Adware.Browster

By CagedTech in Adware

Threat Scorecard

Popularity Rank: 516
Threat Level: 20 % (Normal)
Infected Computers: 2,500
First Seen: February 2, 2026
Last Seen: July 1, 2026
OS(es) Affected: Windows

File System Details

Adware.Browster may create the following file(s):
#   File Name     MD5                               Detections
1.  chrmstp.exe   7f4c027aa429849884ade9394c75563b  1,158

Directories

Adware.Browster may create the following directory or directories:

Analysis Report

General information

Family Name: Adware.Browster
Signature status: Self Signed

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Igor Pavlov
  • Let's Compress
File Description
  • 7-Zip Console
  • Let's Compress Installer
  • updater 1.4.0.0
  • updater 1.4.1.0
File Version
  • 22.01
  • 1.4.1.0
  • 1.4.0.0
Internal Name
  • 7z
  • Let's Compress
  • updater
Legal Copyright
  • Copyright (c) 1999-2022 Igor Pavlov
  • Copyright (C) 2024 Let's Compress
  • Copyright (C) 2025 Let's Compress
Original File Name
  • Let's Compress.exe
  • updater.exe
Original Filename
  • 7z.exe
Product Name
  • 7-Zip
  • Let's Compress
Product Version
  • 22.01
  • 1.4.1.0
  • 1.4.0.0

Digital Signatures

Signer                                 Root                                        Status
UTILITY ACCESS (SMC-PRIVATE) LIMITED   GlobalSign GCC R45 EV CodeSigning CA 2020   Self Signed

Block Information

Total Blocks: 2,581
Potentially Malicious Blocks: 66
Whitelisted Blocks: 2,229
Unknown Blocks: 286

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
\device\namedpipe\pshost.134259542222196047.4356.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_eckdml3c.rnp.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_x44h5bxq.eg0.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\decrypt.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\handler.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\handler1.ps1 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe [binary data] RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4efc31460c619ecae59c1bce2c008036d94c84b8::blob [binary certificate blob; readable fragment: "GlobalSign Code Signing Root R45"] RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask [binary data] RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask [binary data] RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask [binary data] RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask [binary data] RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe [binary data] RegNtPreCreateKey
HKCU\software\microsoft\ctf\msutb::left RegNtPreCreateKey
HKCU\software\microsoft\ctf\msutb::top RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 [binary data] RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletion
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResetWriteWatch
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • accept
  • bind
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • getpeername
  • getsockname
  • recv
  • send
  • setsockopt
  • socket
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Process Terminate
  • TerminateProcess

Shell Command Execution

powershell -ExecutionPolicy Bypass -File "C:\Users\Mpkjpbgo\AppData\Local\Temp\\handler.ps1"
WriteConsole: Get-CimInstance
WriteConsole:
WriteConsole: loaded. For more
WriteConsole: At C:\Users\Mpkj
WriteConsole: + $machineGuid =
WriteConsole: +
WriteConsole: + CategoryIn
WriteConsole: + FullyQuali
WriteConsole:
WriteConsole: Exception callin
WriteConsole: Parameter name:
WriteConsole: + $hashBytes = $
WriteConsole: + ~~~~~~~~~~~~~~
WriteConsole: + $truncatedHash
WriteConsole: You cannot call
WriteConsole: + $shortValue =
WriteConsole: closed unexpecte
WriteConsole: + $cli.DownloadF
c:\users\user\downloads/util/7z.exe x "C:\Users\Mpkjpbgo\AppData\Local\Temp\\decrypt.zip" -p123456 -y
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Mpkjpbgo\AppData\Local\Temp\\handler1.ps1"
