Technical Information

Sandbox-observed artifacts of a cryptocurrency-mining trojan. The listing below covers, in order: the autorun registry value (HKCU ...\CurrentVersion\Run, 'dd' -> %APPDATA%\dw32ede\Loader.exe), the process launches it performs, the files it drops under %APPDATA%\dw32ede (apparently a miner binary retrieved as coin-miner.exe and run as UFASoft.exe, together with OpenCL/PTX kernels phatk.cl/phatk.ptx and helper DLLs), and its network activity (payload downloads from 19#.#0.57.179/sov1001/, a WPAD lookup, and a mining pool reached on port 8332). Hostnames and IP addresses are partially masked with '#'. Notes for responders: the -u/-p values in the mining command lines are the operator's pool credentials, not victim data; the same miner command line also appears under the <SYSTEM32>\attrib.exe image name, which suggests the miner code runs inside a legitimate system process (confirm with memory analysis before relying on the image name for detection); and 'attrib -s -h %APPDATA%\dw32ede' marks the drop directory hidden+system, so file enumeration during triage must include hidden and system entries.
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'dd' = '%APPDATA%\dw32ede\Loader.exe'
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6588
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6208
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6560
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6360
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6188
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7824
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8004
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4408
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8024
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7840
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7860
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7720
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7740
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7760
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7228
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7128
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7120
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7448
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6684
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6544
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6820
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6644
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6380
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2924
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6168
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6184
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6304
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7604
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7524
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7704
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7620
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7404
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7020
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6884
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7220
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7204
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8140
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6160
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6508
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6408
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7148
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7664
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7688
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7040
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8128
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7908
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8352
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8328
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8568
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8552
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8536
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7304
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6748
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8212
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6648
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7200
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7260
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7940
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7280
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7464
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6464
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6204
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6800
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6768
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6900
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8120
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=10236
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7328
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6364
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=7724
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8064
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8108
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=8084
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5688
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5996
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4296
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2872
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5408
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5728
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5708
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5776
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4196
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4748
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3644
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5148
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3204
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2944
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=1092
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3344
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3124
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4628
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5496
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2740
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5476
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5316
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5528
- '%APPDATA%\dw32ede\UFASoft.exe' -a sha256 -g no -o http://ap#.##tcoin.cz:8332 -u kalandershihab.botnet -p kala123 -t 4
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4616
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6008
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5416
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=824
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2492
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=756
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4528
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2792
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5396
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3304
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5556
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4208
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4828
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5988
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5048
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4816
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3044
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4328
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3724
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5656
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5816
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3404
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5336
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4536
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2576
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5808
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5436
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5248
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4836
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4696
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6028
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5296
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4136
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=6136
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5508
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2832
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5328
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4228
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3732
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=4548
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3672
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2560
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=3772
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=2572
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5228
- '%APPDATA%\dw32ede\UFASoft.exe' /pid=5676
- '<SYSTEM32>\cmd.exe' (downloaded from the Internet)
- '%APPDATA%\dw32ede\UFASoft.exe' (downloaded from the Internet)
- '<SYSTEM32>\attrib.exe' (downloaded from the Internet)
- '<SYSTEM32>\attrib.exe' -a sha256 -g no -o http://ap#.##tcoin.cz:8332 -u kalandershihab.botnet -p kala123 -t 4
- '<SYSTEM32>\attrib.exe' -s -h %APPDATA%\dw32ede
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\attrib.exe
- %APPDATA%\dw32ede\phatk.cl
- %APPDATA%\dw32ede\miner.dll
- %APPDATA%\dw32ede\usft_ext.dll
- %APPDATA%\dw32ede\phatk.ptx
- %APPDATA%\dw32ede\coinutil.dll
- %APPDATA%\dw32ede\bdb.dll
- %APPDATA%\dw32ede\UFASoft.exe
- %APPDATA%\dw32ede\btc-evergreen.il
- %APPDATA%\dw32ede\btc.il
- from <Full path to virus> to %APPDATA%\dw32ede\Loader.exe
- '19#.#0.57.179':80
- 'wp#d':80
- 19#.#0.57.179/sov1001/miner.dll
- 19#.#0.57.179/sov1001/coinutil.dll
- 19#.#0.57.179/sov1001/phatk.cl
- 19#.#0.57.179/sov1001/usft_ext.dll
- 19#.#0.57.179/sov1001/phatk.ptx
- 19#.#0.57.179/sov1001/coin-miner.exe
- wp#d/wpad.dat
- 19#.#0.57.179/sov1001/bdb.dll
- 19#.#0.57.179/sov1001/btc-evergreen.il
- 19#.#0.57.179/sov1001/btc.il
- DNS ASK wp#d
- ClassName: 'Indicator' WindowName: '(null)'