Technical Information
Modifies file system
Creates the following files
- C:\temp.ini
- %TEMP%\r08q24y8gauol6.dll
- %ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe
- %ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe.exe
Deletes the following files
- %WINDIR%\prefetch\42.0.2311.135_chrome_installe-7fd75326.pf
- %WINDIR%\prefetch\sppsvc.exe-b0f8131b.pf
- %WINDIR%\prefetch\steamservice.exe-57e215d3.pf
- %WINDIR%\prefetch\steamsetup_2.10.91.91.exe-91d3eed3.pf
- %WINDIR%\prefetch\svchost.exe-007fea55.pf
- %WINDIR%\prefetch\svchost.exe-05f624ab.pf
- %WINDIR%\prefetch\svchost.exe-7cfedea3.pf
- %WINDIR%\prefetch\thunderbird setup 78.9.1 (x64-07c878f8.pf
- %WINDIR%\prefetch\unpack200.exe-bb96da5f.pf
- %WINDIR%\prefetch\thunderbird.exe-5119524c.pf
- %WINDIR%\prefetch\trustedinstaller.exe-3cc531e5.pf
- %WINDIR%\prefetch\tsetup.1.4.3.exe-ef3d6f27.pf
- %WINDIR%\prefetch\tsetup.1.4.3.tmp-9455db0f.pf
- %WINDIR%\prefetch\uninstall.exe-a11d6b07.pf
- %WINDIR%\prefetch\unlodctr.exe-531facc7.pf
- %WINDIR%\prefetch\taskhost.exe-7238f31d.pf
- %WINDIR%\prefetch\unlodctr.exe-a3d4deeb.pf
- %WINDIR%\prefetch\setuputility.exe-8e8b4811.pf
- %WINDIR%\prefetch\setup.exe-c5a66008.pf
- %WINDIR%\prefetch\setup.exe-b2453f21.pf
- %WINDIR%\prefetch\setup.exe-a76b5a2e.pf
- %WINDIR%\prefetch\setup.exe-9c5f31fe.pf
- %WINDIR%\prefetch\setup.exe-995118bd.pf
- %WINDIR%\prefetch\setup.exe-7c026c7f.pf
- %WINDIR%\prefetch\setup.exe-3caebeac.pf
- %WINDIR%\prefetch\setup.exe-3c1c5c45.pf
- %WINDIR%\prefetch\setup.exe-0e8606b0.pf
- %WINDIR%\prefetch\setup.exe-04541c92.pf
- %WINDIR%\prefetch\servicemodelreg.exe-afddd121.pf
- %WINDIR%\prefetch\servicemodelreg.exe-1f42b3e3.pf
- %WINDIR%\prefetch\searchprotocolhost.exe-0cb8cade.pf
- %WINDIR%\prefetch\shutdown.exe-e7d5c9cc.pf
- %WINDIR%\prefetch\mscorsvw.exe-90526fac.pf
- %WINDIR%\prefetch\userinit.exe-2257a3e7.pf
- %WINDIR%\prefetch\wusa.exe-f04b35c8.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-35b8af5d.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-451fb36d.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-4da5e6b3.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-92eb15bb.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-aace95dd.pf
- %WINDIR%\prefetch\vssvc.exe-b8afc319.pf
- %WINDIR%\prefetch\wevtutil.exe-400d93e8.pf
- %WINDIR%\prefetch\vcredist_x64.exe-24aea5d8.pf
- %WINDIR%\prefetch\wevtutil.exe-ef5861c4.pf
- %WINDIR%\prefetch\winrar-x64-531.exe-91d4b934.pf
- %WINDIR%\prefetch\wmiadap.exe-f8dfdfa2.pf
- %WINDIR%\prefetch\wmiprvse.exe-1628051c.pf
- %WINDIR%\prefetch\wuauclt.exe-70318591.pf
- %WINDIR%\prefetch\wusa.exe-a8d5906c.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-1dcb7807.pf
- %WINDIR%\prefetch\vc_redist.x86.exe-1c5672a5.pf
- %WINDIR%\prefetch\vcredist_x64.exe-8227a7ef.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-2c3b2083.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-d3a3c549.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-b0c890fd.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-9dedc9d2.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-6181748b.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-5c158f2f.pf
- %WINDIR%\prefetch\setx.exe-a7e52bf4.pf
- %WINDIR%\prefetch\vc_redist.x64.exe-442857d9.pf
- %WINDIR%\prefetch\searchindexer.exe-4a6353b9.pf
- %WINDIR%\prefetch\vcredist_x86.exe-96cf69cf.pf
- %WINDIR%\prefetch\vcredist_x86.exe-73b7ff73.pf
- %WINDIR%\prefetch\vcredist_x86.exe-163efd5c.pf
- %WINDIR%\prefetch\vcredist_x64.exe-d4929c6b.pf
- %WINDIR%\prefetch\vcredist_x64.exe-a53f124b.pf
- %WINDIR%\prefetch\vcredist_x86.exe-c622f3ef.pf
- %WINDIR%\prefetch\searchfilterhost.exe-77482212.pf
- %WINDIR%\prefetch\sc.exe-945d79ae.pf
- %WINDIR%\prefetch\rundll32.exe-e6258edf.pf
- %WINDIR%\prefetch\conhost.exe-1f3e9d7e.pf
- %WINDIR%\prefetch\installer.exe-ee562215.pf
- %WINDIR%\prefetch\installer.exe-6c3ab888.pf
- %WINDIR%\prefetch\install.exe-3f13c328.pf
- %WINDIR%\prefetch\firefox.exe-a606b53c.pf
- %WINDIR%\prefetch\firefox setup 78.0.2 (x64).ex-d6c4efe8.pf
- %WINDIR%\prefetch\dwm.exe-6ffd3da8.pf
- %WINDIR%\prefetch\drvinst.exe-4cb4314a.pf
- %WINDIR%\prefetch\dotnetfx40_full_x86_x64.exe-d34ac1bf.pf
- %WINDIR%\prefetch\dotnetfx35setup.exe-7deb9041.pf
- %WINDIR%\prefetch\dotnetfx35.exe-852dd91f.pf
- %WINDIR%\prefetch\dllhost.exe-b2eb1806.pf
- %WINDIR%\prefetch\dllhost.exe-766398d2.pf
- %WINDIR%\prefetch\dllhost.exe-5e46fa0d.pf
- %WINDIR%\prefetch\default-browser-agent.exe-01c82e17.pf
- %WINDIR%\prefetch\cmd.exe-ac113aa8.pf
- %WINDIR%\prefetch\aspnet_regiis.exe-86915b5a.pf
- %WINDIR%\prefetch\cmd.exe-4a81b364.pf
- %WINDIR%\prefetch\clrgc.exe-5d5b90f5.pf
- %WINDIR%\prefetch\chrome.exe-5617a1bf.pf
- %WINDIR%\prefetch\bspatch.exe-dd9e5e46.pf
- %WINDIR%\prefetch\bfsvc.exe-9c7a4dee.pf
- %WINDIR%\prefetch\audiodg.exe-bdfd3029.pf
- %WINDIR%\prefetch\xcopy.exe-41e6513f.pf
- %WINDIR%\prefetch\aspnet_regiis.exe-75651a3c.pf
- %WINDIR%\prefetch\agrobust.db
- %WINDIR%\prefetch\agglglobalhistory.db
- %WINDIR%\prefetch\agglfgapphistory.db
- %WINDIR%\prefetch\agglfaulthistory.db
- %WINDIR%\prefetch\agapplaunch.db
- %WINDIR%\prefetch\acrordrdc1501020056_en_us.exe-3b58c109.pf
- %WINDIR%\prefetch\javaw.exe-dccf0ab8.pf
- %WINDIR%\prefetch\wermgr.exe-0f2ac88c.pf
- %WINDIR%\prefetch\javaws.exe-ed58c697.pf
- %WINDIR%\prefetch\ngen.exe-ae594a6b.pf
- %WINDIR%\prefetch\readyboot\trace1.fx
- %WINDIR%\prefetch\opera_29.0.1795.47_setup.exe-9c628850.pf
- %WINDIR%\prefetch\ose.exe-51c16f0e.pf
- %WINDIR%\prefetch\ose00000.exe-2a4efdbf.pf
- %WINDIR%\prefetch\pfsvperfstats.bin
- %WINDIR%\prefetch\ping.exe-7e94e73e.pf
- %WINDIR%\prefetch\rdrservicesupdater.exe-3d26e665.pf
- %WINDIR%\prefetch\readyboot\trace2.fx
- %WINDIR%\prefetch\jaureg.exe-2358f266.pf
- %WINDIR%\prefetch\reg.exe-e7e8bd26.pf
- %WINDIR%\prefetch\regsvr32.exe-8461dbee.pf
- %WINDIR%\prefetch\regtlibv12.exe-b7c4f383.pf
- %WINDIR%\prefetch\regtlibv12.exe-d3a27e55.pf
- %WINDIR%\prefetch\rundll32.exe-36dac103.pf
- %WINDIR%\prefetch\rundll32.exe-860c49a4.pf
- %WINDIR%\prefetch\opera_29.0.1795.47_setup.exe-839f60fd.pf
- %WINDIR%\prefetch\ntosboot-b00dfaad.pf
- %WINDIR%\prefetch\netsh.exe-f1b6da12.pf
- %WINDIR%\prefetch\ndp48-x86-x64-allos-enu.exe-54656820.pf
- %WINDIR%\prefetch\msiexec.exe-e09a077a.pf
- %WINDIR%\prefetch\msiexec.exe-a2d55cb6.pf
- %WINDIR%\prefetch\mscorsvw.exe-c3c515bd.pf
- %WINDIR%\prefetch\mscorsvw.exe-57d17daf.pf
- %WINDIR%\prefetch\jre-8u45-windows-x64.exe-61cc34b3.pf
- %WINDIR%\prefetch\jp2launcher.exe-7dccd1b9.pf
- %WINDIR%\prefetch\mofcomp.exe-fde76efc.pf
- %WINDIR%\prefetch\mofcomp.exe-8fe3d558.pf
- %WINDIR%\prefetch\logonui.exe-09140401.pf
- %WINDIR%\prefetch\lodctr.exe-72cd50d0.pf
- %WINDIR%\prefetch\lodctr.exe-3cce0534.pf
- %WINDIR%\prefetch\ngen.exe-ec3f9239.pf
- %WINDIR%\prefetch\mscorsvw.exe-245ed79e.pf
- %ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe.exe
Moves the following files
- from %TEMP%\r08q24y8gauol6.dll to %TEMP%\gityd\....\gafhmoz.rar
Substitutes the following files
- %TEMP%\r08q24y8gauol6.dll
Network activity
Connects to
- '01#.##sbxxdd.lol':4490
TCP
Other
- '01#.##sbxxdd.lol':4490
UDP
- DNS ASK 01#.##sbxxdd.lol
Miscellaneous
Creates and executes the following
- '%ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe.exe'
- '%ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe'
- '%WINDIR%\syswow64\sc.exe' stop MessageTransfer' (with hidden window)
- '<SYSTEM32>\sc.exe' delete NeacSafe' (with hidden window)
- '<SYSTEM32>\sc.exe' stop NeacSafe' (with hidden window)
- '<SYSTEM32>\sc.exe' delete Neac' (with hidden window)
- '<SYSTEM32>\sc.exe' stop Neac' (with hidden window)
- '%ProgramFiles(x86)%\nvidia corporation\dytnevjarijqn.exe' ' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete 5ESafe' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop 5ESafe' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete cheano_drv' (with hidden window)
- '<SYSTEM32>\sc.exe' delete NeacSafe64' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop cheano_drv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop vibran_drv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete B5Safe6410' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop B5Safe6410' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete B5Safe64' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop B5Safe64' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete B5SafePreview' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop B5SafePreview' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete MessageTransfer_x86' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' stop MessageTransfer_x86' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete MessageTransfer' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete vibran_drv' (with hidden window)
- '<SYSTEM32>\sc.exe' stop NeacSafe64' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\sc.exe' stop MessageTransfer
- '<SYSTEM32>\sc.exe' delete NeacSafe
- '<SYSTEM32>\sc.exe' stop NeacSafe
- '<SYSTEM32>\sc.exe' delete Neac
- '<SYSTEM32>\sc.exe' stop Neac
- '%WINDIR%\syswow64\sc.exe' delete 5ESafe
- '%WINDIR%\syswow64\sc.exe' stop 5ESafe
- '%WINDIR%\syswow64\sc.exe' delete cheano_drv
- '%WINDIR%\syswow64\sc.exe' stop cheano_drv
- '%WINDIR%\syswow64\sc.exe' delete vibran_drv
- '%WINDIR%\syswow64\sc.exe' stop vibran_drv
- '%WINDIR%\syswow64\sc.exe' delete B5Safe6410
- '%WINDIR%\syswow64\sc.exe' stop B5Safe6410
- '%WINDIR%\syswow64\sc.exe' delete B5Safe64
- '%WINDIR%\syswow64\sc.exe' stop B5Safe64
- '%WINDIR%\syswow64\sc.exe' delete B5SafePreview
- '%WINDIR%\syswow64\sc.exe' stop B5SafePreview
- '%WINDIR%\syswow64\sc.exe' delete MessageTransfer_x86
- '%WINDIR%\syswow64\sc.exe' stop MessageTransfer_x86
- '%WINDIR%\syswow64\sc.exe' delete MessageTransfer
- '<SYSTEM32>\sc.exe' delete NeacSafe64
- '<SYSTEM32>\sc.exe' stop NeacSafe64
