Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\] 'GameXP AccessPoint' = '"<Current directory>\accesspoint.exe" -silent'
Modifies file system
Creates the following files
- <Current directory>\accesspoint-bin.log
- <Current directory>\update_cache\955782cc8aada5845d4fa3856deb8706
- <Current directory>\update_cache\29161ed7085b7941ad838a728c419683
- <Current directory>\update_cache\503c8d0492c9b33c5e79855ac47dd602
- <Current directory>\update_cache\e030fdcccc95338d8f9f942bdf62cdaf
- <Current directory>\update_cache\b6443b516b5ae6a4b37afaa344b37fcc
- <Current directory>\update_cache\b0bc76d17f4fcf3bcf2e5ae1c4ae0c91
- <Current directory>\update_cache\9ca776b4320582404eb25e1fdf714488
- <Current directory>\update_cache\9bba68fd27e34e323b812674db95b489
- <Current directory>\update_cache\fe94285a6485a64112176ded9bcc8697
- <Current directory>\update_cache\cfc8a62d0e2b5738238e4688bdee9bb0
- <Current directory>\accesspoint-bin.ini.lock
- <Current directory>\accesspoint-bin.ini.zx1700
Deletes the following files
- <Current directory>\accesspoint-bin.ini.lock
Moves the following files
- from <Current directory>\update_cache\955782cc8aada5845d4fa3856deb8706 to <Current directory>\accesspoint-bin.json
- from <Current directory>\update_cache\fe94285a6485a64112176ded9bcc8697 to <Current directory>\accesspoint_new.exe
- from <Current directory>\update_cache\29161ed7085b7941ad838a728c419683 to <Current directory>\accesspoint-distr.ini
- from <Current directory>\update_cache\b6443b516b5ae6a4b37afaa344b37fcc to <Current directory>\downloads\torrents\3.torrent
- from <Current directory>\update_cache\b0bc76d17f4fcf3bcf2e5ae1c4ae0c91 to <Current directory>\downloads\torrents\48.torrent
- from <Current directory>\update_cache\503c8d0492c9b33c5e79855ac47dd602 to <Current directory>\downloads\torrents\66.torrent
- from <Current directory>\update_cache\e030fdcccc95338d8f9f942bdf62cdaf to <Current directory>\downloads\torrents\96.torrent
- from <Current directory>\update_cache\9ca776b4320582404eb25e1fdf714488 to <Current directory>\downloads\torrents\12.torrent
- from <Current directory>\update_cache\9bba68fd27e34e323b812674db95b489 to <Current directory>\downloads\torrents\34.torrent
- from <Current directory>\update_cache\cfc8a62d0e2b5738238e4688bdee9bb0 to <Current directory>\accesspoint-bin.exe
- from <Current directory>\accesspoint_new.exe to <Current directory>\accesspoint.exe
- from <Current directory>\accesspoint-bin.ini.zx1700 to <Current directory>\accesspoint-bin.ini
Network activity
TCP
HTTP GET requests
- http://ge#.#amexp.ru/ap/updates/release_hz.hash?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz.list?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/5eebf34c49ec53a98d1e9bd00fc3bffb?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/8f84f4ed5dc5d2a219a41ffca7d45a13?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/e0f33f066d21adad97d85113e7d97914?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/d9160732b178edbbd7697246e0152bc3?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/a59e88e3821c729707cc5366ff34d938?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/5d8dc4899ff2e1f3b6c8ec7232e5c64c?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/8b8f2ae2311c8b470168faeb5edb1004?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/56c09a0d32ac7c07deeccc3ceab4054f?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/26e7a17dd42b56d7cbaafe50773e7857?rn###############
- http://ge#.#amexp.ru/ap/updates/release_hz/7cd2f945dd4972bbdae7cdad1c2b54b9?rn###############
UDP
- DNS ASK ge#.#amexp.ru
- DNS ASK go#####agmanager.com
- DNS ASK ha####.gamexp.com
- DNS ASK im#.#amexp.ru
- DNS ASK pi#.#amexp.com
- DNS ASK to####z1.mail.ru
- DNS ASK mc.yandex.ru
- DNS ASK fo###.gstatic.com
- DNS ASK ws####.gamexp.com
- DNS ASK br######updater.yandex.net
- DNS ASK ya###tic.net
- DNS ASK gl#####tatic.gamexp.ru
- DNS ASK microsoft.com
- DNS ASK pl##.gamexp.com
- DNS ASK dh#.##btorrent.org
- DNS ASK au####p.gamexp.ru
- DNS ASK ap####.gamexp.ru
- DNS ASK fo###.#oogleapis.com
- '76.##6.181.185':51413
- '10#.#70.150.228':46959
- '21#.#27.41.176':30244
- '90.##1.243.231':9863
- '85.##3.132.221':12421
- '27.##4.133.84':17450
- '81.##.23.196':6881
- '84.#8.9.30':58168
- '72.##5.128.250':62751
- '20#.#18.184.160':6881
- '99.##4.132.211':11708
- '79.#.165.211':4608
- '95.##.111.188':49103
- '17#.#62.139.150':10328
- '93.#0.8.199':46676
- '5.##.189.73':2408
- '11#.#70.242.114':51317
- '85.##1.109.162':51413
- '18#.#50.154.46':2181
- '12#.#4.141.164':18638
- '20#.#.182.110':13286
- '70.##.169.11':46089
- '15#.#0.44.106':6881
- '10#.#80.97.94':55255
- '78.##.90.165':61072
- '18#.#34.65.253':7881
- '12#.#9.105.32':9443
- '19#.#9.10.89':56889
- '17#.#6.106.245':51413
- '46.##0.88.223':52409
- '5.#.10.133':6881
- '77.##8.13.99':64232
- '5.###.39.213':38084
- '17#.#31.104.47':20865
- '18#.#22.159.122':6882
- '51.##.67.179':16121
- '94.##.179.14':57430
- '5.##.93.235':50321
- '88.##0.224.235':36468
- '82.##.246.98':6881
- '94.#6.58.95':36215
- '70.##6.112.3':50321
- '18#.#7.232.133':6880
- '5.##.89.37':51413
- '13#.#85.202.51':51413
- '11#.#41.29.62':6889
- '14#.#20.221.178':33415
- '17#.#3.0.166':13115
- '89.##9.163.12':51413
- '85.##.144.212':51111
- '94.##1.244.238':6889
- '17#.#2.245.217':6881
- '10#.#52.34.58':18536
- '17#.#7.60.249':6882
- '2.##.31.212':6881
- '1.###.237.203':8654
- '37.##7.140.81':6897
- '18#.#32.150.85':42475
- '10#.#93.193.6':12829
- '18#.#63.9.120':48402
- '94.##0.136.71':21522
- '31.##.152.230':38511
- '17#.#51.20.158':49001
- '17#.#18.48.34':26887
- '17#.#48.2.105':6881
- '85.##6.57.57':12988
- 'dh#.##btorrent.org':25401
- '<LOCALNET>.54.1':5351
- '23#.#55.255.250':1900
- '10#.#52.11.20':15289
- '45.##4.203.20':51932
- '15#.#4.11.20':59357
- '17#.#33.120.16':24767
- '83.##8.144.21':51413
- '11#.#02.205.195':25790
- '96.##.222.12':17548
- '83.##9.127.121':30194
- '62.##5.156.101':11888
- '5.##.124.85':18507
- '2.##.145.226':15920
- '17#.#09.22.249':51062
- '93.##.138.120':6881
- '17#.#3.236.97':15843
- '31.##3.235.156':51413
- '17#.#9.154.179':6881
- '19#.#51.106.151':62117
- '10#.#19.43.170':63660
- '24.##4.224.224':40666
- '17#.#1.48.187':6881
- '37.##.94.165':16796
- '46.##6.128.249':51413
- '79.##0.184.204':28706
- '37.##3.168.5':16843
- '37.##4.33.43':6881
- '95.##1.156.165':45893
- '21#.#07.127.77':5636
- '19#.#.70.177':56809
- '95.##4.25.252':51413
- '17#.#.151.166':19112
- '5.##5.46.10':34755
- '5.##.6.237':6882
- '83.##2.185.3':18573
- '54.##4.62.31':6881
- '12#.#8.125.2':19438
- '78.##.202.141':22716
- '37.#9.62.65':51413
- '93.##.120.40':1387
- '2.###.255.196':50352
- '16#.#72.43.117':6881
- '5.##.67.33':44346
- '89.##.17.106':5469
- '11#.#8.233.173':10445
- '11#.#36.61.63':13567
- '37.#4.42.70':44444
- '82.##9.99.15':18611
- '93.##.249.224':6881
- '21#.#3.25.77':58849
- '11#.#64.52.78':6881
- '5.##.149.163':62596
- '17#.#6.25.208':6364
- '95.##.126.12':26465
- '10#.#6.76.96':63105
- '17#.#6.82.40':51413
- '89.##5.149.122':22048
- '13#.#55.36.163':6881
- '18#.#55.236.43':59999
- '10#.#06.30.195':37920
- '37.#8.92.95':51413
- '18#.#5.51.218':50321
- '21#.#64.39.85':13845
- '21#.#23.176.190':40939
- '10#.#52.7.38':14361
- '89.##9.95.110':59386
- '15#.#79.226.212':42127
- '10#.#81.168.249':62962
- '18#.#59.158.51':1459
- '82.##.22.165':59402
- '47.#1.184.9':64431
- '17#.#6.169.33':25775
- '11#.#56.88.132':43631
- '15#.#81.185.238':5012
- '21#.#5.189.4':1639
- '46.##.241.168':27017
- '47.##6.16.242':41324
- '83.##2.163.156':51413
- '99.##.180.178':47326
- '94.##0.240.7':51413
- '49.#5.4.60':59325
- '61.##9.166.188':1172
- '2.###.157.63':23869
- '14.##7.17.126':50388
- '62.##0.10.82':6881
- '17#.#05.247.128':35441
- '18#.#5.195.169':28039
- '17#.#2.170.95':4055
- '88.##9.134.207':22595
- '18#.#35.1.60':51413
- '2.##.209.219':50089
- '5.##.66.33':51413
- '81.##1.118.185':8999
- '11#.#6.150.184':24783
- '5.##6.32.3':6881
- '95.##.173.197':6881
- '21#.#03.35.173':6881
- '10#.#70.57.101':51413
- '79.##0.15.168':1030
- '79.#34.45.1':50771
- '5.##.199.178':6881
- '31.##5.106.211':64323
- '51.#8.57.28':47115
- '21#.#29.19.188':33967
- '22#.#86.141.195':5234
- '14#.#1.123.241':41366
- '18#.#5.195.158':28159
- '5.##.72.242':24395
- '31.##8.51.206':56826
- '94.#.75.20':42822
- '17#.#21.16.142':50473
- '85.##3.158.104':62213
- '5.###.188.23':57908
- '78.##.19.216':5376
- '18#.#6.149.110':53782
- '17#.#5.179.85':15127
- '12#.#9.213.220':51413
- '77.##8.138.65':6881
- '11#.#41.252.214':6889
- '11#.#86.155.78':40931
- '13#.#9.131.245':36102
- '62.##3.162.89':27308
- '11#.#97.254.253':12517
- '22#.#7.90.98':17819
- '80.##2.167.132':63640
- '47.#.246.99':50824
- '18#.#6.50.131':21243
- '46.##1.41.188':36525
- '31.##1.178.140':41671
- '94.##6.155.59':12786
- '14#.#36.90.205':21689
- '90.##.103.195':6886
- '16#.#79.222.193':25533
- '2.##.209.121':39752
- '95.##2.132.24':62762
- '81.##3.50.156':9692
- '72.#1.94.99':50321
- '18#.#08.110.25':7764
- '21#.#4.163.254':50239
Miscellaneous
Searches for the following windows
- ClassName: 'DDEMLMom' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '<Current directory>\accesspoint_new.exe' -restart
- '<Current directory>\accesspoint-bin.exe' -launch
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Current directory>\accesspoint-...
