Source: C:\Baldi\Baldi.exe | Avira: detection malicious, Label: TR/BAS.Samca.amdgw |
Source: C:\Baldi\kill.exe | Avira: detection malicious, Label: TR/AD.Nekark.sjwrf |
Source: C:\Baldi\mbr.exe | Avira: detection malicious, Label: DR/Delphi.Gen |
Source: C:\Baldi\Baldi.exe | ReversingLabs: Detection: 70% |
Source: C:\Baldi\DisableUAC.exe | ReversingLabs: Detection: 20% |
Source: C:\Baldi\kill.exe | ReversingLabs: Detection: 75% |
Source: C:\Baldi\mbr.exe | ReversingLabs: Detection: 70% |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405D07 FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040263E FindFirstFileA, |
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr | String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A equals www.youtube.com (Youtube) |
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience Controls LibraryX equals www.youtube.com (Youtube) |
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ~YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang equals www.youtube.com (Youtube) |
Source: file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr | String found in binary or memory: https://vk.com/endnet |
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr | String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A |
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience |
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_2_000000014000E9BC GetFocus,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetClassNameA,strncmp,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetPropA,GetPropA,GetWindowThreadProcessId,GetCurrentProcessId, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406128 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004046F9 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004068FF |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_3_021A79B8 |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_2_000000014000A15C |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_2_0000000140012B80 |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_2_00000001400127C0 |
Source: C:\Baldi\DisableUAC.exe | Code function: 4_2_000000014000DFD0 |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe |
Source: C:\Baldi\DisableUAC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Baldi\Baldi.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe |
Source: C:\Baldi\DisableUAC.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe |
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..." |
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe") |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01 |
Source: Yara match | File source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: DisableUAC.exe PID: 7140, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 6040, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: reg.exe PID: 5744, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: shutdown.exe PID: 3816, type: MEMORYSTR |
Source: Baldi.exe.0.dr | Static PE information: section name: .didata |
Source: Baldi.exe.0.dr | Static PE information: section name: .debug |
Source: DisableUAC.exe.0.dr | Static PE information: section name: .code |
Source: kill.exe.0.dr | Static PE information: section name: .code |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Baldi\Baldi.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Baldi\DisableUAC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, |