Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{FDF17B4A-8E6F-AD41-BE62-06E3AC4E25FE}' = '%APPDATA%\Roaming\Ejov\ciify.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- '%APPDATA%\Roaming\Ejov\ciify.exe'
Запускает на исполнение:
- '<SYSTEM32>\conhost.exe'
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\rundll32.exe
Изменения в файловой системе:
Создает следующие файлы:
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\orvknrprupswnzpztlrugbumnyh_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hnjnxukcebuddeaqzhxcfynjjr_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xoswdipqqscmojdeojqqwpvtw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gyxfmakbhqkndmlaizdeydixfq_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\empzhcuciizdyucdamjuglayhyuc_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pzmfxvstdlwqclbnfdeiwgx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gmfgujnhicuuwjrhelbgmpfyjz_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\okjphtkyhqkxljaidlribovug_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ltkobeakncaifgqqwkhadexkib_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yuptsrivyrcnzbiljzhekzir_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\dkrkvofqwiflknmzpnrpzxnfbu_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\drqequkblnrbiornzxzthivfa_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\wgndmjvcphazhqrgifculfcyt_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\jfayeyxkjeuhxwdyhpryxciaq_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\nrhkrusvsoffutsgyvbuwudmvgdu_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\culvdatrfcucieaxwdfgeofvw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yxrgnzvgealhhycieudeydqci_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\njlrjrlffuozbqxgytnpncax_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\vwlfyhaknhilojbeyjnptcmzfu_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\kbylirwcdmdpnnjuseatoneqx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bprrkjeivpjpmfvwuzxspn_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tnvguoffixovxhypaqwsxqwdi_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ozpvvtwhqgbenvhcylffelftcqd_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\zpxfilvqclblrrjbeuxkaqow_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\dbihhadywpnsifzpudytrgam_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\rwyaiaulronbylcidevbmhcavw_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\adabyljnfhyvwuhvcvwswshfqnz_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\lvdqijwgylmbuoijprvsfyizcudmfx_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\aysofpwnjpzamjkjlqoifcyor_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\cyscdehunvzptpjvinctkt_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xwovivluoxhpusfmxpfdizprgyx_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ojxhzxpjdugitokzlzpbltspnd_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\danbxqkpvvofaypxcxgeuaeovkdi_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ofmdefqigmpdtqgcqdytoz_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\blfewhiusxonwvwltwzhucscbe_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pnaxijdnvcgmduthbqhut_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\aezcytsxlxguehutxhiirx_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tfmwkpozrodmrwayipyxpn_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\mrzlrpbjbcuaucecutkkndaknjfs_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\vkciljwsphlfxgzhvkcargmnyscfu_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tweittpzzdsrtobscvg_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hovzplvuklamhxnrbmfekzzlheov_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\wsgmkfusyhpduaufqpnnzvcxuw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\muskvdkmbhacyduvvggarw_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yjnllremzxvgcalzzeavcmbxwpf_ru[1]
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\3030573F-00000001.eml
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\3030573F-00000001.eml:OECustomProperty
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
- %TEMP%\tmp9bb5ca7f.bat
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\nbqljnvofturcojfyqktdtpnlv_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\eipaqlgicyqghytkpsgbixgmfusp_biz[1]
- %TEMP%\ppcrlui_984_2
- %TEMP%\CabDF85.tmp
- %TEMP%\TarDF96.tmp
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
- <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
- <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
- %APPDATA%\Roaming\Ejov\ciify.exe
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
- <LS_APPDATA>\Microsoft\Windows Mail\edb.log
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xoarrclrypgyemtougrwqktgi_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bumnoryxztlvcknhqkrjftpbbq_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\galgmvslsclfafipxaytll_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\faxzvwaudenfmrwdgujbhllhu_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hyxfqthmkvhlnqajnzhyl_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\euldugpjijtzxamxknjcqjbxm_com[1]
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_80070422_76a4385aa7fdcd3dc476f7ea51e8ea5565f02fd_057852ff\Report.wer
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pdpvppjljwkonhutbuzlp_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\rchpskcubkzlcanzwohpupvcq_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\eulrdeeidtglxgtvowcitof_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tkvswbiwkcykjuobqivcmuwvgij_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\fivusgqdynrktnbzgumvccikjem_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\qgrkpbpdvjbifduhdmxtba_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\zlrzhdhrknvwsfufmqsswkzdcu_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\mjgqlnbmjhjrdqkfgylngypjtqjz_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xsglbhqhvkfahiwgheztxxx_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xwgcmyxgihnzirhejrwhidmnnf_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tspddtovautjvtcethathm_info[1]
- %WINDIR%\Temp\MPTelemetrySubmit\watson_manifest.txt
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\lzmbblzlgigydqshunrqcxrwus_biz[1]
- %WINDIR%\Temp\MPTelemetrySubmit\client_manifest.txt
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gqskgyifbyxcyxfekvhizhea_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bqvculfhukborxaifupvcydhedlz_net[1]
Удаляет следующие файлы:
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gmfgujnhicuuwjrhelbgmpfyjz_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\okjphtkyhqkxljaidlribovug_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\dkrkvofqwiflknmzpnrpzxnfbu_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ltkobeakncaifgqqwkhadexkib_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ozpvvtwhqgbenvhcylffelftcqd_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\aezcytsxlxguehutxhiirx_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\blfewhiusxonwvwltwzhucscbe_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tfmwkpozrodmrwayipyxpn_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\mrzlrpbjbcuaucecutkkndaknjfs_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gyxfmakbhqkndmlaizdeydixfq_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\empzhcuciizdyucdamjuglayhyuc_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\njlrjrlffuozbqxgytnpncax_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\vwlfyhaknhilojbeyjnptcmzfu_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xoswdipqqscmojdeojqqwpvtw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pzmfxvstdlwqclbnfdeiwgx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yuptsrivyrcnzbiljzhekzir_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\orvknrprupswnzpztlrugbumnyh_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hnjnxukcebuddeaqzhxcfynjjr_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\dbihhadywpnsifzpudytrgam_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\aysofpwnjpzamjkjlqoifcyor_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\rwyaiaulronbylcidevbmhcavw_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\zpxfilvqclblrrjbeuxkaqow_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\danbxqkpvvofaypxcxgeuaeovkdi_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\cyscdehunvzptpjvinctkt_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xwovivluoxhpusfmxpfdizprgyx_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ofmdefqigmpdtqgcqdytoz_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ojxhzxpjdugitokzlzpbltspnd_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\muskvdkmbhacyduvvggarw_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yjnllremzxvgcalzzeavcmbxwpf_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pnaxijdnvcgmduthbqhut_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\vkciljwsphlfxgzhvkcargmnyscfu_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\wsgmkfusyhpduaufqpnnzvcxuw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\adabyljnfhyvwuhvcvwswshfqnz_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\lvdqijwgylmbuoijprvsfyizcudmfx_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tweittpzzdsrtobscvg_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hovzplvuklamhxnrbmfekzzlheov_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tspddtovautjvtcethathm_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\gqskgyifbyxcyxfekvhizhea_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\qgrkpbpdvjbifduhdmxtba_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\zlrzhdhrknvwsfufmqsswkzdcu_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bqvculfhukborxaifupvcydhedlz_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\euldugpjijtzxamxknjcqjbxm_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\faxzvwaudenfmrwdgujbhllhu_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\lzmbblzlgigydqshunrqcxrwus_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\hyxfqthmkvhlnqajnzhyl_ru[1]
- %TEMP%\ppcrlui_984_2
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\nbqljnvofturcojfyqktdtpnlv_ru[1]
- %TEMP%\CabDF85.tmp
- %TEMP%\TarDF96.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\eipaqlgicyqghytkpsgbixgmfusp_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xwgcmyxgihnzirhejrwhidmnnf_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\mjgqlnbmjhjrdqkfgylngypjtqjz_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xoarrclrypgyemtougrwqktgi_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\xsglbhqhvkfahiwgheztxxx_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\jfayeyxkjeuhxwdyhpryxciaq_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\drqequkblnrbiornzxzthivfa_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\nrhkrusvsoffutsgyvbuwudmvgdu_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\culvdatrfcucieaxwdfgeofvw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\wgndmjvcphazhqrgifculfcyt_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tnvguoffixovxhypaqwsxqwdi_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\kbylirwcdmdpnnjuseatoneqx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\yxrgnzvgealhhycieudeydqci_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bprrkjeivpjpmfvwuzxspn_ru[1]
- %WINDIR%\Temp\MPTelemetrySubmit\watson_manifest.txt
- %WINDIR%\Temp\MPTelemetrySubmit\client_manifest.txt
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bumnoryxztlvcknhqkrjftpbbq_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\galgmvslsclfafipxaytll_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\tkvswbiwkcykjuobqivcmuwvgij_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\pdpvppjljwkonhutbuzlp_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\rchpskcubkzlcanzwohpupvcq_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\fivusgqdynrktnbzgumvccikjem_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\eulrdeeidtglxgtvowcitof_org[1]
Перемещает следующие файлы:
- <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log в <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Самоудаляется.
Сетевая активность:
Подключается к:
- 'ok#######qkxljaidlribovug.org':80
- 'oz########benvhcylffelftcqd.info':80
- 'lt#######caifgqqwkhadexkib.biz':80
- 'gm#######cuuwjrhelbgmpfyjz.net':80
- 'ae######lxguehutxhiirx.com':80
- 'bl#######xonwvwltwzhucscbe.info':80
- 'tf######rodmrwayipyxpn.com':80
- 'mr#######cuaucecutkkndaknjfs.ru':80
- 'dk#######iflknmzpnrpzxnfbu.ru':80
- 'em#######izdyucdamjuglayhyuc.ru':80
- 'xo#######scmojdeojqqwpvtw.com':80
- 'vw#######hilojbeyjnptcmzfu.info':80
- 'gy#######qkndmlaizdeydixfq.com':80
- 'pz######dlwqclbnfdeiwgx.net':80
- 'yu#######rcnzbiljzhekzir.com':80
- 'or#######pswnzpztlrugbumnyh.biz':80
- 'hn#######buddeaqzhxcfynjjr.org':80
- 'pn######vcgmduthbqhut.org':80
- 'ay#######pzamjkjlqoifcyor.biz':80
- 'da########ofaypxcxgeuaeovkdi.net':80
- 'zp#######lblrrjbeuxkaqow.com':80
- 'db#######pnsifzpudytrgam.info':80
- 'cy######nvzptpjvinctkt.com':80
- 'xw#######xhpusfmxpfdizprgyx.biz':80
- 'of######gmpdtqgcqdytoz.com':80
- 'oj#######ugitokzlzpbltspnd.ru':80
- 'rw#######onbylcidevbmhcavw.ru':80
- 'yj#######xvgcalzzeavcmbxwpf.ru':80
- 'ws#######hpduaufqpnnzvcxuw.com':80
- 'vk########lfxgzhvkcargmnyscfu.net':80
- 'mu######bhacyduvvggarw.biz':80
- 'ad#######hyvwuhvcvwswshfqnz.biz':80
- 'lv########mbuoijprvsfyizcudmfx.com':80
- 'tw#####zzdsrtobscvg.net':80
- 'ho########amhxnrbmfekzzlheov.org':80
- 'gq#######yxcyxfekvhizhea.org':80
- 'bq########borxaifupvcydhedlz.net':80
- 'zl#######nvwsfufmqsswkzdcu.com':80
- 'ts######autjvtcethathm.info':80
- 'eu#######jtzxamxknjcqjbxm.com':80
- 'fa#######enfmrwdgujbhllhu.net':80
- 'lz#######igydqshunrqcxrwus.biz':80
- 'hy######kvhlnqajnzhyl.ru':80
- 'qg######vjbifduhdmxtba.ru':80
- 'nb#######turcojfyqktdtpnlv.ru':80
- 'ei########qghytkpsgbixgmfusp.biz':80
- '74.##5.232.51':80
- 'www.bing.com':80
- 'xw#######hnzirhejrwhidmnnf.info':80
- 'mj########jrdqkfgylngypjtqjz.com':80
- 'xo#######pgyemtougrwqktgi.net':80
- 'xs######vkfahiwgheztxxx.org':80
- 'bu#######tlvcknhqkrjftpbbq.org':80
- 'wg#######hazhqrgifculfcyt.biz':80
- 'yx#######alhhycieudeydqci.com':80
- 'jf#######euhxwdyhpryxciaq.info':80
- 'dr#######nrbiornzxzthivfa.org':80
- 'kb#######mdpnnjuseatoneqx.net':80
- 'nj#######uozbqxgytnpncax.biz':80
- 'bp######vpjpmfvwuzxspn.ru':80
- 'tn#######xovxhypaqwsxqwdi.com':80
- 'cu#######cucieaxwdfgeofvw.com':80
- 'tk#######cykjuobqivcmuwvgij.com':80
- 'fi#######nrktnbzgumvccikjem.net':80
- 'ga######sclfafipxaytll.ru':80
- '20#.#6.232.182':80
- 'rc#######kzlcanzwohpupvcq.biz':80
- 'nr#######offutsgyvbuwudmvgdu.ru':80
- 'eu######dtglxgtvowcitof.org':80
- 'pd######jwkonhutbuzlp.info':80
TCP:
Запросы HTTP GET:
- ok#######qkxljaidlribovug.org/
- oz########benvhcylffelftcqd.info/
- lt#######caifgqqwkhadexkib.biz/
- gm#######cuuwjrhelbgmpfyjz.net/
- ae######lxguehutxhiirx.com/
- bl#######xonwvwltwzhucscbe.info/
- tf######rodmrwayipyxpn.com/
- mr#######cuaucecutkkndaknjfs.ru/
- dk#######iflknmzpnrpzxnfbu.ru/
- em#######izdyucdamjuglayhyuc.ru/
- xo#######scmojdeojqqwpvtw.com/
- vw#######hilojbeyjnptcmzfu.info/
- gy#######qkndmlaizdeydixfq.com/
- pz######dlwqclbnfdeiwgx.net/
- yu#######rcnzbiljzhekzir.com/
- or#######pswnzpztlrugbumnyh.biz/
- hn#######buddeaqzhxcfynjjr.org/
- pn######vcgmduthbqhut.org/
- ay#######pzamjkjlqoifcyor.biz/
- da########ofaypxcxgeuaeovkdi.net/
- zp#######lblrrjbeuxkaqow.com/
- db#######pnsifzpudytrgam.info/
- cy######nvzptpjvinctkt.com/
- xw#######xhpusfmxpfdizprgyx.biz/
- of######gmpdtqgcqdytoz.com/
- oj#######ugitokzlzpbltspnd.ru/
- rw#######onbylcidevbmhcavw.ru/
- yj#######xvgcalzzeavcmbxwpf.ru/
- ws#######hpduaufqpnnzvcxuw.com/
- vk########lfxgzhvkcargmnyscfu.net/
- mu######bhacyduvvggarw.biz/
- ad#######hyvwuhvcvwswshfqnz.biz/
- lv########mbuoijprvsfyizcudmfx.com/
- tw#####zzdsrtobscvg.net/
- ho########amhxnrbmfekzzlheov.org/
- gq#######yxcyxfekvhizhea.org/
- bq########borxaifupvcydhedlz.net/
- zl#######nvwsfufmqsswkzdcu.com/
- ts######autjvtcethathm.info/
- eu#######jtzxamxknjcqjbxm.com/
- fa#######enfmrwdgujbhllhu.net/
- lz#######igydqshunrqcxrwus.biz/
- hy######kvhlnqajnzhyl.ru/
- qg######vjbifduhdmxtba.ru/
- nb#######turcojfyqktdtpnlv.ru/
- ei########qghytkpsgbixgmfusp.biz/
- 74.##5.232.51/
- www.bing.com/
- xw#######hnzirhejrwhidmnnf.info/
- mj########jrdqkfgylngypjtqjz.com/
- xo#######pgyemtougrwqktgi.net/
- xs######vkfahiwgheztxxx.org/
- bu#######tlvcknhqkrjftpbbq.org/
- wg#######hazhqrgifculfcyt.biz/
- yx#######alhhycieudeydqci.com/
- jf#######euhxwdyhpryxciaq.info/
- dr#######nrbiornzxzthivfa.org/
- kb#######mdpnnjuseatoneqx.net/
- nj#######uozbqxgytnpncax.biz/
- bp######vpjpmfvwuzxspn.ru/
- tn#######xovxhypaqwsxqwdi.com/
- cu#######cucieaxwdfgeofvw.com/
- fi#######nrktnbzgumvccikjem.net/
- eu######dtglxgtvowcitof.org/
- ga######sclfafipxaytll.ru/
- tk#######cykjuobqivcmuwvgij.com/
- rc#######kzlcanzwohpupvcq.biz/
- nr#######offutsgyvbuwudmvgdu.ru/
- 20#.#6.232.182/fwlink/?Li######################################################################################################
- pd######jwkonhutbuzlp.info/
UDP:
- DNS ASK or#######pswnzpztlrugbumnyh.biz
- DNS ASK hn#######buddeaqzhxcfynjjr.org
- DNS ASK xo#######scmojdeojqqwpvtw.com
- DNS ASK gy#######qkndmlaizdeydixfq.com
- DNS ASK em#######izdyucdamjuglayhyuc.ru
- DNS ASK pz######dlwqclbnfdeiwgx.net
- DNS ASK gm#######cuuwjrhelbgmpfyjz.net
- DNS ASK ok#######qkxljaidlribovug.org
- DNS ASK lt#######caifgqqwkhadexkib.biz
- DNS ASK yu#######rcnzbiljzhekzir.com
- DNS ASK dk#######iflknmzpnrpzxnfbu.ru
- DNS ASK dr#######nrbiornzxzthivfa.org
- DNS ASK wg#######hazhqrgifculfcyt.biz
- DNS ASK jf#######euhxwdyhpryxciaq.info
- DNS ASK xw#######xhpusfmxpfdizprgyx.biz
- DNS ASK cu#######cucieaxwdfgeofvw.com
- DNS ASK yx#######alhhycieudeydqci.com
- DNS ASK nj#######uozbqxgytnpncax.biz
- DNS ASK vw#######hilojbeyjnptcmzfu.info
- DNS ASK kb#######mdpnnjuseatoneqx.net
- DNS ASK bp######vpjpmfvwuzxspn.ru
- DNS ASK tn#######xovxhypaqwsxqwdi.com
- DNS ASK rw#######onbylcidevbmhcavw.ru
- DNS ASK zp#######lblrrjbeuxkaqow.com
- DNS ASK lv########mbuoijprvsfyizcudmfx.com
- DNS ASK ho########amhxnrbmfekzzlheov.org
- DNS ASK ad#######hyvwuhvcvwswshfqnz.biz
- DNS ASK db#######pnsifzpudytrgam.info
- DNS ASK oj#######ugitokzlzpbltspnd.ru
- DNS ASK cy######nvzptpjvinctkt.com
- DNS ASK of######gmpdtqgcqdytoz.com
- DNS ASK ay#######pzamjkjlqoifcyor.biz
- DNS ASK da########ofaypxcxgeuaeovkdi.net
- DNS ASK ae######lxguehutxhiirx.com
- DNS ASK bl#######xonwvwltwzhucscbe.info
- DNS ASK mr#######cuaucecutkkndaknjfs.ru
- DNS ASK oz########benvhcylffelftcqd.info
- DNS ASK tf######rodmrwayipyxpn.com
- DNS ASK pn######vcgmduthbqhut.org
- DNS ASK ws#######hpduaufqpnnzvcxuw.com
- DNS ASK tw#####zzdsrtobscvg.net
- DNS ASK yj#######xvgcalzzeavcmbxwpf.ru
- DNS ASK vk########lfxgzhvkcargmnyscfu.net
- DNS ASK mu######bhacyduvvggarw.biz
- DNS ASK qg######vjbifduhdmxtba.ru
- DNS ASK mj########jrdqkfgylngypjtqjz.com
- DNS ASK xw#######hnzirhejrwhidmnnf.info
- DNS ASK gq#######yxcyxfekvhizhea.org
- DNS ASK ts######autjvtcethathm.info
- DNS ASK zl#######nvwsfufmqsswkzdcu.com
- DNS ASK xs######vkfahiwgheztxxx.org
- DNS ASK www.bing.com
- DNS ASK www.google.com
- DNS ASK nr#######offutsgyvbuwudmvgdu.ru
- DNS ASK xo#######pgyemtougrwqktgi.net
- DNS ASK ei########qghytkpsgbixgmfusp.biz
- DNS ASK nb#######turcojfyqktdtpnlv.ru
- DNS ASK bq########borxaifupvcydhedlz.net
- DNS ASK eu######dtglxgtvowcitof.org
- DNS ASK fi#######nrktnbzgumvccikjem.net
- DNS ASK tk#######cykjuobqivcmuwvgij.com
- DNS ASK rc#######kzlcanzwohpupvcq.biz
- DNS ASK pd######jwkonhutbuzlp.info
- DNS ASK go.###rosoft.com
- DNS ASK wa####.microsoft.com
- DNS ASK eu#######jtzxamxknjcqjbxm.com
- DNS ASK hy######kvhlnqajnzhyl.ru
- DNS ASK lz#######igydqshunrqcxrwus.biz
- DNS ASK ga######sclfafipxaytll.ru
- DNS ASK bu#######tlvcknhqkrjftpbbq.org
- DNS ASK fa#######enfmrwdgujbhllhu.net
- '18#.#48.91.99':23798
- '64.##1.249.250':27667
- '10#.#33.89.74':12851
- '94.##0.224.115':27794
- '22#.0.0.252':5355
- '37.##2.27.130':11815
- '2.##.42.157':22487
- '18#.#72.45.5':11680
- '18#.#34.187.62':13338
- '95.##9.225.8':11922
- '19#.#9.157.124':11145
- '17#.#3.238.72':22869
- '95.##.104.231':26178
- '19#.#69.125.228':29902
- '76.##5.44.216':13467
- '69.##.132.197':13027
- '75.##.131.25':25864
- '79.##.36.133':14056
