Technical Information (sandbox-observed behaviour of the sample: registry persistence, process launches, file drops and network activity; some identifiers are redacted with `#` by the reporting tool)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'rsmsink' = '%APPDATA%\MDaemon\hundbloed.exe' — per-user autorun persistence: the dropped copy is started at every logon of this user; being under HKCU, writing this value requires no administrative rights.
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7560 — note: this is a dropped file in the user profile (see "downloaded from the Internet" below), not the Windows nslookup utility, which lives in %SystemRoot%\System32; the name appears chosen to blend in. It is launched 127 times in this log, each with a different /pid=<n> argument; what the process IDs are used for (e.g. a parent/watchdog PID) is not established by this report.
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6840
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7140
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8184
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6112
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6336
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6040
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5512
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8116
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7976
- '%APPDATA%\MDaemon\nslookup.exe' /pid=720
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6224
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8136
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7256
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7736
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7656
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6424
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3436
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3548
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6180
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6220
- '%APPDATA%\MDaemon\nslookup.exe' /pid=752
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4580
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8076
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2728
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3212
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4832
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4512
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3608
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3448
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3004
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3344
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8064
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5952
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8180
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7344
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8016
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7116
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2764
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6260
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2016
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5852
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6684
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6824
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7804
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6420
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6444
- '%APPDATA%\MDaemon\nslookup.exe' /pid=1688
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3044
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4028
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5752
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3024
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4360
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6664
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3848
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2912
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6400
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4100
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7960
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7240
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5860
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4852
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7220
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6676
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7836
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7300
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7360
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7400
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7136
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6896
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7000
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7100
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7516
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5180
- '%APPDATA%\MDaemon\nslookup.exe' /pid=8140
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4120
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7980
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7640
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7780
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7740
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6820
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5260
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6280
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6160
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6340
- '%APPDATA%\MDaemon\nslookup.exe' -a sha256 -o http://hu############l.com:Password@pool.50btc.com:8332 -T 85 -l yes -t 12 — this invocation differs from the /pid= launches: the argument set (-a <hash algorithm>, -o <pool URL with an embedded worker login>, -t <thread count>) is consistent with a command-line Bitcoin mining client pointed at pool.50btc.com:8332, i.e. a coin-miner indicator (cf. the UFA.exe download below); the worker name is redacted by the report, and the meaning of -T 85 and -l yes is not confirmed here.
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2652
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5360
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5060
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6660
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6640
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6480
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4460
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2440
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4660
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6320
- '%APPDATA%\MDaemon\nslookup.exe' /pid=1120
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6576
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7060
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6760
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6904
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6012
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6132
- '%APPDATA%\MDaemon\nslookup.exe' /pid=748
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7224
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7536
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7924
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7756
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7396
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7276
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7724
- '%APPDATA%\MDaemon\nslookup.exe' /pid=7576
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5332
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4960
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4860
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4760
- '%APPDATA%\MDaemon\nslookup.exe' /pid=6360
- '%APPDATA%\MDaemon\nslookup.exe' /pid=2708
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3072
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5460
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5960
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4932
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4432
- '%APPDATA%\MDaemon\nslookup.exe' /pid=5132
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3928
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3728
- '%APPDATA%\MDaemon\nslookup.exe' /pid=3224
- '%APPDATA%\MDaemon\nslookup.exe' /pid=4132
- '%APPDATA%\MDaemon\nslookup.exe' (downloaded from the Internet) — the file carries the Mark-of-the-Web / "downloaded" origin attribute, i.e. it was fetched rather than shipped with the sample
- %APPDATA%\MDaemon\nslookup.exe
- file copy: from <Full path to virus> to %APPDATA%\MDaemon\hundbloed.exe — the sample copies itself into the user profile under the name registered in the Run key above
- '19#.#3.167.160':80 — outbound HTTP connection to a (redacted) IP address on port 80
- 'wp#d':80
- 19#.#3.167.160/sil1001/UFA.exe — retrieval of an additional executable (UFA.exe) over plaintext HTTP from the same IP; a second-stage payload download
- wp#d/wpad.dat
- DNS ASK wp#d — 'wp#d' is presumably the redacted WPAD (Web Proxy Auto-Discovery) host: the DNS query and the /wpad.dat fetch are the standard Windows proxy auto-detection performed by the WinHTTP/WinINet stack when a process makes an HTTP request, so by themselves they are not attacker-controlled indicators
- ClassName: 'Indicator' WindowName: '(null)'