Malware Analysis Report

2024-11-13 13:29

Sample ID 240604-bcvjnsgd38
Target 02f7524fbcca9e5fb197f47eabc66bbe.bin
SHA256 349838094cda907d089098bfc3a0839a63959b36f40344e4023cec7218acf92e
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

349838094cda907d089098bfc3a0839a63959b36f40344e4023cec7218acf92e

Threat Level: Shows suspicious behavior

The file 02f7524fbcca9e5fb197f47eabc66bbe.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Blocklisted process makes network request

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:00

Reported

2024-06-04 01:03

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI2EFD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI319F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI326D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762b74.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31DF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI322E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI354E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2FA9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3018.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762b74.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762b75.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31AF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI332A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI351E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762b75.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 2072 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
PID 2072 wrote to memory of 1880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
PID 2072 wrote to memory of 1880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
PID 2072 wrote to memory of 1880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
PID 2072 wrote to memory of 1880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
PID 1880 wrote to memory of 8580 N/A C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe
PID 1880 wrote to memory of 8580 N/A C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe
PID 1880 wrote to memory of 8580 N/A C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe
PID 1880 wrote to memory of 8580 N/A C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe

"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 56D042A85CA163DCDF4B71DD20270003

C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe

C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe --send "/status.xml?clid=2382047&uuid=33612107-553F-4635-8D1B-3A86777D534a&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"

Network

Country Destination Domain Proto
US 8.8.8.8:53 clck.yandex.ru udp
RU 87.250.251.14:80 clck.yandex.ru tcp
RU 77.88.21.14:80 clck.yandex.ru tcp
US 8.8.8.8:53 soft.export.yandex.ru udp
RU 87.250.254.20:80 soft.export.yandex.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 43937c99760d32c5bc1133505811d595
SHA1 079ae507971b9c19dd6b4b4379defc3227edf978
SHA256 af7328aabb530a997c5e8dd39b1ba7c6d28ed756bafc7afde1ae894c28cfd806
SHA512 d6b19c9bfc431fba4dc981c09061a00856435736d21485a7d435b9ca132bb752b0cd272eb68f1a30172caf82b371001c626dec08d9a829566ab8a250f92d753f

C:\Users\Admin\AppData\Local\Temp\Cab2760.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2783.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2882.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 91d22caef3a35aeef8fe188753d81045
SHA1 dfa7909588db1519e1ac12d2f67899a31600f5ee
SHA256 8888ef6480c90307d83fb73028dc8486813fc0180b550f9bf218bd4262004378
SHA512 15c96ae72595b791bf9542ceaa94564c0e92fb4ff826e023182498178d2f427f554f2423d35dd508166c3d2189f85262c6597404b5db7e5b3825b385a481ac2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e32a0af9f17970cf28768882cac0bca
SHA1 81a9b6be61cf4b2bd4d46e764b29a0a2759e1337
SHA256 be48465969bb8d323a2f41a619a74955d6c1105cc83c6449ed29f9ad5fbdb595
SHA512 9c81b25ae145b9b27cfe593875441b19703930261716c411d9cad84053cd4522e65fcdf63540093fadfef4aef40cf41fac1fcd8b55d3e2dc5e4a8515e6723db6

\Windows\Installer\MSI2EFD.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSI2FA9.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 281e659e73e029f83f4d70c3a4133593
SHA1 ed83fa8543310d058e038b78285396c534c743d0
SHA256 bb4f08a2684d5c9ea18b14f0febbaeef735aeee8c64c0bef827d8ea961930c25
SHA512 d0b414ba69460b2ed72a1a937bb3f599ee74816ddbb25e5d894530b42005e8f3faf662b237a26aef500f627685e95e4996d4ab5c64e39e4102c22e0f5b99682a

\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 751ba1f9a431ddb7dd5ad2693a642423
SHA1 7952264c1bd9d32a73fb17039662f147fe0cf09b
SHA256 e9ff2ac66c6736f7e1c64aa828f8eb522f73d715a6870ed6a39f77fc858c81fc
SHA512 57cbc62a53b701dd7f86525389fa736f952aa7f7271137bcde86a59012347899e97c86e888d9a879a1e27fe113b860dcf4f9f2820b7e5a19d199fc13c446bbc1

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63a2a353bc83c6dd2b1510139cf5c31c
SHA1 911b47bd9dfd3d65eaf1d8f41b812ba51c79381f
SHA256 38f8a8769a3072589074a2f9443138a5e25d46fe47012dd963dc4d271dcf54a0
SHA512 d13db45dd84205039648240e881ba520d63d800aff0db4d8bfe60fab445663531136fb528ceb94bbdcc9fb4e23c791975b5c33b5dcf131850d32e08ed9f6fb22

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 ef1bcacfb940f4468f819dd0b44d298c
SHA1 6ca4ff20d747a107af37068ff0a302fe61658231
SHA256 1131b135c2e059471bb5157b1ae9785d5b38eb23513e92f8d2aa26a447284414
SHA512 6e8d731762508020de0cb782d8bee7c4b1a80a1ae5bac77aa44c0628ee9c1cea6dd9bc3f1299dc7bd2ebcaca89bf257469905496499981600ad9e0890479cc5a

C:\Config.Msi\f762b76.rbs

MD5 f7d40dbec6cd7402ecb137000a4a868a
SHA1 2ce9c4be14f700ef3dad6e16df5d2a7b769823e6
SHA256 e94ac79cdb19a51c813840dd2576dcf8a0792f04fc416a9a7bae993f66a30872
SHA512 e4c00ea6c057e7859c1e462ca4d73698f2f6b7ba86fdcb27d28cc68dad5490fe5a6b49f316e039d0d21020358e205a9c20e38b595c59a113458cd09626dbe5c5

C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

MD5 cf385fabc0031978c8d675a4b5bc2894
SHA1 20945726e5e71cb937fae380d42e65eaef1d8521
SHA256 a0ea546ddbb9d9e37b653e9b71992328b2b78a58d5581224d3d898f36bf88a81
SHA512 7e55feb248b97edfad6a15499f5720551fe33391291a39b65ac912e41407811503f42b5156f355ff45a0f7d8ea0d5fb1b40a50e44dbc64318cd653f5fdc15b15

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\places.sqlite-20240604010039.037200.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240604010039.271200.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240604010039.271200.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:00

Reported

2024-06-04 01:03

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1ADC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1BC8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1C18.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1CA5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1902.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI19FE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1A8D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1B3B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5816b0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5816b0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1990.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1827.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1A3E.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 4504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4136 wrote to memory of 4504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4136 wrote to memory of 4504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4504 wrote to memory of 2352 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe
PID 4504 wrote to memory of 2352 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe
PID 4504 wrote to memory of 2352 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe
PID 4504 wrote to memory of 1996 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe
PID 4504 wrote to memory of 1996 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe
PID 4504 wrote to memory of 1996 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe
PID 1996 wrote to memory of 6248 N/A C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe
PID 1996 wrote to memory of 6248 N/A C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe
PID 1996 wrote to memory of 6248 N/A C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe

"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 13D396AAD6C5018467648A3BFC7E0133

C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe

C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe --send "/status.xml?clid=2382047&uuid=58e02dc9-3ebe-4afc-95ae-02113ed8679e&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 clck.yandex.ru udp
RU 77.88.21.14:80 clck.yandex.ru tcp
US 8.8.8.8:53 14.21.88.77.in-addr.arpa udp
US 8.8.8.8:53 soft.export.yandex.ru udp
RU 93.158.134.14:80 clck.yandex.ru tcp
RU 87.250.254.20:80 soft.export.yandex.ru tcp
US 8.8.8.8:53 14.134.158.93.in-addr.arpa udp
US 8.8.8.8:53 20.254.250.87.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 43937c99760d32c5bc1133505811d595
SHA1 079ae507971b9c19dd6b4b4379defc3227edf978
SHA256 af7328aabb530a997c5e8dd39b1ba7c6d28ed756bafc7afde1ae894c28cfd806
SHA512 d6b19c9bfc431fba4dc981c09061a00856435736d21485a7d435b9ca132bb752b0cd272eb68f1a30172caf82b371001c626dec08d9a829566ab8a250f92d753f

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 5087cf6d27cd1d262c9d7026d99570a4
SHA1 f5939eef20513cf63d86c6b9c0f77b7f2c37db5b
SHA256 c2819e8b353a44047aba048d2ed6d004fc5fa7d107055c96e83038690a4c8597
SHA512 4f650a6aadaf6d090bdff9e7d21a868365505dabc41de28afe18c651ebc9d5cb391d8f76b51416a4a42d50f5d28a3c0c46eae5c2c549ba3f6f676b3e18b40c3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 26c0bbd19631c66b3462943385c2d590
SHA1 294b3b59a34d9f12655f4c6582042ddf0a0c4ab5
SHA256 b5ad09be1935bcd6ea92903252458d36a437d558bd958298c3bb9f4b45e95d03
SHA512 3fdcc2124c26da841925091869110b7a4610f2580bcd77c320bd8e96105d100c87d50b850669b524971b080d4eb3178b5ffa2bf851bc3e185059252c46b69b79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 923e6cc53e302c56adbcc7e64f538c49
SHA1 82a77bc69abe3a198ae951c53987c215e8016091
SHA256 5b28449d7d0288da7d026d87482404d0d75f0e84e01a51c8d3ba1143b45d680b
SHA512 d8672572b332a4de2139c028d349529a6e5e8801d9d9316a089c0091dea6de55feef423d9f3770fb6c38938439f4dee2114500491ddba125ae5f00afb03031a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 17c39322c6b0ea6ec6b2a3ccee05b3e0
SHA1 f9048f67f15595e6eb9b38ab3aa7ec373d350bc9
SHA256 d1b45b42156a70fe4dbfdf64a3aec54f064ef9daec17a92be7ad87ab457ab4f8
SHA512 a84253f51e5776daaf479598e99caa9084c887c939515a55581cb479c06abdac958cd8949f3a0ffb454b908d2befbdd0f3c283b27afc03a316551135110185a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 5f8854a0897fb754b531571e19cc07fd
SHA1 c6459441361335dbabd58ce8b774f2c621514ad8
SHA256 ac3d7128235e7aad8c9bb130ad69b546da3973721e8120fc2c7ff3011c364c58
SHA512 5a09cba998b8784de3ad9b8118db84968d1428ee5a9157d19d48e2b6bf219dfe5b3fc95bc67d3f32be953ec0d7702c304a8908e04b2c28af4471edf1546464d7

C:\Windows\Installer\MSI1827.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSI1902.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 281e659e73e029f83f4d70c3a4133593
SHA1 ed83fa8543310d058e038b78285396c534c743d0
SHA256 bb4f08a2684d5c9ea18b14f0febbaeef735aeee8c64c0bef827d8ea961930c25
SHA512 d0b414ba69460b2ed72a1a937bb3f599ee74816ddbb25e5d894530b42005e8f3faf662b237a26aef500f627685e95e4996d4ab5c64e39e4102c22e0f5b99682a

C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 751ba1f9a431ddb7dd5ad2693a642423
SHA1 7952264c1bd9d32a73fb17039662f147fe0cf09b
SHA256 e9ff2ac66c6736f7e1c64aa828f8eb522f73d715a6870ed6a39f77fc858c81fc
SHA512 57cbc62a53b701dd7f86525389fa736f952aa7f7271137bcde86a59012347899e97c86e888d9a879a1e27fe113b860dcf4f9f2820b7e5a19d199fc13c446bbc1

C:\Config.Msi\e5816b1.rbs

MD5 a35c70c22e6dee45fd6dda010bdffa47
SHA1 0584d1072758f4079da8711f14126f2565af1120
SHA256 06832d5c941f85c638b497732ccf0b0948ddaf5d72c9ae96ed64c606e8bda224
SHA512 2b6c3f33f5a959e4a0e35f6d6365cb8922881ef8f4cc80cf5104aa963ac2a0d6d715981e0092da86d0ac1faeb679e1494a43c045aa20b26a70a75a5ce72ea11f

C:\Users\Admin\AppData\Local\Temp\omnija-20240004.zip

MD5 dc5128fcb8d7f6b849f1166532db2dc8
SHA1 8427501d440d5edbbb2662294bc5650d2bc8aab5
SHA256 36e682f419c2b5d8e7c285d36088b56d59df3869dbd181943280696d4ca391ca
SHA512 bcf0d463ed4f01a313b8e6be745ad55b42108be84cc5850c411dec19aa7c6d996782da49fc208559f1188941bdd1082d954cfa316f08c0ad2efcf0662952e524

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\places.sqlite-20240604010041.025921.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240604010041.104056.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240604010041.104056.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 737dc0fb23bd24be3bdfece43877d2d1
SHA1 65d2c6fa8af7d6ddb14a97ef6ebd59e88f1d8fd1
SHA256 507c01ac3f5e0bec05599eb0e1c89a00182fe6281340bab01788bcdb44d01f9d
SHA512 e1910e39ba0b923513132fd133b04bf201a5b839f27533365d9d82393280bd286236d0d28aa04fd1e106094d528540c1728fcc0c610f6d081778245587187ffa