HexaPro

64.exe c64.exe service.exe in C:\Windows


These .exe keep showing up in (C:\Windows) on Windows Server 2008 R2 Datacenter even after manual deletion. I think it's a miner; it also creates .xml and .exe in (C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5) and also in (C:\Windows\Fonts\Mysql) that I can't access.


You can submit the files to us for review on immunet.com. If they are found to be malicious, we will write detection for them.

If you can provide the SHAs of the files, I can look at them quicker, though not necessarily.

The problem with most rootkits is that they generally use some sort of advanced encryption method which usually makes 'em hard to detect let alone access & read.

So it wouldn't surprise me if HexaPro was unable to submit any SHA256 or MD5 checksum(s) hash tag(s).

Besides Immunet it never hurts to have an additional on-demand rootkit scanner at your disposal! Speaking of such...

Malwarebytes has a new beta "CMD based on-demand rootkit scanner" available that looks rather promising.

They're also looking for beta testers with (preferably) virtual test rigs for anyone that's into that sort of thing.

As with any beta software please read the legal Disclaimer documentation carefully before use.

Not 100% sure if it's compatible with Server 2008 R2 however. https://www.malwarebytes.com/antirootkit/

On 3/14/2019 at 8:59 AM, HexaPro said:

These .exe keep showing up in (C:\Windows) on Windows Server 2008 R2 Datacenter even after manual deletion. I think it's a miner; it also creates .xml and .exe in (C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5) and also in (C:\Windows\Fonts\Mysql) that I can't access.

You can try to upload the two files on VirusTotal and check the results from different AVs.

https://www.virustotal.com/#/home/upload

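Both replies above ask for file hashes (for the Immunet reviewer, or to look up on VirusTotal). The script below is an added example, not code from the thread or from Immunet: it computes SHA256 for the three files named in the post and lists the two drop directories with their ACLs, using .NET hashing so it also works on the PowerShell 2.0 that ships with Server 2008 R2 (Get-FileHash needs PowerShell 4+). It assumes an elevated prompt; the paths are the ones the poster gave.

```powershell
# Added example (not from the thread). Paths are those named in the post.
$suspects = @(
    'C:\Windows\64.exe',
    'C:\Windows\c64.exe',
    'C:\Windows\service.exe'
)
$dropDirs = @(
    'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5',
    'C:\Windows\Fonts\Mysql'
)

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Open with FileShare.ReadWrite so a file that is currently running/locked can still be hashed.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# 1. Hash the named droppers and record size, timestamp and owner for the report.
foreach ($p in $suspects) {
    if (Test-Path -LiteralPath $p) {
        $fi = Get-Item -LiteralPath $p
        $owner = (Get-Acl -Path $p).Owner
        "{0}`n  sha256={1}`n  size={2} mtime={3} owner={4}" -f $p, (Get-Sha256Hex $p), $fi.Length, $fi.LastWriteTime, $owner
    } else {
        "$p : not present right now (it may be dropped again later)"
    }
}

# 2. The drop folders, including the Fonts\Mysql one the poster could not open:
#    show who holds rights on it, then hash any .exe/.xml inside it.
foreach ($d in $dropDirs) {
    if (-not (Test-Path -LiteralPath $d)) { "$d : missing"; continue }
    "--- $d"
    try   { (Get-Acl -Path $d).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize }
    catch { "ACL not readable: $_" }
    try {
        Get-ChildItem -LiteralPath $d -Force -ErrorAction Stop |
            Where-Object { $_.Extension -match '^\.(exe|xml)$' } |
            ForEach-Object { "{0}  {1}  {2}" -f (Get-Sha256Hex $_.FullName), $_.LastWriteTime, $_.FullName }
    } catch { "Listing failed (a locked-down ACL on the folder shows up here): $_" }
}
```

If the ACL listing fails on C:\Windows\Fonts\Mysql while the rest works, the folder's permissions have been altered, which is itself worth reporting along with the hashes.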
