Trojan.DownLoader30.30185

Техническая информация

Для обеспечения автозапуска и распространения

Создает или изменяет следующие файлы

%APPDATA%\microsoft\windows\start menu\programs\startup\startup.bat

Изменения в файловой системе

Создает следующие файлы

%TEMP%\ixp000.tmp\7z.dll
C:\nhm\nhm\plugins_packages\exampleplugin_v1.1_455c4d98-a45d-45d6-98ca-499ce866b2c7.zip
C:\nhm\nhm\plugins_packages\gminercuda9.0+_v3.0_mptoolkitv1_1b7019d0-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\lolminerbeam_v3.0_mptoolkitv1_435f0820-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\miniz_v3.0_mptoolkitv1_59bba2c0-b1ef-11e9-8e4e-bb1e2c6e76b4.zip
C:\nhm\nhm\plugins_packages\nanominer_v3.0_mptoolkitv1_a841b4b0-ae17-11e9-8e4e-bb1e2c6e76b4.zip
C:\nhm\nhm\plugins_packages\nbminer_v3.0_mptoolkitv1_6c07f7a0-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\phoenix_v3.0_mptoolkitv1_f5d4a470-e360-11e9-a914-497feefbdfc8.zip
C:\nhm\nhm\plugins_packages\ethlargement_v1.2_mptoolkitv1_efd40691-618c-491a-b328-e7e020bda7a3.zip
C:\nhm\nhm\plugins_packages\ewbf_v3.0_mptoolkitv1_f7d5dfa0-7236-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\sgmineravemore_v3.0_mptoolkitv1_bc95fd70-e361-11e9-a914-497feefbdfc8.zip
C:\nhm\nhm\plugins_packages\teamredminer_v3.0_mptoolkitv1_abc3e2a0-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\trex_v3.0_mptoolkitv1_d47d9b00-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\ttminer_v3.0_mptoolkitv1_f1945a30-7237-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\update.json
C:\nhm\nhm\plugins_packages\wildrig_v3.0_mptoolkitv1_2edd8080-9cb6-11e9-a6b8-09e27549d5bb.zip
C:\nhm\nhm\plugins_packages\xmrig_v3.0_mptoolkitv1_1046ea50-c261-11e9-8e4e-bb1e2c6e76b4.zip
C:\nhm\nhm\plugins_packages\xmrstak_v3.0_mptoolkitv1_3d4e56b0-7238-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\sgminergm_v3.0_mptoolkitv1_d5f18960-e361-11e9-a914-497feefbdfc8.zip
C:\nhm\nhm\plugins_packages\srbminer_v3.0_mptoolkitv1_85f507c0-b2ba-11e9-8e4e-bb1e2c6e76b4.zip
C:\nhm\nhm\plugins_packages\cryptodredge_v3.0_mptoolkitv1_d9c2e620-7236-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\claymoredual_v3.0_mptoolkitv1_70984aa0-7236-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\rigidprinter.exe
C:\nhm\nhm\nicehashminer.exe
C:\nhm\nhm\nicehashminer.exe.config
C:\nhm\nhm\nicehashminer.pdb
C:\nhm\nhm\nvidiasetp0state.exe
C:\nhm\nhm\nvidiasetp0state.exe.config
C:\nhm\nhm\nvidiasetp0state.pdb
C:\nhm\nhm\nvidia\license.txt
C:\nhm\nhm\nvidia\nvml.dll
C:\nhm\nhm\nvidia\readme.md
C:\nhm\nhm\ongpuslost.bat
C:\nhm\nhm\opencl\opencl.dll
C:\nhm\nhm\opencl\readme.md
C:\nhm\nhm\opencl_device_detection.dll
C:\nhm\nhm\owo.ps1
C:\nhm\nhm\plugins_packages\bminer_v3.0_mptoolkitv1_e5fbd330-7235-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\broken plugin_v1.0_mptoolkitv1_brokenminerpluginuuid.zip
C:\nhm\nhm\plugins_packages\ccminertpruvot_v3.0_mptoolkitv1_2257f160-7236-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\plugins_packages\zenemy_v3.0_mptoolkitv1_5532d300-7238-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\nhmcore.dll.config
C:\nhm\nhm\plugins_packages\cpuminer-opt_v3.0_mptoolkitv1_92fceb00-7236-11e9-b20c-f9f12eb6d835.zip
C:\nhm\nhm\miner_plugins\d47d9b00-7237-11e9-b20c-f9f12eb6d835\trex.dll
C:\nhm\nhm\rigidprinter.exe.config
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\minerreservedports.json
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\minerapimaxtimeoutsetting.json
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\minerbenchmarktimesettings.json
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\minersbinsurlssettings.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\version.txt
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\minersystemenvironmentvariables.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\mineroptionspackage.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\minerreservedports.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\minerapimaxtimeoutsetting.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\minerbenchmarktimesettings.json
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\internals\minersbinsurlssettings.json
C:\nhm\nhm\miner_plugins\ethlargement\bins\miner_bins..7z
C:\nhm\nhm\internals\cached_sma.json
C:\nhm\nhm\miner_plugins\ethlargement\bins\credits.txt
C:\nhm\nhm\miner_plugins\ethlargement\bins\donation_addresses.txt
C:\nhm\nhm\miner_plugins\ethlargement\bins\license
C:\nhm\nhm\miner_plugins\ethlargement\bins\ohgodanethlargementpill-r2
C:\nhm\nhm\miner_plugins\ethlargement\bins\prescription.txt
C:\nhm\nhm\miner_plugins\ethlargement\bins\ohgodanethlargementpill-r2.exe
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\mineroptionspackage.json
C:\nhm\nhm\nhmcore.dll
C:\nhm\nhm\nhmcore.pdb
C:\nhm\nhm\internals\supportedalgorithmsfilter.json
C:\nhm\nhm\runnhmasadmin.exe
C:\nhm\nhm\runnhmasadmin.exe.config
C:\nhm\nhm\runnhmasadmin.pdb
C:\nhm\nhm\sharpcompress.dll
C:\nhm\nhm\shh.vbs
C:\nhm\nhm\start.bat
C:\nhm\nhm\startup.bat
C:\nhm\nhm\system.valuetuple.dll
C:\nhm\nhm\system.valuetuple.xml
C:\nhm\nhm\translations.json
C:\nhm\nhm\uac.ps1
C:\nhm\nhm\websocket-sharp.dll
C:\nhm\nhm\logs\log.txt
C:\nhm\nhm\internals\supportedpluginsfilter.json
C:\nhm\nhm\configs\device_settings_cpu-077750b0-883f-5c05-8d2f-4e1eb1506f31.json
C:\nhm\nhm\miner_plugins\ethlargement\version.txt
C:\nhm\nhm\miner_plugins\ethlargement\internals\minersbinsurlssettings.json
C:\nhm\nhm\miner_plugins\ethlargement\internals\ethlargementsettings.json
C:\nhm\nhm\miner_plugins\vc_redist_x64_2015_2019\version.txt
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\version.txt
C:\nhm\nhm\rigidprinter.pdb
C:\nhm\nhm\nhm.uuid.pdb
C:\nhm\nhm\nhm.uuid.dll
C:\nhm\nhm\nhm.minersdownloader.pdb
C:\nhm\nhm\devicedetectionprinter.exe
C:\nhm\nhm\devicedetectionprinter.exe.config
C:\nhm\nhm\devicedetectionprinter.pdb
C:\nhm\nhm\device_detection_test.bat
C:\nhm\nhm\ethlargement.dll
C:\nhm\nhm\ethlargement.pdb
C:\nhm\nhm\eula.html
C:\nhm\nhm\eula.rtf
C:\nhm\nhm\firewallrules.exe
C:\nhm\nhm\firewallrules.exe.config
C:\nhm\nhm\firewallrules.pdb
C:\nhm\nhm\log4net.dll
C:\nhm\nhm\log4net.xml
C:\nhm\nhm\managednvml.dll
C:\nhm\nhm\managednvml.pdb
C:\nhm\nhm\megaapiclient.dll
C:\nhm\nhm\megaapiclient.xml
C:\nhm\nhm\createlogreport.exe.config
C:\nhm\nhm\cpuid.dll
C:\nhm\nhm\cuda_device_detection.dll
C:\nhm\nhm\miner_plugins\vc_redist_x64_2015_2019\bins\miner_bins..7z
C:\nhm\nhm\messageboxmanager.dll
C:\nhm\nhm\configs\general.json
%TEMP%\ixp000.tmp\nhm.zip
%TEMP%\ixp000.tmp\run.exe
%TEMP%\ixp000.tmp\uac.ps1
%TEMP%\ixp000.tmp\temp.bat
C:\nhm\nhm\7z.dll
C:\nhm\nhm\7z.exe
C:\nhm\nhm\a.ps1
C:\nhm\nhm\bouncycastle.crypto.dll
%TEMP%\ixp000.tmp\7z.exe
C:\nhm\nhm\common\cudart32_80.dll
C:\nhm\nhm\common\cudart64_91.dll
C:\nhm\nhm\common\libcurl.dll
C:\nhm\nhm\common\msvcp120.dll
C:\nhm\nhm\common\msvcp140.dll
C:\nhm\nhm\common\msvcr110.dll
C:\nhm\nhm\common\msvcr120.dll
C:\nhm\nhm\common\opencl.dll
C:\nhm\nhm\common\vcruntime140.dll
C:\nhm\nhm\common\cudart64_80.dll
C:\nhm\nhm\createlogreport.exe
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\internals\minersystemenvironmentvariables.json
C:\nhm\nhm\messageboxmanager.pdb
C:\nhm\nhm\minerpluginloader.dll
C:\nhm\nhm\mydownloader.core.dll
C:\nhm\nhm\mydownloader.core.dll.config
C:\nhm\nhm\mydownloader.core.pdb
C:\nhm\nhm\mydownloader.extension.dll
C:\nhm\nhm\mydownloader.extension.dll.config
C:\nhm\nhm\mydownloader.extension.pdb
C:\nhm\nhm\newtonsoft.json.dll
C:\nhm\nhm\newtonsoft.json.xml
C:\nhm\nhm\nhm.common.dll
C:\nhm\nhm\nhm.common.pdb
C:\nhm\nhm\nhm.devicedetection.dll
C:\nhm\nhm\nhm.devicedetection.pdb
C:\nhm\nhm\nhm.devicemonitoring.dll
C:\nhm\nhm\nhm.devicemonitoring.pdb
C:\nhm\nhm\nhm.extensions.dll
C:\nhm\nhm\nhm.extensions.pdb
C:\nhm\nhm\nhm.minersdownloader.dll
C:\nhm\nhm\nhm.minersdownloader.dll.config
C:\nhm\nhm\minerplugin.dll
C:\nhm\nhm\msvcr120.dll
C:\nhm\nhm\minerplugin.pdb
C:\nhm\nhm\msvcp120.dll
C:\nhm\nhm\createlogreport.pdb
C:\nhm\nhm\minerpluginloader.pdb
C:\nhm\nhm\minerplugintoolkitv1.dll
C:\nhm\nhm\minerplugintoolkitv1.pdb
C:\nhm\nhm\minerprocesscounter.exe
C:\nhm\nhm\minerprocesscounter.exe.config
C:\nhm\nhm\minerprocesscounter.pdb
C:\nhm\nhm\minersmoketest.exe
C:\nhm\nhm\minersmoketest.exe.config
C:\nhm\nhm\minersmoketest.pdb
C:\nhm\nhm\miner_plugins\1b7019d0-7237-11e9-b20c-f9f12eb6d835\gminer.dll
C:\nhm\nhm\miner_plugins\2257f160-7236-11e9-b20c-f9f12eb6d835\ccminertpruvot.dll
C:\nhm\nhm\miner_plugins\3d4e56b0-7238-11e9-b20c-f9f12eb6d835\xmrstak.dll
C:\nhm\nhm\miner_plugins\435f0820-7237-11e9-b20c-f9f12eb6d835\lolminerbeam.dll
C:\nhm\nhm\miner_plugins\5532d300-7238-11e9-b20c-f9f12eb6d835\zenemy.dll
C:\nhm\nhm\miner_plugins\59bba2c0-b1ef-11e9-8e4e-bb1e2c6e76b4\miniz.dll
C:\nhm\nhm\miner_plugins\6c07f7a0-7237-11e9-b20c-f9f12eb6d835\nbminer.dll
C:\nhm\nhm\miner_plugins\70984aa0-7236-11e9-b20c-f9f12eb6d835\claymoredual14.dll
C:\nhm\nhm\miner_plugins\92fceb00-7236-11e9-b20c-f9f12eb6d835\cpumineropt.dll
C:\nhm\nhm\miner_plugins\abc3e2a0-7237-11e9-b20c-f9f12eb6d835\teamredminer.dll
C:\nhm\nhm\miner_plugins\f5d4a470-e360-11e9-a914-497feefbdfc8\phoenix.dll
C:\nhm\nhm\miner_plugins\vc_redist_x64_2015_2019\bins\vc_redist.x64_2015_2019.exe

Удаляет следующие файлы

C:\nhm\nhm\miner_plugins\ethlargement\bins\miner_bins..7z
C:\nhm\nhm\miner_plugins\vc_redist_x64_2015_2019\bins\miner_bins..7z

Сетевая активность

UDP

DNS ASK mi######ugins.nicehash.com
DNS ASK nh###.nicehash.com
DNS ASK gi##ub.com
DNS ASK gi#############on-release-asset-2e65be.s3.amazonaws.com

Другое

Создает и запускает на исполнение

'%TEMP%\ixp000.tmp\run.exe'
'%TEMP%\ixp000.tmp\7z.exe' x "%TEMP%\IXP000.TMP/NHM.zip" * -oc:/NHM -aoa
'C:\nhm\nhm\nicehashminer.exe'
'C:\nhm\nhm\devicedetectionprinter.exe' cuda -n -nvmlFallback
'C:\nhm\nhm\devicedetectionprinter.exe' ocl -n
'%TEMP%\ixp000.tmp\run.exe' ' (со скрытым окном)
'<SYSTEM32>\cmd.exe' /c ""C:\NHM\NHM\startup.bat" "' (со скрытым окном)
'C:\nhm\nhm\nicehashminer.exe' ' (со скрытым окном)

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c ""%TEMP%\IXP000.TMP\temp.bat""
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy remotesigned -File %TEMP%\IXP000.TMP/uac.ps1
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy remotesigned -File C:/NHM/NHM/a.ps1
'<SYSTEM32>\cmd.exe' /c ""C:\NHM\NHM\startup.bat" "
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy remotesigned -File C:/NHM/NMH/uac.ps1
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy remotesigned -File C:/NHM/NHM/owo.ps1

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней