Technical Information
- <SYSTEM32>\tasks\windows protection
- %TEMP%\aut59e2.tmp
- %ALLUSERSPROFILE%\defender\windows protection.exe
- %TEMP%\aut9993.tmp
- %ALLUSERSPROFILE%\defender\winring0x64.sys
- %TEMP%\aut99c3.tmp
- %ALLUSERSPROFILE%\defender\start.exe
- %TEMP%\aut9a31.tmp
- %ALLUSERSPROFILE%\defender\start.vbs
- %TEMP%\aut9a61.tmp
- %ALLUSERSPROFILE%\defender\k.bat
- %TEMP%\aut9a81.tmp
- %ALLUSERSPROFILE%\defender\k.vbs
- %TEMP%\aut9ad0.tmp
- %ALLUSERSPROFILE%\defender\p.vbs
- %TEMP%\aut9b6d.tmp
- %ALLUSERSPROFILE%\defender\s.vbs
- %TEMP%\aut9b9d.tmp
- %ALLUSERSPROFILE%\defender\s.bat
- %TEMP%\aut9bbd.tmp
- %ALLUSERSPROFILE%\defender\timeout.ps1
- nul
- %TEMP%\b145.tmp\b146.tmp\b156.bat
- %TEMP%\gecpgllu.0.cs
- %TEMP%\gecpgllu.cmdline
- %TEMP%\gecpgllu.out
- %TEMP%\cscfed7.tmp
- %LOCALAPPDATA%\tempscratch.bat
- %TEMP%\resfee8.tmp
- %TEMP%\aut94c2.tmp
- %TEMP%\aut93d7.tmp
- %ALLUSERSPROFILE%\defender\a.exe
- %TEMP%\aut5a31.tmp
- %ALLUSERSPROFILE%\defender\d.bat
- %TEMP%\aut5a61.tmp
- %ALLUSERSPROFILE%\defender\d.vbs
- %TEMP%\aut5a91.tmp
- %ALLUSERSPROFILE%\defender\w.bat
- %TEMP%\aut5ad0.tmp
- %ALLUSERSPROFILE%\defender\d.exe
- %TEMP%\aut5b1f.tmp
- %ALLUSERSPROFILE%\defender\t.bat
- %TEMP%\aut5b5e.tmp
- %ALLUSERSPROFILE%\defender\t.vbs
- %TEMP%\aut7278.tmp
- %ALLUSERSPROFILE%\defender\ab.exe
- %ALLUSERSPROFILE%\defender\dc.ini
- %ALLUSERSPROFILE%\defender\dd.bat
- %ALLUSERSPROFILE%\defender\ddd.bat
- %ALLUSERSPROFILE%\defender\dc.exe
- %ALLUSERSPROFILE%\defender\dd.vbs
- %TEMP%\aut86b4.tmp
- %ALLUSERSPROFILE%\defender\ac.exe
- %ALLUSERSPROFILE%\defender\min.exe
- %TEMP%\aut9397.tmp
- %ALLUSERSPROFILE%\defender\config.json
- %ALLUSERSPROFILE%\task host\svchost.exe
- %TEMP%\gecpgllu.dll
- %TEMP%\aut59e2.tmp
- %TEMP%\gecpgllu.cmdline
- %TEMP%\gecpgllu.pdb
- %TEMP%\gecpgllu.out
- %TEMP%\cscfed7.tmp
- %TEMP%\resfee8.tmp
- %TEMP%\b145.tmp\b146.tmp\b156.bat
- %TEMP%\aut9bbd.tmp
- %TEMP%\aut9b9d.tmp
- %TEMP%\aut9b6d.tmp
- %TEMP%\aut9ad0.tmp
- %TEMP%\aut9a81.tmp
- %TEMP%\aut9a61.tmp
- %TEMP%\gecpgllu.0.cs
- %TEMP%\aut9a31.tmp
- %TEMP%\aut9993.tmp
- %TEMP%\aut94c2.tmp
- %TEMP%\aut93d7.tmp
- %TEMP%\aut9397.tmp
- %TEMP%\aut86b4.tmp
- %TEMP%\aut7278.tmp
- %TEMP%\aut5b5e.tmp
- %TEMP%\aut5b1f.tmp
- %TEMP%\aut5ad0.tmp
- %TEMP%\aut5a91.tmp
- %TEMP%\aut5a61.tmp
- %TEMP%\aut5a31.tmp
- %TEMP%\aut99c3.tmp
- %TEMP%\gecpgllu.dll
- '17#.#4.88.173':5501
- 'xm#.###l.minergate.com':45700
- DNS ASK xm#.###l.minergate.com
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\syswow64\wscript.exe' "%ALLUSERSPROFILE%\Defender\d.vbs"
- '%ALLUSERSPROFILE%\defender\min.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy Unrestricted %ALLUSERSPROFILE%\Defender\timeout.ps1
- '%ALLUSERSPROFILE%\task host\svchost.exe'
- '<SYSTEM32>\wscript.exe' "%ALLUSERSPROFILE%\Defender\s.vbs"
- '%ALLUSERSPROFILE%\defender\windows protection.exe'
- '<SYSTEM32>\wscript.exe' "%ALLUSERSPROFILE%\Defender\p.vbs"
- '%ALLUSERSPROFILE%\defender\ac.exe' -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
- '%ALLUSERSPROFILE%\defender\start.exe'
- '%ALLUSERSPROFILE%\defender\d.exe' 61 %ALLUSERSPROFILE%\Defender\dd.bat
- '%WINDIR%\syswow64\wscript.exe' "%ALLUSERSPROFILE%\Defender\dd.vbs"
- '%ALLUSERSPROFILE%\defender\d.exe' 61 %ALLUSERSPROFILE%\Defender\d.bat
- '%ALLUSERSPROFILE%\defender\ab.exe' -pMym5DNNMnqsLhbcZaef2Zau9zuxyKFRzEav3QTVA
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFEE8.tmp" "%TEMP%\CSCFED7.tmp"' (with hidden window)
- '%ALLUSERSPROFILE%\defender\d.exe' 61 %ALLUSERSPROFILE%\Defender\dd.bat' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\Tempscratch.bat' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B145.tmp\B146.tmp\B156.bat %ALLUSERSPROFILE%\Defender\Start.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\Defender\t.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ""%ALLUSERSPROFILE%\Defender\s.bat" "' (with hidden window)
- '%ALLUSERSPROFILE%\task host\svchost.exe' ' (with hidden window)
- '%ALLUSERSPROFILE%\defender\d.exe' 61 %ALLUSERSPROFILE%\Defender\d.bat' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gecpgllu.cmdline"' (with hidden window)
- '%ALLUSERSPROFILE%\defender\windows protection.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\Defender\t.bat" "
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /SC ONLOGON /TN "Windows Protection" /TR "%ALLUSERSPROFILE%\Defender\Start.exe" /f
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\Tempscratch.bat
- '%WINDIR%\syswow64\ping.exe' -n 0127.0.0.1
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B145.tmp\B146.tmp\B156.bat %ALLUSERSPROFILE%\Defender\Start.exe"
- '<SYSTEM32>\timeout.exe' /t 10
- '<SYSTEM32>\cmd.exe' /c ""%ALLUSERSPROFILE%\Defender\s.bat" "
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gecpgllu.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFEE8.tmp" "%TEMP%\CSCFED7.tmp"