Analysis Overview
SHA256
368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c
Threat Level: Known bad
The file 368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c was found to be: Known bad.
Malicious Activity Summary
RMS (Remote Manipulator System, the Remote Utilities remote-access tool; its rutserv.exe and rfusclient.exe components are dropped and run in the traces below)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 20:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 20:06
Reported
2022-01-28 21:18
Platform
win7-en-20211208
Max time kernel
154s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 572 set thread context of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 1168 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe
"C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
Network
Files
memory/892-54-0x0000000076451000-0x0000000076453000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
memory/1076-67-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1076-68-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1076-66-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1076-65-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1076-64-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | 02a6192af3a76221a2b47000382af829 |
| SHA1 | aedf43347af24d266ec5d471723f4b30b4acc0d0 |
| SHA256 | 2d188cfebc4e2df9c402ad9f993a1827511ff4ead96e25f0bba8f210559a55c9 |
| SHA512 | df55acbf8b2829c849cbe560471030ccda8c1a12a0d938c7128e1ffe46684d1612da2d8807fbe7f537ee3f1c79e42198ddafc2faa51f6325f86cc609cba4200e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
memory/1076-69-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1076-70-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
memory/1076-73-0x0000000000400000-0x000000000041E000-memory.dmp
memory/572-75-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1076-76-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | d837ecd5fd552877a62dd5701ae74c20 |
| SHA1 | f06cb000f9a25dde791c7e5bc30917c74a8f2876 |
| SHA256 | a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001 |
| SHA512 | 291968310037f00d45cfd2a723341cea74f7dc8007b6065717fbd86f7807509711ec283d339bdc4364466bc39341ac27b54e3ce65e4551ac587c578b91537274 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | f7a17ddd9546077ccbe8e84efad68819 |
| SHA1 | c90b5471bba3293c0a0e6829a81fbe2eb10b42b2 |
| SHA256 | 5c7a5a153475b28d27bb7cd3c5d3774341462ef8a79df8bcb2c51947a12e82c4 |
| SHA512 | 76ed4b716cbefd6d996c957faaa3fda9daf04783934bb5f550c6e47e4b600242ba6d47063cb766aedc0eaf0f791d413950296135f89ca50c3535628ad4543161 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | fb07837d481aba2ecdd17b8a5b998410 |
| SHA1 | 3b88d4047fa2b8f8fa6241320d81508eb676ea7a |
| SHA256 | 098e937b0ba5352d9bd5f96bacd301490d168a428f0835f9641013c91e120c5b |
| SHA512 | 66245e0a725fbd054b987f9210a9d3edc3bce15a07a3b519ee1a2bfc693969827b5e451a64efed9bd12005050caa15c69ae16fb85acc953a491abe16b6f91ce0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 85c18c3b57d7a7143128b158d9cdd0a9 |
| SHA1 | c6e62a113e95705f9b612cdbf49dac6bad2073bd |
| SHA256 | 6645db899f4cd1fe80ec5adc50978053dc690a7a50368ee7d56f6a3e8cc94ff6 |
| SHA512 | f6fd286f71a43109bccdadc0c14465dcd9cdda063382ae31e9ed7cba2071dbf4bc1f0006cb4f4752ef996aeed30ecd004b4757b22d08b4a5bfec5dee75ba484c |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | 02a6192af3a76221a2b47000382af829 |
| SHA1 | aedf43347af24d266ec5d471723f4b30b4acc0d0 |
| SHA256 | 2d188cfebc4e2df9c402ad9f993a1827511ff4ead96e25f0bba8f210559a55c9 |
| SHA512 | df55acbf8b2829c849cbe560471030ccda8c1a12a0d938c7128e1ffe46684d1612da2d8807fbe7f537ee3f1c79e42198ddafc2faa51f6325f86cc609cba4200e |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
memory/1224-104-0x0000000002B10000-0x0000000002B11000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | d837ecd5fd552877a62dd5701ae74c20 |
| SHA1 | f06cb000f9a25dde791c7e5bc30917c74a8f2876 |
| SHA256 | a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001 |
| SHA512 | 291968310037f00d45cfd2a723341cea74f7dc8007b6065717fbd86f7807509711ec283d339bdc4364466bc39341ac27b54e3ce65e4551ac587c578b91537274 |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | d837ecd5fd552877a62dd5701ae74c20 |
| SHA1 | f06cb000f9a25dde791c7e5bc30917c74a8f2876 |
| SHA256 | a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001 |
| SHA512 | 291968310037f00d45cfd2a723341cea74f7dc8007b6065717fbd86f7807509711ec283d339bdc4364466bc39341ac27b54e3ce65e4551ac587c578b91537274 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 20:06
Reported
2022-01-28 21:19
Platform
win10-en-20211208
Max time kernel
162s
Max time network
167s
Command Line
Signatures
RMS
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1572 set thread context of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 1068 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe
"C:\Users\Admin\AppData\Local\Temp\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC4B6A9509FA70C5094D41072307107E --mojo-platform-channel-handle=1672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EBA54D2855B779ACFCB78397838FFDDF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EBA54D2855B779ACFCB78397838FFDDF --renderer-client-id=2 --mojo-platform-channel-handle=1688 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FB11D6E49476CCE0F0E5770AAF7523C5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FB11D6E49476CCE0F0E5770AAF7523C5 --renderer-client-id=4 --mojo-platform-channel-handle=2108 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE5DCB7A0C2363DDDFFA7D0D536F517B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5007B4B6351899A23BA67273E03AEA2E --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E5442C9062664CF9375FBD76756D25C --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
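The Processes sections of both runs record the same staging chain (the dropper runs winchk32.exe /inst /xwait from a RarSFX0 temp directory, cmd.exe xcopies the whole extraction directory into a Roaming\<GUID>\ folder, winchk64.exe is started with /inj, and the Remote Utilities server rutserv.exe and its tray client rfusclient.exe are launched from that folder), and the Network table of behavioral2 shows the contact with rutils.com and the relay at server.rutils.com:5655. The following Python is an added example, not part of the sandbox report and not code from the sample or from Remote Utilities: it turns that chain into detection logic over process-creation and connection events. The event classes, the stage labels, the verdict rule and the sample events are assumptions built from the paths, switches and domains shown above; only those paths, switches, domains and the port are taken from the report.

```python
"""Detect the SFX -> Roaming\\<GUID>\\ -> RMS staging chain from process and network events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Roaming\<GUID>\ persistence directory used by the dropper (taken from the report).
GUID_DIR = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\", re.I)
RMS_DOMAIN_SUFFIX = "rutils.com"   # rutils.com / server.rutils.com in the Network table
RMS_RELAY_PORT = 5655              # server.rutils.com:5655 in the Network table


@dataclass
class ProcEvent:            # assumed shape of a process-creation event
    parent: str
    image: str
    cmdline: str


@dataclass
class NetEvent:             # assumed shape of a connection / DNS event
    domain: str
    dst_port: int
    proto: str


def classify_process(ev: ProcEvent) -> Optional[str]:
    """Label an event that matches one stage of the chain; None for anything else."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if "\\appdata\\local\\temp\\rarsfx" in img and "/inst" in cmd:
        return "sfx-stage-install"            # winchk32.exe /inst /xwait from RarSFX0
    if img.endswith("\\xcopy.exe") and re.search(r"\s/e(\s|$)", cmd) \
            and GUID_DIR.search(ev.cmdline):
        return "xcopy-to-roaming-guid"        # xcopy /Y /E /Q * -> Roaming\<GUID>\
    if img.endswith("\\winchk64.exe") and "/inj" in cmd:
        return "winchk64-inject-switch"
    if img.endswith("\\rutserv.exe") and GUID_DIR.search(ev.image):
        return "rms-server-from-appdata"      # RMS server started from Roaming\<GUID>\101\
    if img.endswith("\\rfusclient.exe") and "/tray" in cmd:
        return "rms-client-tray"
    return None


def score_host(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[str, object]:
    """Correlate the chain stages with RMS relay traffic and return a verdict."""
    stages = sorted({lbl for lbl in map(classify_process, procs) if lbl})
    rms_hits = [n for n in nets
                if n.domain.lower().endswith(RMS_DOMAIN_SUFFIX) and n.proto == "tcp"]
    if "rms-server-from-appdata" in stages and (
            "xcopy-to-roaming-guid" in stages or rms_hits):
        verdict = "rms-staged-via-sfx"
    elif stages or rms_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"stages": stages, "rms_relay_hits": len(rms_hits), "verdict": verdict}


# Constructed sample events, rebuilt from the process tree and Network table above.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA"
DROPPER = TMP + r"\368f1100b8a647f2d758ae34183cfb37f432dced201f52021762f759423ecc5c.exe"
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\Explorer.EXE", DROPPER, f'"{DROPPER}"'),
    ProcEvent(DROPPER, TMP + r"\RarSFX0\winchk32.exe",
              f'"{TMP}\\RarSFX0\\winchk32.exe" /inst /xwait'),
    ProcEvent(TMP + r"\RarSFX0\winchk32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              f"cmd.exe /C xcopy /Y /E /Q * {ROAMING}\\"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\xcopy.exe",
              f"xcopy /Y /E /Q * {ROAMING}\\"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", ROAMING + r"\winchk64.exe",
              f"{ROAMING}\\winchk64.exe /inj"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", ROAMING + r"\101\rutserv.exe",
              f"{ROAMING}\\101\\rutserv.exe"),
    ProcEvent(ROAMING + r"\101\rutserv.exe", ROAMING + r"\101\rfusclient.exe",
              f"{ROAMING}\\101\\rfusclient.exe /tray /user"),
    ProcEvent(r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),                       # benign control event
]
SAMPLE_NETS = [
    NetEvent("rutils.com", 53, "udp"),             # DNS lookup, not counted
    NetEvent("rutils.com", 80, "tcp"),
    NetEvent("server.rutils.com", 5655, "tcp"),    # RMS Internet-ID relay
    NetEvent("www.example.com", 443, "tcp"),       # benign control event
]

if __name__ == "__main__":
    print(score_host(SAMPLE_PROCS, SAMPLE_NETS))
```

The classifier keys on the combination of location and switch rather than on file names alone, because winchk32.exe and the GUID folder name are per-build artefacts while the RarSFX0 staging, the xcopy of an entire extraction directory into Roaming and an RMS server running outside Program Files are the parts of the chain that survive a rebuild.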
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | 02a6192af3a76221a2b47000382af829 |
| SHA1 | aedf43347af24d266ec5d471723f4b30b4acc0d0 |
| SHA256 | 2d188cfebc4e2df9c402ad9f993a1827511ff4ead96e25f0bba8f210559a55c9 |
| SHA512 | df55acbf8b2829c849cbe560471030ccda8c1a12a0d938c7128e1ffe46684d1612da2d8807fbe7f537ee3f1c79e42198ddafc2faa51f6325f86cc609cba4200e |
memory/3100-258-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3100-260-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1572-261-0x0000000000530000-0x0000000000531000-memory.dmp
memory/3100-262-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | d837ecd5fd552877a62dd5701ae74c20 |
| SHA1 | f06cb000f9a25dde791c7e5bc30917c74a8f2876 |
| SHA256 | a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001 |
| SHA512 | 291968310037f00d45cfd2a723341cea74f7dc8007b6065717fbd86f7807509711ec283d339bdc4364466bc39341ac27b54e3ce65e4551ac587c578b91537274 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | f7a17ddd9546077ccbe8e84efad68819 |
| SHA1 | c90b5471bba3293c0a0e6829a81fbe2eb10b42b2 |
| SHA256 | 5c7a5a153475b28d27bb7cd3c5d3774341462ef8a79df8bcb2c51947a12e82c4 |
| SHA512 | 76ed4b716cbefd6d996c957faaa3fda9daf04783934bb5f550c6e47e4b600242ba6d47063cb766aedc0eaf0f791d413950296135f89ca50c3535628ad4543161 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | fb07837d481aba2ecdd17b8a5b998410 |
| SHA1 | 3b88d4047fa2b8f8fa6241320d81508eb676ea7a |
| SHA256 | 098e937b0ba5352d9bd5f96bacd301490d168a428f0835f9641013c91e120c5b |
| SHA512 | 66245e0a725fbd054b987f9210a9d3edc3bce15a07a3b519ee1a2bfc693969827b5e451a64efed9bd12005050caa15c69ae16fb85acc953a491abe16b6f91ce0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 85c18c3b57d7a7143128b158d9cdd0a9 |
| SHA1 | c6e62a113e95705f9b612cdbf49dac6bad2073bd |
| SHA256 | 6645db899f4cd1fe80ec5adc50978053dc690a7a50368ee7d56f6a3e8cc94ff6 |
| SHA512 | f6fd286f71a43109bccdadc0c14465dcd9cdda063382ae31e9ed7cba2071dbf4bc1f0006cb4f4752ef996aeed30ecd004b4757b22d08b4a5bfec5dee75ba484c |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 7bec0ad537dc3ffc3c6ec5da3ab8ab26 |
| SHA1 | c8cbbc175451a097e605e448f94c89d3e050acd5 |
| SHA256 | eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4 |
| SHA512 | 060b6beb53819681ed6bcc97e2c4790d424514016db9b94d33e94b5359904906893226901896d1e3c728b676b30cc5bf2fe369022d92dff1953a624caecccb94 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | 02a6192af3a76221a2b47000382af829 |
| SHA1 | aedf43347af24d266ec5d471723f4b30b4acc0d0 |
| SHA256 | 2d188cfebc4e2df9c402ad9f993a1827511ff4ead96e25f0bba8f210559a55c9 |
| SHA512 | df55acbf8b2829c849cbe560471030ccda8c1a12a0d938c7128e1ffe46684d1612da2d8807fbe7f537ee3f1c79e42198ddafc2faa51f6325f86cc609cba4200e |
memory/2104-276-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | d837ecd5fd552877a62dd5701ae74c20 |
| SHA1 | f06cb000f9a25dde791c7e5bc30917c74a8f2876 |
| SHA256 | a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001 |
| SHA512 | 291968310037f00d45cfd2a723341cea74f7dc8007b6065717fbd86f7807509711ec283d339bdc4364466bc39341ac27b54e3ce65e4551ac587c578b91537274 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4e6f91c20f821d5f6590bfebce12b179 |
| SHA1 | 3170b45fb642301687a3a320282099b9d7b7f0f2 |
| SHA256 | 9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105 |
| SHA512 | e782218aeba61809fe1083cdd8772bab225196426ff8a25cf31c321f1cf70075c9958484bca11a3e16bf730d6c4e33c31e7eb5e680c2e320b8834fe53f1f5d3b |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 85c18c3b57d7a7143128b158d9cdd0a9 |
| SHA1 | c6e62a113e95705f9b612cdbf49dac6bad2073bd |
| SHA256 | 6645db899f4cd1fe80ec5adc50978053dc690a7a50368ee7d56f6a3e8cc94ff6 |
| SHA512 | f6fd286f71a43109bccdadc0c14465dcd9cdda063382ae31e9ed7cba2071dbf4bc1f0006cb4f4752ef996aeed30ecd004b4757b22d08b4a5bfec5dee75ba484c |
memory/2104-286-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2968-287-0x00007FFBC2B80000-0x00007FFBC2B81000-memory.dmp
memory/3700-288-0x0000000000BC0000-0x0000000000D0A000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | fb07837d481aba2ecdd17b8a5b998410 |
| SHA1 | 3b88d4047fa2b8f8fa6241320d81508eb676ea7a |
| SHA256 | 098e937b0ba5352d9bd5f96bacd301490d168a428f0835f9641013c91e120c5b |
| SHA512 | 66245e0a725fbd054b987f9210a9d3edc3bce15a07a3b519ee1a2bfc693969827b5e451a64efed9bd12005050caa15c69ae16fb85acc953a491abe16b6f91ce0 |
memory/3940-291-0x0000000000D20000-0x0000000000D21000-memory.dmp
memory/2064-293-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/3260-294-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
memory/1428-297-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
memory/2880-302-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
memory/1280-307-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
memory/3720-310-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
memory/2608-313-0x0000000077CA2000-0x0000000077CA3000-memory.dmp
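The Files section shows the same package written twice: first extracted by the SFX stub into `%TEMP%\RarSFX0\`, then copied into a GUID-named folder under `%APPDATA%` with identical hashes, which is where the RMS host (`rutserv.exe`, `rfusclient.exe` and the `winchk*` loaders) is meant to survive after the temp directory is gone. The script below, an added example and not part of the sandbox report, is the sweep a responder would run on other machines: it hashes every file under a root and matches against the SHA-256 values copied from the tables above, and it separately flags the RMS file names when they sit in the `Roaming\<GUID>\` shape even if the hash differs (a rebuilt package would keep the layout but not the bytes). The function names, the GUID-folder heuristic and the `demo()` tree are this example's own construction; `demo()` writes stand-in bytes, not the real samples, and registers their hash so the hash path can be exercised offline.

```python
"""Sweep a directory tree for the files this detonation dropped.

Added example, not part of the sandbox report. The SHA-256 table is copied
from the report's Files section; the function names, the GUID-folder
heuristic and the demo tree built by demo() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SHA-256 of each dropped file, from the report. The same file appears under
# RarSFX0 and under the Roaming GUID folder with the same hash.
RMS_SHA256 = {
    "eca2853dbf19fe38a21609cca506fb95d517220512bb932ad03e41474b7ecab4": "winchk32.exe",
    "a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b": "winchk32.ldr",
    "2d188cfebc4e2df9c402ad9f993a1827511ff4ead96e25f0bba8f210559a55c9": "winchk32.dat",
    "ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173": "stg.cfg",
    "a5b7369eb63d87b12dfb7d415a537a66ad02a5f35e7275e23991dc07bf688001": "winchk64.exe",
    "5c7a5a153475b28d27bb7cd3c5d3774341462ef8a79df8bcb2c51947a12e82c4": "winmmon.dll",
    "9a5403858d2ad0d181ac743974323c38b509b1e38d2a5e836e25dfecba494105": "winmmon64.dll",
    "cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759": "ZPDG.pdf",
    "098e937b0ba5352d9bd5f96bacd301490d168a428f0835f9641013c91e120c5b": "rfusclient.exe",
    "6645db899f4cd1fe80ec5adc50978053dc690a7a50368ee7d56f6a3e8cc94ff6": "rutserv.exe",
}

# The persistence copy lives in %APPDATA%\<GUID>\ (the GUID in the report is
# 29D451CF-...; assume it varies per build, so match the shape, not the value).
GUID_DIR = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
RMS_NAMES = {"rutserv.exe", "rfusclient.exe", "winchk32.exe", "winchk64.exe"}


@dataclass
class Hit:
    path: str
    reason: str  # "hash:<file name from the report>" or "layout"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def under_roaming_guid(dirpath):
    """True if some path component is a GUID directly beneath a 'Roaming' dir."""
    parts = [p.lower() for p in Path(dirpath).parts]
    return any(parts[i - 1] == "roaming" and GUID_DIR.match(parts[i])
               for i in range(1, len(parts)))


def sweep(root, sha256_iocs=RMS_SHA256):
    """Hash every file under root; report hash matches and RMS-shaped layouts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in sha256_iocs:
                hits.append(Hit(path, "hash:" + sha256_iocs[digest]))
            elif name.lower() in RMS_NAMES and under_roaming_guid(dirpath):
                # Same names in the same folder shape but a different hash:
                # likely a rebuilt or newer RMS package, worth a look.
                hits.append(Hit(path, "layout"))
    return hits


def demo():
    """Build a constructed tree (stand-in bytes, not the real samples) and sweep it."""
    root = tempfile.mkdtemp(prefix="rms-sweep-")
    stage = os.path.join(root, "AppData", "Local", "Temp", "RarSFX0")
    persist = os.path.join(root, "AppData", "Roaming",
                           "29D451CF-3548-4486-8465-A23029B8F6FA", "101")
    os.makedirs(stage)
    os.makedirs(persist)
    stand_in = b"constructed stand-in for winchk32.exe"
    Path(stage, "winchk32.exe").write_bytes(stand_in)
    Path(persist, "rutserv.exe").write_bytes(b"different bytes, same layout")
    Path(root, "notes.txt").write_bytes(b"benign")
    # Register the stand-in's hash so the hash path is exercised offline.
    iocs = dict(RMS_SHA256)
    iocs[hashlib.sha256(stand_in).hexdigest()] = "winchk32.exe"
    return sorted(sweep(root, iocs), key=lambda h: h.reason)


if __name__ == "__main__":
    for hit in demo():
        print(hit.reason, hit.path)
```

On a real host, call `sweep(r"C:\Users")` with the default table and leave `demo()` alone; the layout rule will also fire on a licensed Remote Utilities install that happens to use the same folder shape, so treat a `layout` hit as a lead to check against the hash table and the relay traffic, and a `hash:` hit as a confirmed match for this package.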