Техническая информация
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\aut29ed.tmp
- C:\gecici_proje_klasoru\bin\x86\gatherosstate.exe
- C:\gecici_proje_klasoru\bin\x86\slc.dll
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\entn.ps1
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\entsn.ps1
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x64\gatherosstate.exe
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x64\slc.dll
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x86\gatherosstate.exe
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\install.cmd
- %HOMEPATH%\desktop\download free full programs\facebook grups.url
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\setupcomplete.cmd
- %TEMP%\4182.tmp\windows_10_digital_activation.cmd
- nul
- C:\gecici_proje_klasoru\bin\x64\genuineticket.xml
- %TEMP%\b911.tmp\ac.cmd
- %HOMEPATH%\desktop\download free full programs\byemir candan - youtube.url
- %HOMEPATH%\desktop\download free full programs\download free full programs.url
- C:\gecici_proje_klasoru\bin\x64\slc.dll
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x86\slc.dll
- C:\gecici_proje_klasoru\bin\x64\gatherosstate.exe
- %TEMP%\aut2aea.tmp
- C:\gecici_proje_klasoru\grey.gif
- %TEMP%\aut2a1c.tmp
- C:\gecici_proje_klasoru\k.png
- %TEMP%\aut2a4c.tmp
- C:\gecici_proje_klasoru\ac.exe
- %TEMP%\aut2a9b.tmp
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\etkinlestirme.vbs
- C:\gecici_proje_klasoru\bin\entn.ps1
- %TEMP%\aut2b1a.tmp
- C:\gecici_proje_klasoru\h.exe
- %TEMP%\aut2d0e.tmp
- C:\gecici_proje_klasoru\s.exe
- %TEMP%\aut2d4e.tmp
- C:\gecici_proje_klasoru\wg.exe
- %TEMP%\2f49.tmp\s.bat
- C:\gecici_proje_klasoru\bin\entsn.ps1
- %HOMEPATH%\desktop\download free full programs\important note.txt
Присваивает атрибут 'скрытый' для следующих файлов
- C:\gecici_proje_klasoru\s.exe
- C:\gecici_proje_klasoru\h.exe
- C:\gecici_proje_klasoru\wg.exe
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\etkinlestirme.vbs
- C:\gecici_proje_klasoru\k.png
Удаляет следующие файлы
- %TEMP%\aut29ed.tmp
- C:\gecici_proje_klasoru\wg.exe
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\install.cmd
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\setupcomplete.cmd
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\entn.ps1
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\entsn.ps1
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x64\gatherosstate.exe
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x86\gatherosstate.exe
- %TEMP%\2f49.tmp\s.bat
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x86\slc.dll
- C:\gecici_proje_klasoru\bin\entn.ps1
- C:\gecici_proje_klasoru\bin\entsn.ps1
- C:\gecici_proje_klasoru\bin\x64\gatherosstate.exe
- C:\gecici_proje_klasoru\bin\x64\genuineticket.xml
- C:\gecici_proje_klasoru\bin\x64\slc.dll
- C:\gecici_proje_klasoru\s.exe
- C:\gecici_proje_klasoru\k.png
- C:\gecici_proje_klasoru\h.exe
- C:\gecici_proje_klasoru\grey.gif
- C:\gecici_proje_klasoru\etkinlestirme.vbs
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\ac.exe
- %TEMP%\b911.tmp\ac.cmd
- %TEMP%\4182.tmp\windows_10_digital_activation.cmd
- C:\gecici_proje_klasoru\$oem$\$$\setup\scripts\bin\x64\slc.dll
- %TEMP%\aut2d4e.tmp
- %TEMP%\aut2d0e.tmp
- %TEMP%\aut2b1a.tmp
- %TEMP%\aut2aea.tmp
- %TEMP%\aut2a9b.tmp
- %TEMP%\aut2a4c.tmp
- %TEMP%\aut2a1c.tmp
- C:\gecici_proje_klasoru\bin\x86\gatherosstate.exe
- C:\gecici_proje_klasoru\bin\x86\slc.dll
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
Создает и запускает на исполнение
- 'C:\gecici_proje_klasoru\s.exe'
- 'C:\gecici_proje_klasoru\h.exe'
- 'C:\gecici_proje_klasoru\wg.exe'
- 'C:\gecici_proje_klasoru\bin\x64\gatherosstate.exe'
- 'C:\gecici_proje_klasoru\ac.exe'
- '%WINDIR%\syswow64\wscript.exe' "C:\gecici_proje_klasoru\etkinlestirme.vbs"
- 'C:\gecici_proje_klasoru\e.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\2F49.tmp\S.bat C:\gecici_proje_klasoru\S.exe"' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4182.tmp\Windows_10_Digital_Activation.cmd C:\gecici_proje_klasoru\WG.exe"' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B911.tmp\ac.cmd C:\gecici_proje_klasoru\ac.exe"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\2F49.tmp\S.bat C:\gecici_proje_klasoru\S.exe"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B911.tmp\ac.cmd C:\gecici_proje_klasoru\ac.exe"
- '<SYSTEM32>\mode.com' con cols=60 lines=25
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\Tokens" /f
- '<SYSTEM32>\cscript.exe' /nologo <SYSTEM32>\slmgr.vbs -ato
- '<SYSTEM32>\timeout.exe' /t 3
- '<SYSTEM32>\cscript.exe' /nologo <SYSTEM32>\slmgr.vbs -ipk
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Tokens\Kernel" /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Tokens\Kernel" /v "Kernel-ProductInfo" /t REG_DWORD /d /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Tokens" /v "Channel" /t REG_SZ /d "Retail" /f
- '<SYSTEM32>\mode.com' con cols=97 lines=48
- '<SYSTEM32>\mode.com' con cols=97 lines=15
- '<SYSTEM32>\wbem\wmic.exe' path SoftwareLicensingProduct where (Name LIKE '%Windows%' and LicenseStatus='1') get name /value
- '<SYSTEM32>\cmd.exe' /c "wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and LicenseStatus='1') get name /value"
- '<SYSTEM32>\wbem\wmic.exe' path SoftwareLicensingProduct where (Name LIKE '%Windows%' and PartialProductKey is not null) get LicenseStatus /format:list
- '<SYSTEM32>\control.exe' /name Microsoft.System
- '<SYSTEM32>\cmd.exe' /c "wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and PartialProductKey is not null) get LicenseStatus /format:list"
- '<SYSTEM32>\cmd.exe' /c reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"
- '<SYSTEM32>\findstr.exe' REG_SZ
- '<SYSTEM32>\findstr.exe' CurrentVersion
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
- '<SYSTEM32>\cmd.exe' /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr CurrentVersion | findstr REG_SZ
- '<SYSTEM32>\fltmc.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4182.tmp\Windows_10_Digital_Activation.cmd C:\gecici_proje_klasoru\WG.exe"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\K.png"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\etkinlestirme.vbs"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\E.exe"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\WG.exe"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\H.exe"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru\S.exe"
- '<SYSTEM32>\attrib.exe' +r +h +s "\gecici_proje_klasoru"
- '<SYSTEM32>\reg.exe' query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"
- '%WINDIR%\syswow64\wscript.exe' "<SYSTEM32>\slmgr.vbs" -XPR
