Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=34223 action=block dir=OUT
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=12123 action=block dir=OUT
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=5049 action=block dir=OUT
- '%WINDIR%\syswow64\taskkill.exe' /f /im python.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im crashpad_handler.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im qemu-ga.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im OpenWith.exe
Modifies file system
Creates the following files
- C:\pr.exe
- %TEMP%\afxc830ce3a.tmp
- %APPDATA%\tor\cached-microdesc-consensus.tmp
- %APPDATA%\tor\cached-certs.tmp
- %APPDATA%\tor\unverified-microdesc-consensus.tmp
- %APPDATA%\tor\state.tmp
- %TEMP%\is-qauav.tmp\_isetup\_setup64.tmp
- %TEMP%\is-j55i2.tmp\pr.tmp
- C:\tor\libevent-2-1-7.dll
- C:\tor\libevent_extra-2-1-7.dll
- C:\tor\libevent_core-2-1-7.dll
- C:\tor\libcrypto-1_1.dll
- C:\tor\zlib1.dll
- C:\tor\svchost.exe
- C:\tor\libwinpthread-1.dll
- C:\tor\libssp-0.dll
- C:\tor\libssl-1_1.dll
- C:\tor\libgcc_s_sjlj-1.dll
- C:\mcr2.exe
- C:\miner\bruh.exe
- C:\miner\config.txt
- C:\users\gamer\appdata\roaming\proxifier4\profiles\default.ppx
- C:\q.exe
- C:\mcr.exe
- %TEMP%\afxfe684b21.tmp
- %APPDATA%\proxifier4\profiles\default.ppx
Deletes the following files
- %APPDATA%\tor\unverified-microdesc-consensus
- %TEMP%\is-j55i2.tmp\pr.tmp
Moves the following files
- from %APPDATA%\tor\state.tmp to %APPDATA%\tor\state
- from %APPDATA%\tor\unverified-microdesc-consensus.tmp to %APPDATA%\tor\unverified-microdesc-consensus
- from %APPDATA%\tor\cached-certs.tmp to %APPDATA%\tor\cached-certs
- from %APPDATA%\tor\cached-microdesc-consensus.tmp to %APPDATA%\tor\cached-microdesc-consensus
Network activity
Connects to
- 'cd#.##scordapp.com':443
- 'localhost':49174
- '5.###.142.236':9001
- '17#.#7.170.23':9001
TCP
Other
- 'cd#.##scordapp.com':443
- '17#.#7.170.23':9001
UDP
- DNS ASK cd#.##scordapp.com
- DNS ASK ia##.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'Proxifier32Cls' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
Creates and executes the following
- '%TEMP%\is-j55i2.tmp\pr.tmp' /SL5="$160156,4567104,921088,C:\pr.exe"
- 'C:\q.exe'
- 'C:\mcr.exe'
- 'C:\pr.exe'
- 'C:\tor\svchost.exe'
- 'C:\miner\bruh.exe'
- '%WINDIR%\syswow64\taskkill.exe' /f /im OpenWith.exe' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /f /im qemu-ga.exe' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=12123 action=block dir=OUT' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=5049 action=block dir=OUT' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /f /im python.exe' (with hidden window)
- 'C:\tor\svchost.exe' ' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /f /im crashpad_handler.exe' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Port range" protocol=TCP remoteport=34223 action=block dir=OUT' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-18\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-20\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\License" /v Key /t REG_SZ /d S5ZWH-5WFNB-24F25-R6BQ2-W9B43 /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\License" /v Owner /t REG_SZ /d A /f
- '%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1539546198-1320305224-2392476415-1000\Software\Initex\alekey gay\Settings" /v UpdateCheck /t REG_DWORD /d 0 /f
- '<SYSTEM32>\ipconfig.exe' /flushdns