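Technical Information
The entries below record the sample's observed behaviour: autorun and Microsoft Defender exclusion registry values, firewall and process-termination commands, window classes it searches for, files it creates and runs, and its network activity. The '#' characters in host names and IP addresses appear to be masking applied by the publisher, so those entries are partial indicators rather than exact values.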
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ColdPine' = '"%WINDIR%\rss\csrss.exe"'
- %APPDATA%\microsoft\windows\start menu\programs\startup\skzqitwjjc.url
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\rss' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\csrss' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%APPDATA%\ColdPine' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\windefender.exe' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\wup' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '<DRIVERS>' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'csrss.exe' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'windefender.exe' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'BYgAfsB8fNSVOmflTS96R_Lo.exe' = '00000000'
- '%WINDIR%\syswow64\taskkill.exe' /im "CsiXsmCM8zgl8QyzoydnnAGf.exe" /f
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes
- '%WINDIR%\syswow64\taskkill.exe' /f /im chrome.exe
- _tukslr1k77x37pahilmbkym.exe
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: 'RegmonClass', WindowName: ''
- %HOMEPATH%\documents\ajb76a7bfinjvtwulzm7fj8f.exe
- %TEMP%\7zipsfx.000\s
- %HOMEPATH%\documents\3kbsczk7lrkx5sfq_yuej9xp.exe
- %HOMEPATH%\documents\fzfmbmyi7nyvefhov4mavctc.exe
- %HOMEPATH%\documents\qwhx4zfsngaiqj0wpgqqbaia.exe
- %HOMEPATH%\documents\b7ghlx8iqa1wkbzpe_3h7vd7.exe
- %HOMEPATH%\documents\hriij9ooc8lowqkmg65buwsv.exe
- %HOMEPATH%\documents\bygafsb8fnsvomflts96r_lo.exe
- %HOMEPATH%\documents\ezol1pqogjnessycmig90dig.exe
- %APPDATA%\rerrmdfnas\u
- %APPDATA%\rerrmdfnas\skzqitwjjc.exe.com
- %APPDATA%\rerrmdfnas\era.vssm
- %APPDATA%\rerrmdfnas\rgpkpagfkmo.js
- %TEMP%\11111.exe
- %TEMP%\fj4ghga23_fsa.txt
- %TEMP%\7zipsfx.000\bordatino.exe.com
- %HOMEPATH%\documents\u2qqbimwgzsilqdg_vbigwjq.exe
- %TEMP%\7zipsfx.000\ripreso.vssm
- %TEMP%\7zipsfx.000\pura.vssm
- %TEMP%\7zipsfx.000\era.vssm
- %TEMP%\7zipsfx.000\cancellata.vssm
- %HOMEPATH%\documents\bhz_wnd1kmkt0eaq6ce51vcv.exe
- %HOMEPATH%\documents\yet6iqusv1kuaj4dtn0n5bps.exe
- %HOMEPATH%\documents\sjsaopocfgh15cghtwfwzbzb.exe
- %HOMEPATH%\documents\csixsmcm8zgl8qyzoydnnagf.exe
- %HOMEPATH%\documents\1o3ohxfy5klijlge1sl7gkef.exe
- %HOMEPATH%\documents\cia3nzks6pkyq9t_h9_rqwgu.exe
- %HOMEPATH%\documents\xjpenaamfmjx8f3vfztba6bf.exe
- %HOMEPATH%\documents\_tukslr1k77x37pahilmbkym.exe
- %HOMEPATH%\documents\o1mpyrvnmz0tlfqsqv0wt_uw.exe
- %HOMEPATH%\documents\3iy2pchqnb16raiihaftrqa8.exe
- %HOMEPATH%\documents\vgeqsblod_jo01lhm9xpko8n.exe
- %TEMP%\22222.exe
- %WINDIR%\rss\csrss.exe
- %HOMEPATH%\documents\csixsmcm8zgl8qyzoydnnagf.exe
- %TEMP%\7zipsfx.000\s
- %TEMP%\7zipsfx.000\era.vssm
- %TEMP%\11111.exe
- %TEMP%\fj4ghga23_fsa.txt
- %TEMP%\22222.exe
- %TEMP%\fj4ghga23_fsa.txt
- 'ip##fo.io':443
- 'ap#.ip.sb':443
- 'wo###lorda.xyz':80
- 'iv###ribar.xyz':80
- 'dw###mlari.xyz':80
- '45.#4.49.71':18845
- '18#.#30.143.16':32115
- 'ip##pi.com':80
- 'ip###ger.org':443
- 'st#####.##gitalcertvalidation.com':80
- 'microsoft.com':80
- 'za###aucov.xyz':80
- 'ip##s.ru':443
- 'a.###game.vip':443
- 'cd#.##scordapp.com':443
- 'sz##js.com':80
- 'a.###game.vip':80
- 'cd#.##scordapp.com':80
- 'i.###sgrt.com':80
- '18#.#0.227.194':80
- '13#.#44.41.201':80
- '37.#.11.41':80
- '37.#.8.235':80
- 'li###ncode.com':443
- '77.##0.213.35':52349
- http://13#.#44.41.201/WW/file7.exe
- http://www.sz##js.com/askinstall53.exe
- http://13#.#44.41.201/WW/file2.exe
- http://13#.#44.41.201/WW/file3.exe
- http://37.#.11.41/base/api/getData.php
- http://45.##.49.71:18845/ via 45.#4.49.71
- http://18#.###.143.16:32115/ via 18#.#30.143.16
- http://iv###ribar.xyz/
- http://dw###mlari.xyz/
- http://ze###malev.xyz/
- http://wo###lorda.xyz/
- http://za###aucov.xyz/
- http://77.###.213.35:52349/ via 77.##0.213.35
- 'ip##fo.io':443
- 'cd#.##scordapp.com':80
- 'a.###game.vip':80
- 'cd#.##scordapp.com':443
- 'a.###game.vip':443
- 'li###ncode.com':443
- 's.###tlee.com':443
- 'ip##s.ru':443
- 'ap#.ip.sb':443
- 'sh####25.tumblr.com':443
- DNS ASK ip##fo.io
- DNS ASK za###aucov.xyz
- DNS ASK ap#.ip.sb
- DNS ASK ze###malev.xyz
- DNS ASK dw###mlari.xyz
- DNS ASK iv###ribar.xyz
- DNS ASK wo###lorda.xyz
- DNS ASK ip##pi.com
- DNS ASK mu##c-s.xyz
- DNS ASK ip###ger.org
- DNS ASK st#####.##gitalcertvalidation.com
- DNS ASK microsoft.com
- DNS ASK oz######gOhlA.ozIyJaJmgOhlA
- DNS ASK ip##s.ru
- DNS ASK g-###nrs.top
- DNS ASK s.###tlee.com
- DNS ASK li###ncode.com
- DNS ASK a.###game.vip
- DNS ASK cd#.##scordapp.com
- DNS ASK sz##js.com
- DNS ASK i.###sgrt.com
- DNS ASK fl####avmaga.com
- DNS ASK sh####25.tumblr.com
- DNS ASK oc##.#tartssl.com
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: '' WindowName: ''
- '%HOMEPATH%\documents\3iy2pchqnb16raiihaftrqa8.exe'
- '%HOMEPATH%\documents\3kbsczk7lrkx5sfq_yuej9xp.exe'
- '%WINDIR%\rss\csrss.exe' /51-51
- '%TEMP%\22222.exe' /CookiesFile "%LOCALAPPDATA%\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt
- '%TEMP%\22222.exe' /CookiesFile "%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt
- '%TEMP%\11111.exe' /CookiesFile "%LOCALAPPDATA%\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt
- '%TEMP%\11111.exe' /scookiestxt %TEMP%\fj4ghga23_fsa.txt
- '%HOMEPATH%\documents\csixsmcm8zgl8qyzoydnnagf.exe'
- '%HOMEPATH%\documents\b7ghlx8iqa1wkbzpe_3h7vd7.exe'
- '%HOMEPATH%\documents\fzfmbmyi7nyvefhov4mavctc.exe'
- '%HOMEPATH%\documents\qwhx4zfsngaiqj0wpgqqbaia.exe'
- '%HOMEPATH%\documents\o1mpyrvnmz0tlfqsqv0wt_uw.exe'
- '%HOMEPATH%\documents\bygafsb8fnsvomflts96r_lo.exe'
- '%HOMEPATH%\documents\bhz_wnd1kmkt0eaq6ce51vcv.exe'
- '%HOMEPATH%\documents\sjsaopocfgh15cghtwfwzbzb.exe'
- '%HOMEPATH%\documents\ezol1pqogjnessycmig90dig.exe'
- '%TEMP%\7zipsfx.000\bordatino.exe.com' s
- '%HOMEPATH%\documents\yet6iqusv1kuaj4dtn0n5bps.exe'
- '%HOMEPATH%\documents\xjpenaamfmjx8f3vfztba6bf.exe'
- '%HOMEPATH%\documents\vgeqsblod_jo01lhm9xpko8n.exe'
- '%HOMEPATH%\documents\1o3ohxfy5klijlge1sl7gkef.exe'
- '%HOMEPATH%\documents\cia3nzks6pkyq9t_h9_rqwgu.exe'
- '%HOMEPATH%\documents\_tukslr1k77x37pahilmbkym.exe'
- '%HOMEPATH%\documents\u2qqbimwgzsilqdg_vbigwjq.exe'
- '%TEMP%\11111.exe' /CookiesFile "%LOCALAPPDATA%\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt (with hidden window)
- '%HOMEPATH%\documents\3iy2pchqnb16raiihaftrqa8.exe' (with hidden window)
- '%TEMP%\22222.exe' /CookiesFile "%LOCALAPPDATA%\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes" (with hidden window)
- '%TEMP%\22222.exe' /CookiesFile "%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt %TEMP%\fj4ghga23_fsa.txt (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im "CsiXsmCM8zgl8QyzoydnnAGf.exe" /f & erase "%HOMEPATH%\Documents\CsiXsmCM8zgl8QyzoydnnAGf.exe" & exit (with hidden window)
- '%HOMEPATH%\documents\vgeqsblod_jo01lhm9xpko8n.exe' (with hidden window)
- '%TEMP%\11111.exe' /scookiestxt %TEMP%\fj4ghga23_fsa.txt (with hidden window)
- '%HOMEPATH%\documents\csixsmcm8zgl8qyzoydnnagf.exe' (with hidden window)
- '%HOMEPATH%\documents\ezol1pqogjnessycmig90dig.exe' (with hidden window)
- '%HOMEPATH%\documents\bygafsb8fnsvomflts96r_lo.exe' (with hidden window)
- '%HOMEPATH%\documents\b7ghlx8iqa1wkbzpe_3h7vd7.exe' (with hidden window)
- '%HOMEPATH%\documents\qwhx4zfsngaiqj0wpgqqbaia.exe' (with hidden window)
- '%HOMEPATH%\documents\yet6iqusv1kuaj4dtn0n5bps.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cmd < Pura.vssm (with hidden window)
- '%HOMEPATH%\documents\fzfmbmyi7nyvefhov4mavctc.exe' (with hidden window)
- '%HOMEPATH%\documents\1o3ohxfy5klijlge1sl7gkef.exe' (with hidden window)
- '%HOMEPATH%\documents\bhz_wnd1kmkt0eaq6ce51vcv.exe' (with hidden window)
- '%HOMEPATH%\documents\u2qqbimwgzsilqdg_vbigwjq.exe' (with hidden window)
- '%HOMEPATH%\documents\sjsaopocfgh15cghtwfwzbzb.exe' (with hidden window)
- '%WINDIR%\rss\csrss.exe' /51-51 (with hidden window)
- '%HOMEPATH%\documents\cia3nzks6pkyq9t_h9_rqwgu.exe' (with hidden window)
- '%HOMEPATH%\documents\3kbsczk7lrkx5sfq_yuej9xp.exe' (with hidden window)
- '%HOMEPATH%\documents\o1mpyrvnmz0tlfqsqv0wt_uw.exe' (with hidden window)
- '%HOMEPATH%\documents\xjpenaamfmjx8f3vfztba6bf.exe' (with hidden window)
- '%HOMEPATH%\documents\_tukslr1k77x37pahilmbkym.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cmd < Pura.vssm
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\findstr.exe' /V /R "^mDHHnooFzwuKWdLxXAvOmqexElRneQaCvwawdMkcQdyHAkGxAHZauWenBjehsKCCIDhUYKrkfwXoVxUaEvXxRZvAZTAtJXtuNCYXYLvQENryYTDusKJU$" Cancellata.vssm
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 30
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im "CsiXsmCM8zgl8QyzoydnnAGf.exe" /f & erase "%HOMEPATH%\Documents\CsiXsmCM8zgl8QyzoydnnAGf.exe" & exit
- '<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes"
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe
- '%WINDIR%\syswow64\xcopy.exe' "%LOCALAPPDATA%\Google\Chrome\User Data" "%TEMP%\cghjgasaaz99\" /s /e /y