Technical Information
Modifies file system
Creates the following files
- C:\recovery\4d53d3aa-5835-11ef-baad-8f07b80b2fb5\wininit.exe
- C:\recovery\4d53d3aa-5835-11ef-baad-8f07b80b2fb5\56085415360792
- %WINDIR%\branding\basebrd\en-us\wininit.exe
- %WINDIR%\branding\basebrd\en-us\56085415360792
- C:\users\public\downloads\wmiprvse.exe
- C:\users\public\downloads\24dbde2999530e
- C:\users\default\appdata\local\application data\dwm.exe
- C:\users\default\appdata\local\application data\6cb0b6c459d5d3
- %WINDIR%\pla\system\audiodg.exe
- %WINDIR%\pla\system\42af1c969fbb7b
- %TEMP%\is5mntuycq
- %TEMP%\9vcmjab02e.bat
- nul
- %HOMEPATH%\desktop\hrwdgcqr.log
Deletes the following files
- %TEMP%\is5mntuycq
Network activity
Connects to
- '21#.#09.221.153':80
TCP
HTTP POST requests
- http://21#.#09.221.153/php/PythonvoiddbpipeAsync/Voiddb/datalifeflowerDatalife0/To5/DlebaseDefault/video5/javascript/8centralImage/Voiddb/pollProcessprotectsqltrackTempcdn.php
Miscellaneous
Creates and executes the following
- 'C:\users\default\appdata\local\application data\dwm.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\9VcMJab02e.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\ping.exe' -n 10 localhost
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\9VcMJab02e.bat"' (with hidden window)
