Analysis Overview
SHA256
36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216
Threat Level: Known bad
The file 36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 21:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 21:24
Reported
2022-01-28 21:55
Platform
win7-en-20211208
Max time kernel
161s
Max time network
151s
Command Line
Signatures
RMS
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 900 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 956 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe
"C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 21:24
Reported
2022-01-28 21:55
Platform
win10-en-20211208
Max time kernel
168s
Max time network
174s
Command Line
Signatures
RMS
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2904 set thread context of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe |
| PID 1700 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe | C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe
"C:\Users\Admin\AppData\Local\Temp\36329712a21bc2a49d1e13920b3f7b647793f046e67a3c62aa7474ce61be0216.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\xcopy.exe
xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B3F2844079C7FAE4EECD390F7821DE86 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B3F2844079C7FAE4EECD390F7821DE86 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C3275B1538474F3BD383ED07054BE1E --mojo-platform-channel-handle=1784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7ABA37C526B087F92C4B31481C02F50E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7ABA37C526B087F92C4B31481C02F50E --renderer-client-id=4 --mojo-platform-channel-handle=2120 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50D6F1EA42C4FCDC3CA54C50E8A847A8 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D683AF045EEA4E30E5BD4684F0A5F9AB --mojo-platform-channel-handle=2012 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F98C00A902CDE3A54AABAE4977FC988E --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rutils.com | udp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 34.102.136.180:80 | rutils.com | tcp |
| US | 8.8.8.8:53 | server.rutils.com | udp |
| US | 209.205.218.178:5655 | server.rutils.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
| MD5 | 3f0a7e73ee2fe43c22faad0a64eb3b5a |
| SHA1 | 500a447a187240706c059c16366fedf1aa13ea77 |
| SHA256 | ebba93f67e168ed2ea4b57a21e69a283665e934de670423daea6109ade0ac5d7 |
| SHA512 | 7632144e8dce8edea69766526c8367f24cec5d5a0e9069c877e96c29265c70dcb673d909ff91b6e11b371f2bf8f1148ddfcfbdd0d9b30cb7fd6b513f4e6521af |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.dat
| MD5 | 0ebf33280fa7fe735abec71984132490 |
| SHA1 | 8d9a804b1433a05216cfe1d4e61ce5eb092a3505 |
| SHA256 | 09dc0560eee97af80a790c007b83fdea4313ac36f0d76c6548040081cf39bdb1 |
| SHA512 | 79e77d013daf055d7b42c3e7766b08b6df166e8750a93463d4325360eb95b69c77761d52160c2e63f527d9a38fa45c13ede92417b909d3351c2fe225ffabfc4c |
memory/1020-202-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1020-204-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2904-205-0x0000000000430000-0x000000000057A000-memory.dmp
memory/1020-206-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk64.exe
| MD5 | 421d64aa1c38317d5d9726be08ffddfe |
| SHA1 | 9f2c6a44453e882098b17b66de70c430c64c3b26 |
| SHA256 | 58a8021190de309a72b4fa75950832a2eb5d6f987a78ea6247942837653aae43 |
| SHA512 | 3cf6474d0a089fa61d3ac0376d5c14af096f1b0f05d6cb431e03ad80db0030da96809a2760ffab8f534174ca644a7c9a259cb9bdce5f91ca19f3ca2d77f77184 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon.dll
| MD5 | cef5ee3c5f47f0b56c60af0e60ac929d |
| SHA1 | 5a3201048d8d9d696102a3c3b98da99c2cc4ff1f |
| SHA256 | 0083b30331124785573cc24a814344cdf1a1c37864306c45c6357a67f9df7279 |
| SHA512 | 9f5db9d0f33819c9867c2b2ce5d92a2690399e432e4a9965757e054b97a2a1a6aaef98b99a48826b6e0425d298ed6b244a0e58f0f3fc40d8705b6f57110de4e8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winmmon64.dll
| MD5 | 4cf02268e288f8f27ef95f63c9bd36f8 |
| SHA1 | 1c03ed1adf4b4e786efc00f3d892217faaafb268 |
| SHA256 | 655edae9bf7f65a6727cad4cd2ca80e19d17ef768a530010971d3323b2769fbf |
| SHA512 | 23d434e1b19249a382bde2d827c712a569e93b29c84ebbb7f30538e19ac98b689041afc6d373e89f652bef00fa7fcdc296aa7cbf6cbf3dc28331a8da0f2f185c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rfusclient.exe
| MD5 | 6113f919f542ab50e65b78f1ecde793f |
| SHA1 | d8d27c742da87292ef19a197594193c2c5e5f845 |
| SHA256 | b19ecc4669defcfd5d02da742d7348dca9119d0e845ce56faa5632655f718624 |
| SHA512 | 74885cae9a07f0e50db723e4a732b42a3597589ec16638da3ae98258f147b35a329522ee830116c010d775a59360d86427bf5a18c78e58e3d38687459b541943 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\101\rutserv.exe
| MD5 | 85a5decafe1aaa141d4480dabc39cc39 |
| SHA1 | 2a1bb4bb455d3238a01e121165603a9b58b4d09d |
| SHA256 | 1aed806fc4919d3b8b2ebe1469510f61ac2d95cdf34c51a468fd419c7bd8dc93 |
| SHA512 | 48c00f7e02f1ed3825024be5c942e0574000a3dba46e6356a50c5b977cdaf98514624461ff165a412868b315974e537d6a3343847797c5d4471413720e341a4d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf
| MD5 | 69e8ec9bdccd6ed33fcad2fa19602b2f |
| SHA1 | 9f48e109675cdb0a53400358c27853db48fcd156 |
| SHA256 | cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759 |
| SHA512 | b22b948aec9b58dca27481e5d638dd53c99e4f9ed4f7f2270ae1a60b36567ac9c02635d33e528d82dd77157e62107616bba199cf6f34078bd1ecdb7ebe424773 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
| MD5 | 3f0a7e73ee2fe43c22faad0a64eb3b5a |
| SHA1 | 500a447a187240706c059c16366fedf1aa13ea77 |
| SHA256 | ebba93f67e168ed2ea4b57a21e69a283665e934de670423daea6109ade0ac5d7 |
| SHA512 | 7632144e8dce8edea69766526c8367f24cec5d5a0e9069c877e96c29265c70dcb673d909ff91b6e11b371f2bf8f1148ddfcfbdd0d9b30cb7fd6b513f4e6521af |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.ldr
| MD5 | 8ee5ab32edced6eb38819b7674bfb0cd |
| SHA1 | 030dc8c3832f664fa10efa3105dff0a9b6d48911 |
| SHA256 | a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b |
| SHA512 | 82f4ccbb53c2ecb71c3dcd2c0d7d15ce5cc0a66f92f9f661cfc9ee98df093c481cbbb8888a854d359a388e28ab1085ec7e02452bffed030c118226caf70a6bf9 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.dat
| MD5 | 0ebf33280fa7fe735abec71984132490 |
| SHA1 | 8d9a804b1433a05216cfe1d4e61ce5eb092a3505 |
| SHA256 | 09dc0560eee97af80a790c007b83fdea4313ac36f0d76c6548040081cf39bdb1 |
| SHA512 | 79e77d013daf055d7b42c3e7766b08b6df166e8750a93463d4325360eb95b69c77761d52160c2e63f527d9a38fa45c13ede92417b909d3351c2fe225ffabfc4c |
memory/1852-220-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\stg.cfg
| MD5 | ba9dbe65381759bb06d3dc6a2d0089c8 |
| SHA1 | 37a2a15c52caa7d63af86778c2dd1d2d81d4a270 |
| SHA256 | ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173 |
| SHA512 | 2471e3df6f15646aa06cdea9cc2388addffec85dfde9343dfee3b2f083d98d7e8a314d1cb51b07689a9529f035bd551fd16d3cc899f5e57f9c35fd778e8258cf |
memory/1852-227-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
| MD5 | 421d64aa1c38317d5d9726be08ffddfe |
| SHA1 | 9f2c6a44453e882098b17b66de70c430c64c3b26 |
| SHA256 | 58a8021190de309a72b4fa75950832a2eb5d6f987a78ea6247942837653aae43 |
| SHA512 | 3cf6474d0a089fa61d3ac0376d5c14af096f1b0f05d6cb431e03ad80db0030da96809a2760ffab8f534174ca644a7c9a259cb9bdce5f91ca19f3ca2d77f77184 |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
| MD5 | 85a5decafe1aaa141d4480dabc39cc39 |
| SHA1 | 2a1bb4bb455d3238a01e121165603a9b58b4d09d |
| SHA256 | 1aed806fc4919d3b8b2ebe1469510f61ac2d95cdf34c51a468fd419c7bd8dc93 |
| SHA512 | 48c00f7e02f1ed3825024be5c942e0574000a3dba46e6356a50c5b977cdaf98514624461ff165a412868b315974e537d6a3343847797c5d4471413720e341a4d |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4cf02268e288f8f27ef95f63c9bd36f8 |
| SHA1 | 1c03ed1adf4b4e786efc00f3d892217faaafb268 |
| SHA256 | 655edae9bf7f65a6727cad4cd2ca80e19d17ef768a530010971d3323b2769fbf |
| SHA512 | 23d434e1b19249a382bde2d827c712a569e93b29c84ebbb7f30538e19ac98b689041afc6d373e89f652bef00fa7fcdc296aa7cbf6cbf3dc28331a8da0f2f185c |
\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winmmon64.dll
| MD5 | 4cf02268e288f8f27ef95f63c9bd36f8 |
| SHA1 | 1c03ed1adf4b4e786efc00f3d892217faaafb268 |
| SHA256 | 655edae9bf7f65a6727cad4cd2ca80e19d17ef768a530010971d3323b2769fbf |
| SHA512 | 23d434e1b19249a382bde2d827c712a569e93b29c84ebbb7f30538e19ac98b689041afc6d373e89f652bef00fa7fcdc296aa7cbf6cbf3dc28331a8da0f2f185c |
C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
| MD5 | 6113f919f542ab50e65b78f1ecde793f |
| SHA1 | d8d27c742da87292ef19a197594193c2c5e5f845 |
| SHA256 | b19ecc4669defcfd5d02da742d7348dca9119d0e845ce56faa5632655f718624 |
| SHA512 | 74885cae9a07f0e50db723e4a732b42a3597589ec16638da3ae98258f147b35a329522ee830116c010d775a59360d86427bf5a18c78e58e3d38687459b541943 |
memory/4820-237-0x0000000002700000-0x0000000002701000-memory.dmp
memory/2704-235-0x0000000000B70000-0x0000000000CBA000-memory.dmp
memory/4992-239-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/1876-240-0x00007FFB7D2B0000-0x00007FFB7D2B1000-memory.dmp
memory/1188-241-0x0000000077C32000-0x0000000077C33000-memory.dmp
memory/1160-244-0x0000000077C32000-0x0000000077C33000-memory.dmp
memory/1220-249-0x0000000077C32000-0x0000000077C33000-memory.dmp
memory/2108-254-0x0000000077C32000-0x0000000077C33000-memory.dmp
memory/2952-257-0x0000000077C32000-0x0000000077C33000-memory.dmp
memory/828-260-0x0000000077C32000-0x0000000077C33000-memory.dmp
\??\PIPE\RManFUSCallbackNotify32
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
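The Network and Files sections above are usable as hunting indicators. The script below is an added example written for this page, not part of the sandbox output or of any vendor tooling: it takes the SHA-256 values, the domains and IP:port pairs, the GUID-named Roaming drop directory and the RManFUSCallbackNotify32 pipe from the report and checks them against file digests and log lines. Two caveats a practitioner should carry over. First, the pipe entry's digests (d41d8cd9..., e3b0c442...) are the digests of zero bytes, not of the pipe, so the code never treats them as a match. Second, rutserv.exe and rfusclient.exe are the host-side binaries of the Remote Utilities / RMS remote-administration product, so a hit on those two hashes alone is weaker evidence than the RarSFX dropper context, the GUID-named directory, or the TCP 5655 connection to server.rutils.com; the 34.102.136.180:80 traffic to rutils.com is ordinary web traffic and is the weakest indicator here. The log-line formats, the sample lines, the treatment of any other host under rutils.com as a hit, and the assumption that other builds use a different GUID for the drop directory are constructions of this example, not facts from the report.

```python
"""IOC check assembled from the report above (added example, not sandbox output).

Hashes, domains, endpoints, paths and the pipe name are copied from the report.
The log-line formats and the sample lines are constructed for illustration.
"""
import hashlib
import re

# SHA-256 per distinct file in the Files section (repeated drop events collapsed).
REPORT_SHA256 = {
    "ebba93f67e168ed2ea4b57a21e69a283665e934de670423daea6109ade0ac5d7": "winchk32.exe",
    "a4de66b79f1d129e3da059ca93d62cf2f88e08fa06a5c492ca154ee25e321f9b": "winchk32.ldr",
    "09dc0560eee97af80a790c007b83fdea4313ac36f0d76c6548040081cf39bdb1": "winchk32.dat",
    "ff102c6601d2252ed19a1db07f4786813cca2797d404533c33fa0a065ab5a173": "stg.cfg",
    "58a8021190de309a72b4fa75950832a2eb5d6f987a78ea6247942837653aae43": "winchk64.exe",
    "0083b30331124785573cc24a814344cdf1a1c37864306c45c6357a67f9df7279": "winmmon.dll",
    "655edae9bf7f65a6727cad4cd2ca80e19d17ef768a530010971d3323b2769fbf": "winmmon64.dll",
    "b19ecc4669defcfd5d02da742d7348dca9119d0e845ce56faa5632655f718624": "rfusclient.exe",
    "1aed806fc4919d3b8b2ebe1469510f61ac2d95cdf34c51a468fd419c7bd8dc93": "rutserv.exe",
    "cff2de4c828e78febfb2eb8b4780092d395016608b641e126e67e27058415759": "ZPDG.pdf",
}
# Digest of zero bytes: listed for the named pipe entry, meaningless as an indicator.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

REPORT_DOMAINS = {"rutils.com", "server.rutils.com"}
REPORT_ENDPOINTS = {("34.102.136.180", 80), ("209.205.218.178", 5655)}

# Drop directory: the report shows one GUID; assumption: other builds vary it.
DROP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\(?:101\\)?"
    r"(?:winchk32|winchk64|rutserv|rfusclient)\.exe",
    re.IGNORECASE,
)
PIPE_NAME = "rmanfuscallbacknotify32"  # from \??\PIPE\RManFUSCallbackNotify32

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")
QUERY_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")


def digest_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Stream a file through SHA-256 so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(hexdigest: str):
    """Return the report file name for a SHA-256, or None; empty content never matches."""
    d = hexdigest.lower()
    if d == EMPTY_SHA256:
        return None
    return REPORT_SHA256.get(d)


def scan_network_log(lines):
    """Constructed format: 'conn ... dst=IP:PORT ...' and 'dns query=NAME ...'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in REPORT_ENDPOINTS:
            hits.append((n, f"endpoint {m.group(1)}:{m.group(2)}"))
            continue
        m = QUERY_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            # Assumption: any host under rutils.com is worth a look, not only the two seen.
            if name in REPORT_DOMAINS or name.endswith(".rutils.com"):
                hits.append((n, f"domain {name}"))
    return hits


def scan_host_events(lines):
    """Constructed Sysmon-style 'Key=Value' lines; checks Image paths and PipeName."""
    hits = []
    for n, line in enumerate(lines, 1):
        if DROP_DIR_RE.search(line):
            hits.append((n, "RMS component in GUID-named Roaming directory"))
        if PIPE_NAME in line.lower():
            hits.append((n, "RManFUSCallbackNotify32 pipe"))
    return hits


# Constructed sample input; the 203.0.113.10 and example.com lines are benign noise.
SAMPLE_NET_LOG = """\
2022-01-28T21:31:07Z ws01 dns query=server.rutils.com type=A
2022-01-28T21:31:08Z ws01 conn proto=tcp src=10.0.0.15:50214 dst=209.205.218.178:5655 action=allow
2022-01-28T21:31:09Z ws01 conn proto=tcp src=10.0.0.15:50215 dst=203.0.113.10:443 action=allow
2022-01-28T21:31:10Z ws01 dns query=www.example.com type=A
""".splitlines()

SAMPLE_HOST_LOG = r"""
EventID=1 Image=C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe ParentImage=C:\Windows\SysWOW64\cmd.exe
EventID=17 PipeName=\RManFUSCallbackNotify32 Image=C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_NET_LOG) + scan_host_events(SAMPLE_HOST_LOG):
        print(hit)
```

Run it as-is to see the sample hits; for a real host, feed `hash_file` the paths under the user's Roaming directory and pass exported firewall and Sysmon lines to the two scanners, adjusting the regexes to the actual export format.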