Technical Information
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '%APPDATA%\SecureDefend\notepad.exe.lnk'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run\] 'SecureDefend32bit' = '%PROGRAMDATA%\SecureDefend.exe'
- <SYSTEM32>\tasks\s-1-7-14-1367508075-1383877453-1214317971-9143\{6ieac3xi-iq8m-85nc-bcc7-9b5klcc2vkgd}
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\TermService\Parameters] 'ServiceDll' = '%ProgramFiles%\Microsoft DN1\sqlmap.dll'
- %WINDIR%\explorer.exe
- <SYSTEM32>\svchost.exe
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\weeklysheet1215.doc
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %APPDATA%\thunderbird\profiles.ini
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\securedefend\notepad.exe
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\aoc_saq_d_v3_merchant.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\holycrosschurchinstructions.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\issi2013_template_for_posters.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\config.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\dialogconfig.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c\map0
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c1
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- <SYSTEM32>\microsoft\protect\s-1-5-20\be11106b-fdee-48d9-bbb9-8839f3dae76a
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_597d9903-ea81-40e6-803a-40d3e5258fa4
- %APPDATA%\avzdjqq.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\information.txt
- %TEMP%\autb83f.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe.9
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\weeklysheet1215.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\adhd_and_obesity.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\ovp25012015.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\508softwareandos.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\screen.jpg
- %APPDATA%\tmp.exe
- %TEMP%\svhost.exe
- %PROGRAMDATA%\securedefend.exe
- %APPDATA%\ehbeehjw..exe
- %ProgramFiles%\microsoft dn1\sqlmap.dll
- %ProgramFiles%\microsoft dn1\rdpwrap.ini
- %APPDATA%\x86_microsoft-windows-s..interface.resources\enu_6887fe97432215152535
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\gamgvi3x\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\qcjm6kvd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\d1anyanj\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sbgbwj3i\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %TEMP%\aut43f9.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll.9
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll
- %APPDATA%\securedefend\notepad.exe.lnk
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %APPDATA%\x86_microsoft-windows-s..interface.resources\[] .7z
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\gamgvi3x\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\qcjm6kvd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\d1anyanj\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sbgbwj3i\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %TEMP%\aut43f9.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\dialogconfig.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\config\config.vdf
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\steam\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\weeklysheet1215.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\ovp25012015.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\issi2013_template_for_posters.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\holycrosschurchinstructions.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\aoc_saq_d_v3_merchant.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\adhd_and_obesity.docx
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\desktop txt files\508softwareandos.doc
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\screen.jpg
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\information.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe.9
- %TEMP%\autb83f.tmp
- %APPDATA%\avzdjqq.tmp
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll
- %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.sqlite3.module.dll.9
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\инструкция по установке.txt
- %APPDATA%\x86_microsoft-windows-s..interface.resources\1\telegram\d877f783d5d3ef8c\map0
- from %APPDATA%\ehbeehjw..exe to %APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.exe
- http://14#.#85.195.20/upnp.exe
- http://cd####5d.ngrok.io/Build.exe
- DNS ASK u8###28.nvpn.so
- DNS ASK cd####5d.ngrok.io
- '%APPDATA%\tmp.exe'
- '%PROGRAMDATA%\securedefend.exe'
- '%APPDATA%\ehbeehjw..exe'
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.exe'
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe' a -y -mx9 -ssw "%APPDATA%\x86_microsoft-windows-s..interface.resources\[] .7z" "%APPDATA%\x86_microsoft-windows-s..interface.resources\1\*"
- '<SYSTEM32>\cmd.exe' /c copy "C:/zsdfyn/<File name>.exe" "%appdata%\SecureDefend\notepad.exe" /Y' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\SecureDefend\notepad.exe.lnk" /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\SecureDefend\notepad.exe:Zone.Identifier' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ren "%appdata%\SecureDefend\notepad.exe.jpg" notepad.exe' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\' (with hidden window)
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.module.exe' a -y -mx9 -ssw "%APPDATA%\x86_microsoft-windows-s..interface.resources\[] .7z" "%APPDATA%\x86_microsoft-windows-s..interface.resources\1\*"' (with hidden window)
- '<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\x86_microsoft-windows-s..interface.resources"' (with hidden window)
- '%APPDATA%\x86_microsoft-windows-s..interface.resources\spwinsat.exe' ' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy "C:/zsdfyn/<File name>.exe" "%appdata%\SecureDefend\notepad.exe" /Y
- '<SYSTEM32>\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\SecureDefend\notepad.exe.lnk" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\SecureDefend\notepad.exe.lnk" /f
- '<SYSTEM32>\cmd.exe' /c echo [zoneTransfer]ZoneID = 2 > %appdata%\SecureDefend\notepad.exe:Zone.Identifier
- '<SYSTEM32>\cmd.exe' /c ren "%appdata%\SecureDefend\notepad.exe.jpg" notepad.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
- '<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\x86_microsoft-windows-s..interface.resources"
- '<SYSTEM32>\taskeng.exe' {B4CC32D2-6A02-4F2B-B0B3-E4D96053D162} S-1-5-21-2922372159-162323534-3872807762-1001:eaeqrbct\user:Interactive:[1]