General Info

File name

Win32.Bootkit.Lkf.rar

Full analysis
https://app.any.run/tasks/2d4b5831-1abe-4d43-a43c-f335002c68f7
Verdict
Malicious activity
Analysis date
14/01/2022, 22:13:24
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

d33b2978f7f889dbf082ca25a35c1397

SHA1

e928a8a00aa7928c89d1344de9e7a3ed101b012f

SHA256

1f86982e8a7b4a58d5fd57278bc198d6b39e04ca95282bffaba11c24eb89cbda

SSDEEP

12288:Ej8udgCq9BEL+11eFTlBI1kzk42XEWzqQV+N6iLshO6aXS8OX:nuWCq9Bn1OI1k16VzqQYMhO6aXHa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

Severity categories: MALICIOUS / SUSPICIOUS / INFO
Application was dropped or rewritten from another process
  • nc.exe (PID: 3120)
  • WinFlash.exe (PID: 2752)
Checks supported languages
  • WinRAR.exe (PID: 2164)
  • nc.exe (PID: 3120)
  • WinFlash.exe (PID: 2752)
Reads the computer name
  • WinRAR.exe (PID: 2164)
  • WinFlash.exe (PID: 2752)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2164)
Executes application which crashes
  • WinRAR.exe (PID: 2164)
Drops a file with a compile date too recent
  • WinRAR.exe (PID: 2164)
Drops a file that was compiled in debug mode
  • WinRAR.exe (PID: 2164)
Reads default file associations for system extensions
  • WinRAR.exe (PID: 2164)
  • WinFlash.exe (PID: 2752)
Drops a file with too old compile date
  • WinRAR.exe (PID: 2164)
Checks supported languages
  • ntvdm.exe (PID: 2332)
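Three of the signatures above ("Drops a file with a compile date too recent", "... too old", "Drops a file that was compiled in debug mode") are plain header plausibility checks on the dropped PE files, not behavioural observations. The following is an added example of how such checks are implemented; it is not ANY.RUN's signature code. It reads the COFF TimeDateStamp and the debug data directory straight from the PE headers and scans the raw file for debug-CRT import names. The thresholds (TOO_OLD, RECENT_WINDOW) are assumptions for this example, and the test images produced by build_minimal_pe() are constructed, header-only files rather than anything from the archive.

```python
"""Compile-timestamp and debug-build triage behind sandbox signatures such as
"compile date too recent / too old" and "compiled in debug mode".

Added example, not ANY.RUN code. Thresholds and test images are constructed here.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
TOO_OLD = datetime(2000, 1, 1, tzinfo=timezone.utc)   # assumed cut-off
RECENT_WINDOW = timedelta(days=1)                      # assumed window

# Debug builds of the MSVC CRT link against the "D" variants (MSVCR90D.dll,
# VCRUNTIME140D.dll, ...) or ucrtbased.dll; release builds never import these.
DEBUG_CRT = re.compile(rb"(?:msvcr\d+d|vcruntime\d+d|msvcp\d+d|ucrtbased)\.dll", re.I)


def parse_pe_headers(data: bytes) -> dict:
    """Return machine, TimeDateStamp and whether a debug data directory is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    has_debug_dir = False
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG
    if ndirs > IMAGE_DIRECTORY_ENTRY_DEBUG and opt_size >= entry + 8:
        rva, size = struct.unpack_from("<II", data, opt + entry)
        has_debug_dir = rva != 0 and size != 0
    return {"machine": machine, "timestamp": stamp,
            "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "has_debug_dir": has_debug_dir}


def triage(data: bytes, now: datetime) -> dict:
    """Apply the plausibility rules; 'hits' lists the signature names that fire."""
    info = parse_pe_headers(data)
    hits = []
    # A stamp after (or within RECENT_WINDOW of) the analysis time means the file
    # was built just before delivery, or the stamp was forged.
    if info["compiled_utc"] > now - RECENT_WINDOW:
        hits.append("compile date too recent")
    # A stamp of 0 or a 1990s date on a freshly dropped file is equally implausible.
    # Caveat: reproducible builds (MSVC /Brepro) store a hash here, not a time.
    if info["compiled_utc"] < TOO_OLD:
        hits.append("compile date too old")
    # Nearly every release build also carries a CodeView debug directory (PDB path),
    # so the directory alone is weak evidence; a debug-CRT import is decisive.
    debug_crt = [m.group(0).decode() for m in DEBUG_CRT.finditer(data)]
    if debug_crt:
        hits.append("compiled in debug mode")
    info.update(hits=hits, debug_crt_imports=debug_crt)
    return info


def build_minimal_pe(timestamp: int, debug_dir: bool, tail: bytes = b"") -> bytes:
    """Construct a header-only PE32 image for testing (constructed, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(224)                                     # PE32 header, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if debug_dir:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, 0x1C)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


ANALYSIS_TIME = datetime(2022, 1, 14, 22, 13, 24, tzinfo=timezone.utc)  # report's analysis date
ANALYSIS_EPOCH = int(ANALYSIS_TIME.timestamp())

if __name__ == "__main__":
    samples = [
        ("fresh debug build", build_minimal_pe(ANALYSIS_EPOCH + 7200, True, b"\0ucrtbased.dll\0")),
        ("stamp 0", build_minimal_pe(0, False)),
        ("2020 release", build_minimal_pe(1_600_000_000, False)),
    ]
    for name, img in samples:
        r = triage(img, ANALYSIS_TIME)
        print(f"{name:18} {r['compiled_utc']:%Y-%m-%d} debug_dir={r['has_debug_dir']} hits={r['hits']}")
```

Run against a real dropped file, the same rules apply to `open(path, "rb").read()`; on a packed sample the debug-CRT scan can miss because the import names are compressed, which is exactly why the sandbox also flags the weaker header evidence.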


Static information

TRiD
.rar
|   RAR compressed archive (v5.0) (61.5%)
.rar
|   RAR compressed archive (gen) (38.4%)


Processes

Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

winrar.exe (PID 2164)
  |-- drop and start --> nc.exe (PID 3120)        no specs
  |-- start ----------> ntvdm.exe (PID 2332)     no specs
  '-- drop and start --> winflash.exe (PID 2752)  no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2164
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win32.Bootkit.Lkf.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\imageres.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\apphelp.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\slc.dll
c:\windows\system32\shell32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\riched20.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\winsta.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\mpr.dll
c:\windows\system32\dui70.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\winmm.dll
c:\windows\system32\drprov.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\acppage.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\rar$exa2164.7153\lkfbiosrootkit\????\nc.exe
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\ntvdm.exe
c:\users\admin\appdata\local\temp\rar$exa2164.8034\lkfbiosrootkit\????\winflash\winflash.exe

PID
3120
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: console Ctrl-C / close termination, which is what the "Executes application which crashes" signature keys on here, not an access violation)
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\wsock32.dll
c:\users\admin\appdata\local\temp\rar$exa2164.7153\lkfbiosrootkit\????\nc.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll

PID
2332
CMD
"C:\Windows\system32\ntvdm.exe" -i1
Path
C:\Windows\system32\ntvdm.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
NTVDM.EXE
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntvdm.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\vdmredir.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sfc.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntvdmd.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll

PID
2752
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Phoenix Technologies Ltd.
Description
WinFlash MFC ????
Version
1.74
Modules
Image
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\winspool.drv
c:\windows\system32\devobj.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\imageres.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\slc.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\appdata\local\temp\rar$exa2164.8034\lkfbiosrootkit\????\winflash\winflash.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\webio.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
2612
Read events
0
Write events
52
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2164
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
2
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Win32.Bootkit.Lkf.rar
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2164
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@C:\Windows\System32\acppage.dll,-6002
Windows Batch File
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2164
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
02000000010000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlgLegacy
TV_TopViewID
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlgLegacy
TV_FolderType
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlgLegacy
TV_TopViewVersion
0
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\SYS
0
14001F4225481E03947BC34DB131E946B44C8DD5740000001A00EEBBFE23000010007DB10D7BD29C934A973346CC89022E7C00002A0000000000EFBE000000200000000000000000000000000000000000000000000000000100000020002A0000001900EFBE7E47B3FBE4C93B4BA2BAD3F5D3CD46F98207BA827A5B6945B5D7EC83085F08CC2000780300007203811914104803200000004840000000000000000000000000000000000000000000000000000000006F0000003153505330F125B7EF471A10A5F102608C9EEBAC2D0000000A000000001F0000000D000000570069006E0046006C006100730068002E0053005900530000000000150000000C00000000150000000000000000000000110000000D000000001300000080000000000000005C02000031535053A66A63283D95D211B5D600C04FD918D01100000019000000001300000077014840E5010000200000000011100000D101000014001F50E04FD020EA3A6910A2D808002B30309D19002F433A5C000000000000000000000000000000000000007400310000000000454B314E1100557365727300600008000400EFBEEE3AA314454B314E2A0000005A01000000000100000000000000000036000000000055007300650072007300000040007300680065006C006C00330032002E0064006C006C002C002D0032003100380031003300000014004C003100000000001C4D9960100061646D696E00380008000400EFBE454B804A1C4D99602A0000002D000000000004000000000000000000000000000000610064006D0069006E00000014008000310000000000E15269711100444F43554D457E310000680008000400EFBE454B814AE15269712A0000007A0100000000020000000000000000003E000000000044006F00630075006D0065006E0074007300000040007300680065006C006C00330032002E0064006C006C002C002D003200310037003700300000001800620032000000000000000000800057696E466C6173682E5359530000460008000400EFBE00000000000000002A00000000000000000000000000000000000000000000000000570069006E0046006C006100730068002E0053005900530000001C0000000000002D00000018000000001F0000000D000000570069006E0046006C006100730068002E00530059005300000000001D0000000B000000001F000000050000002E005300590053000000000000000000790000003153505340E83E1E2BBC6C4782372ACD1A839B225D00000008000000001F0000002600000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F00630075006D0065006E00740073005C00570069006E0046006C006100730068002E005300590053000000000000000000000000000000
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
2
570069006E0046006C006100730068002E00650078006500000014001F4225481E03947BC34DB131E946B44C8DD5740000001A00EEBBFE23000010007DB10D7BD29C934A973346CC89022E7C00002A0000000000EFBE000000200000000000000000000000000000000000000000000000000100000020002A0000001900EFBE7E47B3FBE4C93B4BA2BAD3F5D3CD46F98207BA827A5B6945B5D7EC83085F08CC20000000
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Mode
4
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\SYS
MRUListEx
00000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
4
570069006E0046006C006100730068002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AA010000D500000056030000DF01000000000000000000000000000000000000000000000000000000000000000000000100000000000000
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
1
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
IconSize
16
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\BIOSFLASH
RtnStatus
7
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000EE00000030F125B7EF471A10A5F102608C9EEBAC0E0000006900000030F125B7EF471A10A5F102608C9EEBAC040000006900000030F125B7EF471A10A5F102608C9EEBAC0C00000046000000
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
7
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
MRUListEx
0400000000000000030000000200000001000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Sort
000000000000000000000000000000000200000030F125B7EF471A10A5F102608C9EEBAC0A0000000100000030F125B7EF471A10A5F102608C9EEBAC0E000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
LogicalViewMode
1
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
MRUListEx
020000000100000000000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
MRUListEx
0700000006000000050000000400000003000000020000000100000000000000FFFFFFFF
2752
WinFlash.exe
write
HKEY_CURRENT_USER\Software\BIOSFLASH
RtnMessage
�����޷��ҵ������ļ� WinFlash.sys��

Files activity

Executable files
21
Suspicious files
0
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\nc.exe
executable
MD5: f3110e27f8ccf98121129339c612f493
SHA256: 21e7fc81c94d79bbea6bbed73fba2e4ce0ba14574b29efed8c54c3ffb370cf60
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.exe
executable
MD5: 84454fc28b3c92e89e4280c88ac6b600
SHA256: b1922c08b82056fea96db3f1e4a3ebfab6c80866f1b72fa939916e88b245e7b7
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\bios.exe
executable
MD5: d065e69c05a32f198674b9df45916404
SHA256: f3100217370fdaf0d403fe2a5424a9a66d38b908cb6abcb8bb8f04708409916f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\link.exe
executable
MD5: 706e1856d28b963911306168c4744844
SHA256: 2b5236e3f6198a5c4cebec02178786cdcea423f9b6b9823d538a1838e65f045c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\ML.EXE
executable
MD5: 0a05c3eae7888a2f01330862eeea7efd
SHA256: 94595b9ccc09dbcaf6b877aa11a35576f78de2ab0eb39546abfde430b79dce2f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.sys
executable
MD5: fd5b87cd55134bf3545116dbbd45be88
SHA256: d35deec936108f0fbc9926f56cc8b92027cf1d867b1b446bb006877002be8607
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\romtools.exe
executable
MD5: 567b5d7f12481ce7f1dff2d52eb6ffd7
SHA256: 315bb1e2ec52f333dc018fa5bce58e4fe7d116001704976f81292ee976a06b9c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\WinFlash\WinFlash.sys
executable
MD5: fd5b87cd55134bf3545116dbbd45be88
SHA256: d35deec936108f0fbc9926f56cc8b92027cf1d867b1b446bb006877002be8607
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\ML.EXE
executable
MD5: 0a05c3eae7888a2f01330862eeea7efd
SHA256: 94595b9ccc09dbcaf6b877aa11a35576f78de2ab0eb39546abfde430b79dce2f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\WinFlash\WinFlash.exe
executable
MD5: 84454fc28b3c92e89e4280c88ac6b600
SHA256: b1922c08b82056fea96db3f1e4a3ebfab6c80866f1b72fa939916e88b245e7b7
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\nc.exe
executable
MD5: f3110e27f8ccf98121129339c612f493
SHA256: 21e7fc81c94d79bbea6bbed73fba2e4ce0ba14574b29efed8c54c3ffb370cf60
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\bios.exe
executable
MD5: d065e69c05a32f198674b9df45916404
SHA256: f3100217370fdaf0d403fe2a5424a9a66d38b908cb6abcb8bb8f04708409916f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\link.exe
executable
MD5: 706e1856d28b963911306168c4744844
SHA256: 2b5236e3f6198a5c4cebec02178786cdcea423f9b6b9823d538a1838e65f045c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\romtools.exe
executable
MD5: 567b5d7f12481ce7f1dff2d52eb6ffd7
SHA256: 315bb1e2ec52f333dc018fa5bce58e4fe7d116001704976f81292ee976a06b9c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\WinFlash\WinFlash.sys
executable
MD5: fd5b87cd55134bf3545116dbbd45be88
SHA256: d35deec936108f0fbc9926f56cc8b92027cf1d867b1b446bb006877002be8607
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\WinFlash\WinFlash.exe
executable
MD5: 84454fc28b3c92e89e4280c88ac6b600
SHA256: b1922c08b82056fea96db3f1e4a3ebfab6c80866f1b72fa939916e88b245e7b7
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe
executable
MD5: f3110e27f8ccf98121129339c612f493
SHA256: 21e7fc81c94d79bbea6bbed73fba2e4ce0ba14574b29efed8c54c3ffb370cf60
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\romtools.exe
executable
MD5: 567b5d7f12481ce7f1dff2d52eb6ffd7
SHA256: 315bb1e2ec52f333dc018fa5bce58e4fe7d116001704976f81292ee976a06b9c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\bios.exe
executable
MD5: d065e69c05a32f198674b9df45916404
SHA256: f3100217370fdaf0d403fe2a5424a9a66d38b908cb6abcb8bb8f04708409916f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\ML.EXE
executable
MD5: 0a05c3eae7888a2f01330862eeea7efd
SHA256: 94595b9ccc09dbcaf6b877aa11a35576f78de2ab0eb39546abfde430b79dce2f
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\link.exe
executable
MD5: 706e1856d28b963911306168c4744844
SHA256: 2b5236e3f6198a5c4cebec02178786cdcea423f9b6b9823d538a1838e65f045c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????.txt
text
MD5: 567a30ae576ff45e5b98dd5cdb3a7e9f
SHA256: b3a415503032ab7b14c36bb07dab52fcfb1ff4a5325f5eb37b819e8b0606fa93
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\????.txt
text
MD5: a76e31219e754c557966d7084df8dfe9
SHA256: 95f5ee1c7cb73a799f81a003e8394ec157a30e8e240eb1dffcc526e79a899a4e
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\??.bat
text
MD5: d9d8ca1f6d2e7235ff6891770ca879cd
SHA256: 21282096ac83cd667d08dbea96a01e5b47fd9c13e9edf8d84bd0dda20863fa77
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\??.txt
text
MD5: b126410267f9b837dd776ee8a3ca0226
SHA256: 8aad585bdb0b1d74c0c1f08042d6b72b4a61d6d0aba61c07276eefbaf2b5e48d
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\ML.ERR
text
MD5: 6383413e54eb693e5bd1488422f925b9
SHA256: 092755d3a488767da3de277c141be7c8144110a156cdbd8ae1391eba64697cee
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\test.ASM
text
MD5: a95d85e703a68b488d568da7b91c4f4c
SHA256: 667df48fb65d04f0e7218ed7fe1e7715719ee91835b8b747fc53c3962424bb99
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\Source\cmd.bat
text
MD5: 45e0edaca8702e6e90d1d98cf3647d5f
SHA256: 7371f071a9a4e653a5afd134bce9c735ef74b0421d6988958e5c6d8a34feaa3b
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\??.txt
text
MD5: b126410267f9b837dd776ee8a3ca0226
SHA256: 8aad585bdb0b1d74c0c1f08042d6b72b4a61d6d0aba61c07276eefbaf2b5e48d
2332
ntvdm.exe
C:\Users\admin\AppData\Local\Temp\scs630C.tmp
text
MD5: 8cf6ddb5aa59b49f34b967cd46f013b6
SHA256: ee06792197c3e025b84860a72460eaf628c66637685f8c52c5a08a9cc35d376c
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\????.txt
text
MD5: a76e31219e754c557966d7084df8dfe9
SHA256: 95f5ee1c7cb73a799f81a003e8394ec157a30e8e240eb1dffcc526e79a899a4e
2332
ntvdm.exe
C:\Users\admin\AppData\Local\Temp\scs631D.tmp
text
MD5: 4c361dea398f7aeef49953bdc0ab4a9b
SHA256: 06d61c23e6ca59b9ddad1796eccc42c032cd8f6f424af6cfee5d085d36ff7dfd
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????.txt
text
MD5: 567a30ae576ff45e5b98dd5cdb3a7e9f
SHA256: b3a415503032ab7b14c36bb07dab52fcfb1ff4a5325f5eb37b819e8b0606fa93
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\test.ASM
text
MD5: a95d85e703a68b488d568da7b91c4f4c
SHA256: 667df48fb65d04f0e7218ed7fe1e7715719ee91835b8b747fc53c3962424bb99
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\ML.ERR
text
MD5: 6383413e54eb693e5bd1488422f925b9
SHA256: 092755d3a488767da3de277c141be7c8144110a156cdbd8ae1391eba64697cee
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????.txt
text
MD5: 567a30ae576ff45e5b98dd5cdb3a7e9f
SHA256: b3a415503032ab7b14c36bb07dab52fcfb1ff4a5325f5eb37b819e8b0606fa93
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\cmd.bat
text
MD5: 45e0edaca8702e6e90d1d98cf3647d5f
SHA256: 7371f071a9a4e653a5afd134bce9c735ef74b0421d6988958e5c6d8a34feaa3b
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\??.bat
text
MD5: d9d8ca1f6d2e7235ff6891770ca879cd
SHA256: 21282096ac83cd667d08dbea96a01e5b47fd9c13e9edf8d84bd0dda20863fa77
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\????.txt
text
MD5: a76e31219e754c557966d7084df8dfe9
SHA256: 95f5ee1c7cb73a799f81a003e8394ec157a30e8e240eb1dffcc526e79a899a4e
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\??.txt
text
MD5: b126410267f9b837dd776ee8a3ca0226
SHA256: 8aad585bdb0b1d74c0c1f08042d6b72b4a61d6d0aba61c07276eefbaf2b5e48d
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\??.bat
text
MD5: d9d8ca1f6d2e7235ff6891770ca879cd
SHA256: 21282096ac83cd667d08dbea96a01e5b47fd9c13e9edf8d84bd0dda20863fa77
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\ML.ERR
text
MD5: 6383413e54eb693e5bd1488422f925b9
SHA256: 092755d3a488767da3de277c141be7c8144110a156cdbd8ae1391eba64697cee
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\test.ASM
text
MD5: a95d85e703a68b488d568da7b91c4f4c
SHA256: 667df48fb65d04f0e7218ed7fe1e7715719ee91835b8b747fc53c3962424bb99
2164
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\cmd.bat
text
MD5: 45e0edaca8702e6e90d1d98cf3647d5f
SHA256: 7371f071a9a4e653a5afd134bce9c735ef74b0421d6988958e5c6d8a34feaa3b

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.