Technical Information
- <SYSTEM32>\tasks\firefox default browser agent 96dceeeaff1b1a59
- '<SYSTEM32>\taskkill.exe' /F /im "Wed066f5b23a5ec2e646.exe"
- wed06edd6b8998.exe
- %TEMP%\nsn6b60.tmp
- %TEMP%\is-knp1f.tmp\wed0650a8380a8741df.tmp
- %TEMP%\is-hkd2n.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-hkd2n.tmp\idp.dll
- %TEMP%\is-ojnsq.tmp\wed0650a8380a8741df.tmp
- %TEMP%\is-pmu5c.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-pmu5c.tmp\idp.dll
- %TEMP%\zspely.cnm
- %TEMP%\m9wdkh25.n
- %TEMP%\ojm3yr.x
- %TEMP%\svnzw.c2
- %TEMP%\amtzy.zxt
- %TEMP%\lpme79o.f1
- %TEMP%\nytfsko.4
- %TEMP%\x5w6aa.zs
- %TEMP%\7zs4929a344\wed06f9fffb9fce655c.exe
- %TEMP%\05xkvf6f.exe
- %TEMP%\7zs4929a344\wed06edd6b8998.exe
- %TEMP%\7zs4929a344\setup_install.exe
- %TEMP%\setup_installer.exe
- %TEMP%\7zs4929a344\libcurl.dll
- %TEMP%\7zs4929a344\libcurlpp.dll
- %TEMP%\7zs4929a344\libgcc_s_dw2-1.dll
- %TEMP%\7zs4929a344\libstdc++-6.dll
- %TEMP%\7zs4929a344\libwinpthread-1.dll
- %TEMP%\7zs4929a344\wed06002750541796d.exe
- %TEMP%\7zs4929a344\wed06c309967f8043c8c.exe
- %TEMP%\7zs4929a344\wed06433b0cfc741.exe
- %TEMP%\7zs4929a344\wed0650a8380a8741df.exe
- %TEMP%\7zs4929a344\wed0658076940.exe
- %TEMP%\7zs4929a344\wed066f5b23a5ec2e646.exe
- %TEMP%\7zs4929a344\wed06846d415c1fb8.exe
- %TEMP%\7zs4929a344\wed06bc5204dc0448.exe
- %TEMP%\7zs4929a344\wed06d91f4e16fac21d.exe
- %APPDATA%\uvurcwu
- %APPDATA%\uvurcwu
- %TEMP%\is-hkd2n.tmp\idp.dll
- %TEMP%\is-hkd2n.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-knp1f.tmp\wed0650a8380a8741df.tmp
- %TEMP%\7zs4929a344\wed06002750541796d.exe
- 'localhost':49166
- 'localhost':49168
- '45.##3.1.107':80
- 't.###amec.com':443
- 'ni###nnbest.me':443
- '91.##1.67.60':2151
- '13#.#81.129.119':4805
- 'cd#.##scordapp.com':443
- 'pa###bin.com':443
- '2.##.59.42':80
- 'ti###ahnarzt.at':80
- 'st####ofcards.com':80
- 'yc##zd.com':80
- 'su####scoachceo.com':80
- 'uh#u.cn':80
- http://ti###ahnarzt.at/upload/
- 'localhost':49166
- 'localhost':49168
- 'localhost':49169
- 't.###amec.com':443
- 'ni###nnbest.me':443
- 'cd#.##scordapp.com':443
- 'pa###bin.com':443
- DNS ASK sa##nu.xyz
- DNS ASK t.###amec.com
- DNS ASK pr###nla.com
- DNS ASK ni###nnbest.me
- DNS ASK cd#.##scordapp.com
- DNS ASK pa###bin.com
- DNS ASK di####orycart.com
- DNS ASK ti###ahnarzt.at
- DNS ASK st####ofcards.com
- DNS ASK yc##zd.com
- DNS ASK su####scoachceo.com
- DNS ASK uh#u.cn
- DNS ASK ja####rticle.com
- DNS ASK al######le-pa1ments.com.mx
- DNS ASK bu######asy-football.com.sg
- DNS ASK to#####annpickshop.cc
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
- '%TEMP%\setup_installer.exe'
- '%TEMP%\7zs4929a344\wed0650a8380a8741df.exe'
- '%TEMP%\05xkvf6f.exe' /PttJqbtIGV_gKpayWgLcpQuUGXL9h
- '%TEMP%\is-ojnsq.tmp\wed0650a8380a8741df.tmp' /SL5="$B021A,140785,56832,%TEMP%\7zS4929A344\Wed0650a8380a8741df.exe" /SILENT
- '%TEMP%\7zs4929a344\wed0650a8380a8741df.exe' /SILENT
- '%TEMP%\is-knp1f.tmp\wed0650a8380a8741df.tmp' /SL5="$120136,140785,56832,%TEMP%\7zS4929A344\Wed0650a8380a8741df.exe"
- '%TEMP%\7zs4929a344\wed06edd6b8998.exe'
- '%TEMP%\7zs4929a344\wed066f5b23a5ec2e646.exe'
- '%TEMP%\7zs4929a344\wed06846d415c1fb8.exe'
- '%TEMP%\7zs4929a344\wed0658076940.exe'
- '%TEMP%\7zs4929a344\wed06433b0cfc741.exe'
- '%TEMP%\7zs4929a344\wed06002750541796d.exe'
- '%TEMP%\7zs4929a344\wed06c309967f8043c8c.exe'
- '%TEMP%\7zs4929a344\setup_install.exe'
- '%TEMP%\7zs4929a344\wed06d91f4e16fac21d.exe'
- '%TEMP%\7zs4929a344\wed06bc5204dc0448.exe'
- '<SYSTEM32>\cmd.exe' /c copy /Y "%TEMP%\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( ...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy /Y "%TEMP%\7zS4929A344\Wed066f5b23a5ec2e646.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "%T...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 ...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
- '<SYSTEM32>\cmd.exe' /S /D /c" Echo "
- '<SYSTEM32>\cmd.exe' /q /C Echo | sEt /P = "MZ" >X5W6AA.ZS & CoPY /b /y X5w6AA.ZS+ ZSPELY.cNM + OJM3YR.X+ SVnzW.C2+ AmtZY.zXT+ LPME79O.f1+ NytFSko.4 ...
- '<SYSTEM32>\mshta.exe' vBscrIpt: ClOse ( cReateobJecT( "wScriPT.shEll" ). Run("<SYSTEM32>\cmd.exe /q /C Echo | sEt /P = ""MZ"" >X5W6AA.ZS & CoPY /b...
- '<SYSTEM32>\cmd.exe' /c copy /Y "%TEMP%\05XkvF6f.EXe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF "/PttJqbtIGV_gKpayWgLcpQuUGXL9h"=="" for %m In ( ...
- '<SYSTEM32>\mshta.exe' VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""%TEMP%\05XkvF6f.EXe"" 05XkvF6f.EXe && stArt 05XkVf6F.exe /PttJqbtIGV_...
- '<SYSTEM32>\cmd.exe' /c copy /Y "%TEMP%\7zS4929A344\Wed066f5b23a5ec2e646.exe" 05XkvF6f.EXe&&stArt 05XkVf6F.exe /PttJqbtIGV_gKpayWgLcpQuUGXL9h&IF ""=="" for %m In ( "%T...
- '<SYSTEM32>\mshta.exe' VBsCripT: CloSe ( crEAtEobJEct( "WSCrIpT.ShELl").RuN ("cmd.exe /c copy /Y ""%TEMP%\7zS4929A344\Wed066f5b23a5ec2e646.exe"" 05XkvF6f.EXe && stArt 0...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
- '<SYSTEM32>\cmd.exe' /c Wed0650a8380a8741df.exe
- '<SYSTEM32>\cmd.exe' /c Wed06bc5204dc0448.exe
- '<SYSTEM32>\cmd.exe' /c Wed066f5b23a5ec2e646.exe
- '<SYSTEM32>\cmd.exe' /c Wed06edd6b8998.exe
- '<SYSTEM32>\cmd.exe' /c Wed06433b0cfc741.exe
- '<SYSTEM32>\cmd.exe' /c Wed06846d415c1fb8.exe
- '<SYSTEM32>\cmd.exe' /c Wed06d91f4e16fac21d.exe
- '<SYSTEM32>\cmd.exe' /c Wed06f9fffb9fce655c.exe
- '<SYSTEM32>\cmd.exe' /c Wed0658076940.exe
- '<SYSTEM32>\cmd.exe' /c Wed06002750541796d.exe
- '<SYSTEM32>\cmd.exe' /c Wed06c309967f8043c8c.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
- '<SYSTEM32>\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt /P = "MZ" 1>X5W6AA.ZS"
- '<SYSTEM32>\msiexec.exe' -y .\M9WDkH25.n