Graftor.560443 removal instruction

Malware Removal

Graftor.560443 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the Graftor.560443 virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • A process attempted to delay the analysis task
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Executed a command line with /V argument which modifies variable behaviour and whitespace allowing for increased obfuscation options
  • A HTTP/S link was seen in a script or command line
  • Executed a very long command line or script command which may be indicative of chained commands or obfuscation
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Steals private information from local Internet browsers
  • Detects VirtualBox through the presence of a device
  • Attempts to modify proxy settings
  • Appears to use command line obfuscation
  • Collects information to fingerprint the system
  • Uses suspicious command line tools or Windows utilities

Related domains:

wpad.local-net
repository.certum.pl
ssoapm.com
ssoextension.com
insthrm.com

How to identify Graftor.560443?

File Info:

name: 6F29203E33667AF967D0.mlw
path: /opt/CAPEv2/storage/binaries/23238f556035afbdbba409bd9a3ddb2157d6be74b2161d176f99e62612ae9842
crc32: 7CC64BC3
md5: 6f29203e33667af967d0c41987680601
sha1: 407296c3108d144dd08aaf61733eeabf1cadb56e
sha256: 23238f556035afbdbba409bd9a3ddb2157d6be74b2161d176f99e62612ae9842
sha512: 511eedba6698ec50f7421258dd04c079063288c38a39cb5eb0ad0de11b53ff002a9d5a3d6d78fc1a9b3c4db2317224266247b914c56744092764768e6edf62c3
ssdeep: 49152:fOQdPY70EgLtaOPpH48QFchCJdwNQkC5:fOQJDHJPptQFch8wNQk4
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1559533149FD29CF6FCEF14F926F962A0F2B5FF1C42183E4B23A909541ED964E994A01C
sha3_384: 3778443d99df5f355e11216ac3d19b12ff41c665e1aee57f495489cb5ef1445dc8448d7df2af4026c3768f5e3bcc9439
ep_bytes: 81ec8001000053555633db57895c2418
timestamp: 2009-12-05 22:50:52

Version Info:

CompanyName: CeresProd Co.
FileDescription: CeresProd
FileVersion: 2.0.9.1
LegalCopyright: CeresProd Co. 2018
ProductName: CeresProd
ProductVersion: 2.0.9.1
Publisher: CeresProd Co.
Translation: 0x0000 0x04e4

Graftor.560443 is also known as:

Lionic: Adware.Win32.DManager.2!c
DrWeb: Adware.Searcher.3308
MicroWorld-eScan: Gen:Variant.Graftor.560443
FireEye: Gen:Variant.Graftor.560443
McAfee: Artemis!6F29203E3366
Malwarebytes: Malware.AI.4211947320
K7AntiVirus: Riskware ( 0040eff71 )
K7GW: Adware ( 005575651 )
Cybereason: malicious.e33667
BitDefenderTheta: Gen:NN.ZedlaF.34294.bC9@ay5lnIsi
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: multiple detections
Paloalto: generic.ml
Kaspersky: not-a-virus:HEUR:AdWare.Win32.DManager.gen
BitDefender: Gen:Variant.Graftor.560443
Avast: Win32:AdwareX-gen [Adw]
Rising: Malware.Heuristic!ET#99% (RDMK:cmRtazouL/wv9BoHCZ3y+AA7yLjW)
Emsisoft: Gen:Variant.Graftor.560443 (B)
McAfee-GW-Edition: Trojan-FQJJ!F659D3B7A0A2
Sophos: Mal/Generic-S
Avira: HEUR/AGEN.1109107
Antiy-AVL: Trojan/Generic.ASMalwS.2C53731
Microsoft: Trojan:Win32/Wacatac.A!ml
GData: Gen:Variant.Application.BitCoinMiner.IdleBuddy.2
Cynet: Malicious (score: 99)
VBA32: Adware.OpenDownloadManager
ALYac: Gen:Variant.Application.BitCoinMiner.IdleBuddy.2
MAX: malware (ai score=84)
Tencent: Win32.Trojan.Falsesign.Wqdl
Yandex: Trojan.GenAsa!DXk+Uj4t9XI
SentinelOne: Static AI – Suspicious PE
eGambit: Unsafe.AI_Score_99%
Webroot: W32.Adware.Gen
AVG: Win32:AdwareX-gen [Adw]
CrowdStrike: win/malicious_confidence_80% (D)

How to remove Graftor.560443?

Graftor.560443 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.