Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\Software\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command] '' = '%ProgramFiles%\Uninstall Tool\UninstallToolExec.exe'
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\rununinstalltool_skipuac
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\CisUtMonitor] 'ImagePath' = 'system32\DRIVERS\CisUtMonitor.sys'
Создает следующие сервисы
- 'CisUtMonitor' system32\DRIVERS\CisUtMonitor.sys
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /f /im UninstallTool.exe
Регистрирует фильтр файловой системы
- [<HKLM>\System\CurrentControlSet\Services\CisUtMonitor] 'Group' = 'FSFilter Activity Monitor'
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\autd4bc.tmp
- %ProgramFiles%\uninstall tool\languages\is-f02o9.tmp
- %ProgramFiles%\uninstall tool\languages\is-t36m1.tmp
- %ProgramFiles%\uninstall tool\languages\is-eiq64.tmp
- %ProgramFiles%\uninstall tool\languages\is-c42ur.tmp
- %ProgramFiles%\uninstall tool\languages\is-hqr3m.tmp
- %ProgramFiles%\uninstall tool\languages\is-hvpa6.tmp
- %ProgramFiles%\uninstall tool\languages\is-sejhu.tmp
- %ProgramFiles%\uninstall tool\languages\is-vmesu.tmp
- %ProgramFiles%\uninstall tool\languages\is-quo93.tmp
- %ProgramFiles%\uninstall tool\languages\is-4aig4.tmp
- %ProgramFiles%\uninstall tool\is-i3m6j.tmp
- %ProgramFiles%\uninstall tool\is-pijn5.tmp
- %ProgramFiles%\uninstall tool\is-qs6b6.tmp
- %ProgramFiles%\uninstall tool\languages\is-8evs5.tmp
- %ProgramFiles%\uninstall tool\is-1g6li.tmp
- %ProgramFiles%\uninstall tool\is-ee058.tmp
- %ProgramFiles%\uninstall tool\is-re70n.tmp
- %ProgramFiles%\uninstall tool\is-v6mc9.tmp
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\uninstall tool\unіnstall tool.lnk
- %HOMEPATH%\desktop\uninstall tool.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\uninstall tool\uninstall tool on the web.lnk
- %ProgramFiles%\uninstall tool\uninstalltool.url
- %ProgramFiles%\uninstall tool\unins000.msg
- %ProgramFiles%\uninstall tool\unins000.dat
- <DRIVERS>\set143b.tmp
- %WINDIR%\temp\udd187f.tmp
- %APPDATA%\crystalidea software\uninstall tool\preferences.xml
- %APPDATA%\crystalidea software\uninstall tool\cacheddata.dat
- %ProgramFiles%\uninstall tool\languages\is-r52id.tmp
- %ProgramFiles%\uninstall tool\languages\is-nqi95.tmp
- %ProgramFiles%\uninstall tool\languages\is-2649t.tmp
- %ProgramFiles%\uninstall tool\languages\is-002o1.tmp
- %ProgramFiles%\uninstall tool\languages\is-moic4.tmp
- %TEMP%\is-ajdgh.tmp\~lwxaprd.tmp
- %TEMP%\is-5c3fo.tmp\_isetup\_setup64.tmp
- %ProgramFiles%\uninstall tool\is-jkj14.tmp
- %ProgramFiles%\uninstall tool\languages\is-r1raa.tmp
- %ProgramFiles%\uninstall tool\languages\is-hchje.tmp
- %ProgramFiles%\uninstall tool\languages\is-jf99a.tmp
- %ProgramFiles%\uninstall tool\languages\is-efgvu.tmp
- %ProgramFiles%\uninstall tool\languages\is-mulvb.tmp
- %ProgramFiles%\uninstall tool\languages\is-p6f3k.tmp
- %ProgramFiles%\uninstall tool\languages\is-n8lt8.tmp
- %ProgramFiles%\uninstall tool\languages\is-t8dim.tmp
- %ProgramFiles%\uninstall tool\languages\is-8bo84.tmp
- %ProgramFiles%\uninstall tool\languages\is-45r6k.tmp
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\unіnstall tool.lnk
- %ProgramFiles%\uninstall tool\is-gn08q.tmp
- %ProgramFiles%\uninstall tool\languages\is-pilvb.tmp
- %ProgramFiles%\uninstall tool\languages\is-ov717.tmp
- %ProgramFiles%\uninstall tool\languages\is-tgn7a.tmp
- %ProgramFiles%\uninstall tool\languages\is-144j2.tmp
- %ProgramFiles%\uninstall tool\languages\is-h5tg1.tmp
- %ProgramFiles%\uninstall tool\languages\is-jsgc5.tmp
- %ProgramFiles%\uninstall tool\languages\is-j56gu.tmp
- %ProgramFiles%\uninstall tool\languages\is-s7k26.tmp
- %ProgramFiles%\uninstall tool\languages\is-l7pml.tmp
- %ProgramFiles%\uninstall tool\languages\is-gj7k5.tmp
- %ProgramFiles%\uninstall tool\languages\is-e0drv.tmp
- %ProgramFiles%\uninstall tool\languages\is-12o88.tmp
- %ProgramFiles%\uninstall tool\languages\is-4tc00.tmp
- %ProgramFiles%\uninstall tool\languages\is-cflq0.tmp
- %CommonProgramFiles(x86)%\~lwxaprd.tmp
- %ProgramFiles%\uninstall tool\languages\is-vidif.tmp
- %ProgramFiles%\uninstall tool\uninstalltool.exe
Присваивает атрибут 'скрытый' для следующих файлов
- %CommonProgramFiles(x86)%\~lwxaprd.tmp
Удаляет следующие файлы
- %TEMP%\autd4bc.tmp
- %WINDIR%\temp\udd187f.tmp
- %TEMP%\is-5c3fo.tmp\_isetup\_setup64.tmp
- %TEMP%\is-ajdgh.tmp\~lwxaprd.tmp
- %CommonProgramFiles(x86)%\~lwxaprd.tmp
Перемещает следующие файлы
- %ProgramFiles%\uninstall tool\is-jkj14.tmp в %ProgramFiles%\uninstall tool\unins000.exe
- %ProgramFiles%\uninstall tool\languages\is-moic4.tmp в %ProgramFiles%\uninstall tool\languages\norwegian.xml
- %ProgramFiles%\uninstall tool\languages\is-002o1.tmp в %ProgramFiles%\uninstall tool\languages\persian.xml
- %ProgramFiles%\uninstall tool\languages\is-2649t.tmp в %ProgramFiles%\uninstall tool\languages\polish.xml
- %ProgramFiles%\uninstall tool\languages\is-r52id.tmp в %ProgramFiles%\uninstall tool\languages\portuguese.xml
- %ProgramFiles%\uninstall tool\languages\is-nqi95.tmp в %ProgramFiles%\uninstall tool\languages\portuguese_brazilian.xml
- %ProgramFiles%\uninstall tool\languages\is-f02o9.tmp в %ProgramFiles%\uninstall tool\languages\romanian.xml
- %ProgramFiles%\uninstall tool\languages\is-t36m1.tmp в %ProgramFiles%\uninstall tool\languages\russian.xml
- %ProgramFiles%\uninstall tool\languages\is-eiq64.tmp в %ProgramFiles%\uninstall tool\languages\serbian_cyrillic.xml
- %ProgramFiles%\uninstall tool\languages\is-c42ur.tmp в %ProgramFiles%\uninstall tool\languages\serbian_latin.xml
- %ProgramFiles%\uninstall tool\languages\is-hqr3m.tmp в %ProgramFiles%\uninstall tool\languages\slovak.xml
- %ProgramFiles%\uninstall tool\languages\is-sejhu.tmp в %ProgramFiles%\uninstall tool\languages\swedish.xml
- %ProgramFiles%\uninstall tool\is-v6mc9.tmp в %ProgramFiles%\uninstall tool\cisutmonitor.sys
- %ProgramFiles%\uninstall tool\languages\is-vmesu.tmp в %ProgramFiles%\uninstall tool\languages\turkish.xml
- %ProgramFiles%\uninstall tool\languages\is-quo93.tmp в %ProgramFiles%\uninstall tool\languages\ukrainian.xml
- %ProgramFiles%\uninstall tool\languages\is-4aig4.tmp в %ProgramFiles%\uninstall tool\languages\vietnamese.xml
- %ProgramFiles%\uninstall tool\is-i3m6j.tmp в %ProgramFiles%\uninstall tool\uninstalltool.exe
- %ProgramFiles%\uninstall tool\is-pijn5.tmp в %ProgramFiles%\uninstall tool\uninstalltool.cpl
- %ProgramFiles%\uninstall tool\is-qs6b6.tmp в %ProgramFiles%\uninstall tool\utshellext.dll
- %ProgramFiles%\uninstall tool\is-1g6li.tmp в %ProgramFiles%\uninstall tool\utshellext_x86.dll
- %ProgramFiles%\uninstall tool\is-gn08q.tmp в %ProgramFiles%\uninstall tool\uninstalltoolhelper.exe
- %ProgramFiles%\uninstall tool\is-ee058.tmp в %ProgramFiles%\uninstall tool\uninstalltoolexec.exe
- %ProgramFiles%\uninstall tool\is-re70n.tmp в %ProgramFiles%\uninstall tool\cisutmonitor.inf
- %ProgramFiles%\uninstall tool\languages\is-cflq0.tmp в %ProgramFiles%\uninstall tool\languages\lithuanian.xml
- %ProgramFiles%\uninstall tool\languages\is-hvpa6.tmp в %ProgramFiles%\uninstall tool\languages\spanish.xml
- %ProgramFiles%\uninstall tool\languages\is-4tc00.tmp в %ProgramFiles%\uninstall tool\languages\latvian.xml
- %ProgramFiles%\uninstall tool\languages\is-pilvb.tmp в %ProgramFiles%\uninstall tool\languages\dutch.xml
- %ProgramFiles%\uninstall tool\languages\is-r1raa.tmp в %ProgramFiles%\uninstall tool\languages\arabic.xml
- %ProgramFiles%\uninstall tool\languages\is-hchje.tmp в %ProgramFiles%\uninstall tool\languages\armenian.xml
- %ProgramFiles%\uninstall tool\languages\is-jf99a.tmp в %ProgramFiles%\uninstall tool\languages\azerbaijani.xml
- %ProgramFiles%\uninstall tool\languages\is-efgvu.tmp в %ProgramFiles%\uninstall tool\languages\belarusian.xml
- %ProgramFiles%\uninstall tool\languages\is-mulvb.tmp в %ProgramFiles%\uninstall tool\languages\bulgarian.xml
- %ProgramFiles%\uninstall tool\languages\is-p6f3k.tmp в %ProgramFiles%\uninstall tool\languages\chinese_simplified.xml
- %ProgramFiles%\uninstall tool\languages\is-n8lt8.tmp в %ProgramFiles%\uninstall tool\languages\chinese_traditional.xml
- %ProgramFiles%\uninstall tool\languages\is-t8dim.tmp в %ProgramFiles%\uninstall tool\languages\croatian.xml
- %ProgramFiles%\uninstall tool\languages\is-8bo84.tmp в %ProgramFiles%\uninstall tool\languages\czech.xml
- %ProgramFiles%\uninstall tool\languages\is-45r6k.tmp в %ProgramFiles%\uninstall tool\languages\danish.xml
- %ProgramFiles%\uninstall tool\languages\is-8evs5.tmp в %ProgramFiles%\uninstall tool\languages\english.xml
- %ProgramFiles%\uninstall tool\languages\is-e0drv.tmp в %ProgramFiles%\uninstall tool\languages\japanese.xml
- %ProgramFiles%\uninstall tool\languages\is-vidif.tmp в %ProgramFiles%\uninstall tool\languages\estonian.xml
- %ProgramFiles%\uninstall tool\languages\is-ov717.tmp в %ProgramFiles%\uninstall tool\languages\french.xml
- %ProgramFiles%\uninstall tool\languages\is-tgn7a.tmp в %ProgramFiles%\uninstall tool\languages\georgian.xml
- %ProgramFiles%\uninstall tool\languages\is-144j2.tmp в %ProgramFiles%\uninstall tool\languages\german.xml
- %ProgramFiles%\uninstall tool\languages\is-h5tg1.tmp в %ProgramFiles%\uninstall tool\languages\greek.xml
- %ProgramFiles%\uninstall tool\languages\is-jsgc5.tmp в %ProgramFiles%\uninstall tool\languages\hebrew.xml
- %ProgramFiles%\uninstall tool\languages\is-j56gu.tmp в %ProgramFiles%\uninstall tool\languages\hindi.xml
- %ProgramFiles%\uninstall tool\languages\is-s7k26.tmp в %ProgramFiles%\uninstall tool\languages\hungarian.xml
- %ProgramFiles%\uninstall tool\languages\is-l7pml.tmp в %ProgramFiles%\uninstall tool\languages\indonesian.xml
- %ProgramFiles%\uninstall tool\languages\is-gj7k5.tmp в %ProgramFiles%\uninstall tool\languages\italian.xml
- %ProgramFiles%\uninstall tool\languages\is-12o88.tmp в %ProgramFiles%\uninstall tool\languages\korean.xml
- <DRIVERS>\set143b.tmp в <DRIVERS>\cisutmonitor.sys
Сетевая активность
TCP
- 'cr###alidea.com':443
UDP
- DNS ASK cr###alidea.com
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%CommonProgramFiles(x86)%\~lwxaprd.tmp' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- '%TEMP%\is-ajdgh.tmp\~lwxaprd.tmp' /SL5="$B0202,3211406,185856,%CommonProgramFiles(x86)%\~lwxaprd.tmp" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- '%ProgramFiles%\uninstall tool\uninstalltool.exe' /install_service_silent
- '%ProgramFiles%\uninstall tool\uninstalltool.exe' /init
- '%ProgramFiles%\uninstall tool\uninstalltool.exe' /add_control_panel_icon
- '%ProgramFiles%\uninstall tool\uninstalltool.exe' /pin_to_taskbar
- '%ProgramFiles%\uninstall tool\uninstalltoolexec.exe'
- '%ProgramFiles%\uninstall tool\uninstalltool.exe'
- '%ProgramFiles%\uninstall tool\uninstalltoolhelper.exe'
- '%WINDIR%\syswow64\taskkill.exe' /f /im UninstallTool.exe' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\Uninstall Tool\utshellext.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\Uninstall Tool\utshellext_x86.dll"
- '<SYSTEM32>\rundll32.exe' setupapi.dll, InstallHinfSection DefaultInstall 132 .\CisUtMonitor.inf
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\grpconv.exe' -o
