-0x0000000077522000-0x0000000077523000-memory.dmp
memory/3180-254-0x0000000077522000-0x0000000077523000-memory.dmp
memory/3924-257-0x0000000077522000-0x0000000077523000-memory.dmp
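Added example, not part of the sandbox report or of the analysed sample: a Python parser that turns the flattened report text above into structured IOCs. It reads the Network table and the Files list, validates each digest's length so a truncated copy cannot silently miss on lookup, collapses the repeated entries for one file by SHA256 while keeping every path it was seen at, separates the sandbox's udp/53 resolver lookups from the rutils.com endpoints the sample actually connects to, and pulls out the GUID-named directory under AppData\Roaming that received the second copy of the dropper and the rutserv.exe binary. The embedded sample text is copied from the report above and trimmed to three file entries; the page layout it assumes, the DNS-exclusion rule and the GUID-directory heuristic are the example's own assumptions.

```python
"""Added example, not part of the sandbox report: parse the flattened report text
above (a 'Network' table, then a 'Files' list of path + '| MD5 | ... |' rows and
'memory/...' lines) into structured IOCs. Layout assumptions are the example's own."""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: the dropper's persistence directory is a GUID-named folder under Roaming.
GUID_DIR = re.compile(r"\\AppData\\Roaming\\([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\\", re.I)

# Constructed sample input: copied from the report above, trimmed to three file entries.
SAMPLE = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | d0c6d15c0e4811547a6a8afe3a2448cd |
| SHA1 | 963cf321740c4ef606fec65fce85fb3a9a6223ac |
| SHA256 | 90f26c4e687ba5b90376c508d398f9f00b71e7d0d26c7337d81fc7fae473b431 |
| SHA512 | 6503ac3874dcc5a9f9bd9aa2586fccea01609ca758a54ef3f9508380468fdce638dfc8dbeed6b3d166842f7ac76b5297d5ceef8c0b2f0ab0cb44a9b347c67f2a |
memory/1560-199-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | d0c6d15c0e4811547a6a8afe3a2448cd |
| SHA256 | 90f26c4e687ba5b90376c508d398f9f00b71e7d0d26c7337d81fc7fae473b431 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | d04903fe8cc96fece1f22ebdbc1b644e |
| SHA256 | 80f2da88942f71f0963a46be74b00d50b9af71c746e52da775262680cc4baf96 |
memory/2104-231-0x0000000000B90000-0x0000000000CDA000-memory.dmp
"""


def parse_report(text):
    """Return (files, network, memory): files keyed by SHA256 with every path seen,
    network rows as listed (one per connection), memory dumps with their sizes."""
    files, network, memory = {}, [], []
    section, path, pending = None, None, {}

    def flush():  # commit the hash rows gathered for the current path
        if path and "SHA256" in pending:
            rec = files.setdefault(pending["SHA256"], {"paths": set()})
            rec["paths"].add(path)
            rec.update({a.lower(): d for a, d in pending.items() if a != "SHA256"})

    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in ("Network", "Files"):
            flush()
            section, path, pending = line, None, {}
        elif section == "Network":
            m = NET_ROW.match(line)  # the header row does not match and is skipped
            if m:
                network.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                                "domain": m[4], "proto": m[5]})
        elif section == "Files":
            if m := MEM_LINE.match(line):
                start, end = int(m[2], 16), int(m[3], 16)
                memory.append({"pid": int(m[1]), "start": start, "end": end, "size": end - start})
            elif m := HASH_ROW.match(line):
                algo, digest = m[1], m[2].lower()
                if len(digest) != HASH_LEN[algo]:  # a truncated digest would silently never match
                    raise ValueError(f"{algo} for {path!r}: {len(digest)} hex chars, want {HASH_LEN[algo]}")
                pending[algo] = digest
            else:  # any other line is the path of the next dropped file
                flush()
                path, pending = line, {}
    flush()
    return files, network, memory


def network_iocs(network):
    """Distinct domains and endpoints; udp/53 rows are the sandbox's resolver, not C2 (assumption)."""
    domains = sorted({n["domain"] for n in network})
    endpoints = sorted({(n["ip"], n["port"], n["proto"]) for n in network
                        if not (n["proto"] == "udp" and n["port"] == 53)})
    return domains, endpoints


def persistence_dirs(files):
    """GUID-named Roaming directories that received dropped files."""
    return sorted({m[1].upper() for rec in files.values() for p in rec["paths"]
                   if (m := GUID_DIR.search(p))})


if __name__ == "__main__":
    files, network, memory = parse_report(SAMPLE)
    for sha256, rec in files.items():
        print(sha256, rec.get("md5"), sorted(rec["paths"]))
    print(network_iocs(network), persistence_dirs(files))
```

Replace SAMPLE with the full Files and Network sections to get the complete indicator set; the distinct SHA256 keys are what belongs in a blocklist, the Roaming GUID directory is the on-host artefact to sweep for, and the tcp endpoints (rutils.com on 80, server.rutils.com on 5655) are the network indicators, while the 8.8.8.8 rows are only the sandbox's DNS lookups.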