Technical Information
- [<HKLM>\SYSTEM\ControlSet001\services\Anofwacapeunviha] 'Start' = '00000002'
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x1594 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x1400 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x16f8 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x1650 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER.EXE>" 0xa90 exicr.exe
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0x3b4 --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER.EXE>" 0x3b4 exicr.exe
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER.EXE>" 0x468 exicr.exe
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x13bc /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x1258 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0xa44 --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0xa44 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x17f4 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x898 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x122c /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0x17f4 --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x138 /log
- 'C:\ProgramData\AdihIfk0\exicr.exe'
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x53c /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x4fc /log
- 'C:\ProgramData\AdihIfk\exicr.exe' 1
- 'C:\ProgramData\AdihIfk\exicr.exe'
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x89c /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0x468 --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0x4fc --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER.EXE>" 0x4fc exicr.exe
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER_NET.EXE>" --pid=0xa90 --log --managed
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0xa90 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x3b4 /log
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_DUMPER.EXE>" 0xed0 taskhost.exe
- '%APPDATA%\Roaming\AdihIfk\exicr.exe' 1 /START "<APATH_<Auxiliary name>.EXE>" /pid=0x468 /log
- '<SYSTEM32>\taskhost.exe'
- C:\ProgramData\AdihIfk\ogatafhuuves\xaufol.dmp
- C:\ProgramData\AdihIfk\ogatafhuuves\ofleret.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\nemu\furouqe.bin
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\omeqto\higere.ocx
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\fiiq.dmp
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\luos.sys
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\omeqto\fefeun.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\ivnerior.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\icos.dmp
- C:\ProgramData\AdihIfk\ogatafhuuves\uvedoduw\weis.bin
- C:\ProgramData\AdihIfk\ogatafhuuves\eqgoapcoo\pep.mui
- C:\ProgramData\AdihIfk\ogatafhuuves\nemu\wuexe.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\eqgoapcoo\xara.dmp
- C:\ProgramData\AdihIfk\ogatafhuuves\eqgoapcoo\bunubiexu.ocx
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\MC978V79
- C:\ProgramData\AdihIfk0\ogatafhuuves\uvto.cat
- C:\ProgramData\AdihIfk0\ogatafhuuves\ihito.ocx
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\G57VZ16X
- %TEMP%\HD4650.wav
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F8N3M470
- <Auxiliary element>
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\esap\foenlootn.mui
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\esap\veu.mui
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\inutal.mui
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\esap\kaucxetauf.ocx
- C:\ProgramData\AdihIfk0\ogatafhuuves\wougitliqo.drv
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\esap\egl.cat
- %APPDATA%\Roaming\AdihIfk\ogatafhuuves\esap\xiinla.bin
- C:\ProgramData\AdihIfk\ugobvi\seqoahpesa.dat
- C:\ProgramData\AdihIfk\ugobvi\upbiad.ocx
- C:\ProgramData\AdihIfk\urabsa\tegako.sys
- C:\ProgramData\AdihIfk\isopudd.drv
- C:\ProgramData\AdihIfk0\emevn\aramawqou.dmp
- C:\ProgramData\AdihIfk0\daip.dmp
- C:\ProgramData\AdihIfk\exicr.exe
- C:\ProgramData\AdihIfk\elitit\urw.dmp
- C:\ProgramData\AdihIfk\rit.dmp
- C:\ProgramData\AdihIfk\ulitsav.dmp
- C:\ProgramData\AdihIfk\elitit\uni.drv
- C:\ProgramData\AdihIfk\urabsa\utibqaw.ocx
- C:\ProgramData\AdihIfk\afpoemc.dat
- C:\ProgramData\AdihIfk\elitit\uko.mui
- C:\ProgramData\AdihIfk0\exicr.exe
- C:\ProgramData\AdihIfk0\igu.dat
- C:\ProgramData\AdihIfk0\suhabou.ocx
- %APPDATA%\Roaming\AdihIfk\exicr.exe
- C:\ProgramData\AdihIfk\ogatafhuuves\uvedoduw\ruoc.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\uvedoduw\otmuegecl.ocx
- C:\ProgramData\AdihIfk\ogatafhuuves\uvedoduw\watunol.dat
- C:\ProgramData\AdihIfk0\emevn\pib.mui
- C:\ProgramData\AdihIfk0\emevn\ecamgoupox.cat
- C:\ProgramData\AdihIfk0\emevn\kug.drv
- C:\ProgramData\AdihIfk0\emevn\raowni.ocx
- C:\ProgramData\AdihIfk0\ipto.drv
- C:\ProgramData\AdihIfk0\vaequ.dat
- C:\ProgramData\AdihIfk0\igekkuaxu.bin
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F8N3M470
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\MC978V79
- C:\ProgramData\AdihIfk0\exicr.exe
- 'lo#####maxmui.ddns.net':80
- 'nu######apkucoe.ddns.net':80
- 'id####ocu.ddns.net':80
- 'so#####ixoc.ddns.net':80
- 'ma#####aixhooc.ddns.net':80
- 'ic###azip.com':80
- '89.##8.76.197':8123
- 'z3#####pmtw5b2xx.onion':80
- 'og#####eiqabbi.ddns.net':80
- 'ux#####ahocogo.ddns.net':80
- ic###azip.com/
- DNS ASK id####ocu.ddns.net
- DNS ASK lo#####maxmui.ddns.net
- DNS ASK so#####ixoc.ddns.net
- DNS ASK ma#####aixhooc.ddns.net
- DNS ASK nu######apkucoe.ddns.net
- DNS ASK z3#####pmtw5b2xx.onion
- DNS ASK ic###azip.com
- DNS ASK og#####eiqabbi.ddns.net
- DNS ASK ux#####ahocogo.ddns.net