Техническая информация
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /f /im msftesql.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im dbeng50.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im sqbcoreservice.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im excel.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im infopath.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im msaccess.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mspub.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mydesktopqos.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im onenote.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im powerpnt.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im steam.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im thebat.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im thebat64.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im thunderbird.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im visio.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mysqld-nt.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mysqld-opt.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mysqld.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im ocomm.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im tbirdconfig.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im sqlbrowser.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im sqlservr.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im sqlwriter.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im oracle.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im ocssd.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im dbsnmp.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im winword.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im outlook.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im synctime.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im xfssvccon.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im mydesktopservice.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im ocautoupds.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im agntsvc.exeagntsvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im agntsvc.exeencsvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im firefoxconfig.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im sqlagent.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im agntsvc.exeisqlplussvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im wordpad.exe
Читает файлы, отвечающие за хранение паролей сторонними программами
- %HOMEPATH%\desktop\000814251_video_01.avi
- %HOMEPATH%\desktop\garden.htm
- %HOMEPATH%\desktop\sdkfailsafeemulator.cer
- %HOMEPATH%\desktop\advice_process.htm
- %HOMEPATH%\desktop\alert.htm
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\browse.htm
- %HOMEPATH%\desktop\default.bmp
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\contoso.cer
- %HOMEPATH%\desktop\tree_view.htm
- %HOMEPATH%\desktop\dashborder_192.bmp
- %HOMEPATH%\desktop\trivial-merge.htm
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
Изменения в файловой системе
Создает следующие файлы
- %WINDIR%\debug.bat
- %HOMEPATH%\contacts\readme.html
- %HOMEPATH%\desktop\readme.html
- %HOMEPATH%\documents\readme.html
- %HOMEPATH%\downloads\readme.html
- %HOMEPATH%\favorites\readme.html
- %HOMEPATH%\favorites\links\readme.html
- %HOMEPATH%\favorites\links for united states\readme.html
- %HOMEPATH%\favorites\msn websites\readme.html
- %HOMEPATH%\favorites\microsoft websites\readme.html
- %HOMEPATH%\links\readme.html
- %HOMEPATH%\music\readme.html
- %HOMEPATH%\pictures\readme.html
- %HOMEPATH%\saved games\readme.html
- C:\users\default\links\readme.html
- %HOMEPATH%\searches\readme.html
- C:\kms\readme.html
- <Текущая директория>\readme.html
- C:\users\public\music\sample music\maid with the flaxen hair.mp3.locked
- %HOMEPATH%\contacts\user.contact.locked
- %HOMEPATH%\desktop\000814251_video_01.avi.locked
- C:\users\public\videos\sample videos\wildlife.wmv.locked
- C:\users\public\music\sample music\kalimba.mp3.locked
- C:\users\public\music\sample music\sleep away.mp3.locked
- %HOMEPATH%\desktop\garden.htm.locked
- C:\users\public\pictures\sample pictures\desert.jpg.locked
- C:\users\public\pictures\sample pictures\hydrangeas.jpg.locked
- C:\recovery\4d53d3aa-5835-11ef-baad-8f07b80b2fb5\winre.wim.locked
- C:\users\public\pictures\sample pictures\chrysanthemum.jpg.locked
- C:\users\public\videos\sample videos\readme.html
- %HOMEPATH%\readme.html
- C:\users\public\videos\readme.html
- C:\users\public\recorded tv\sample media\readme.html
- C:\users\public\recorded tv\readme.html
- nul
- %ALLUSERSPROFILE%\hello.txt
- %ALLUSERSPROFILE%\wvove.txt
- C:\msocache\readme.html
- C:\perflogs\readme.html
- C:\perflogs\admin\readme.html
- C:\recovery\readme.html
- C:\recovery\4d53d3aa-5835-11ef-baad-8f07b80b2fb5\readme.html
- C:\users\readme.html
- C:\users\default\readme.html
- C:\users\default\desktop\readme.html
- C:\users\default\documents\readme.html
- C:\users\default\downloads\readme.html
- C:\users\public\pictures\sample pictures\tulips.jpg.locked
- %HOMEPATH%\videos\readme.html
- C:\users\default\favorites\readme.html
- C:\users\default\pictures\readme.html
- C:\users\default\saved games\readme.html
- C:\users\default\videos\readme.html
- C:\users\public\readme.html
- C:\users\public\desktop\readme.html
- C:\users\public\documents\readme.html
- C:\users\public\downloads\readme.html
- C:\users\public\favorites\readme.html
- C:\users\public\libraries\readme.html
- C:\users\public\music\readme.html
- C:\users\public\music\sample music\readme.html
- C:\users\public\pictures\readme.html
- C:\users\public\pictures\sample pictures\readme.html
- %WINDIR%\windebug.exe
- C:\users\default\music\readme.html
- C:\users\public\pictures\sample pictures\koala.jpg.locked
Подменяет следующие файлы
- %HOMEPATH%\Desktop\000814251_video_01.avi
- %HOMEPATH%\Contacts\user.contact
- C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
- %HOMEPATH%\Desktop\Garden.htm
- %HOMEPATH%\Desktop\SDKFailsafeEmulator.cer
- C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
- %HOMEPATH%\Desktop\advice_process.htm
- C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
- C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
- C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
- C:\Users\Public\Music\Sample Music\Kalimba.mp3
- C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
- C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
- C:\Users\Public\Music\Sample Music\Sleep Away.mp3
Изменяет множество файлов пользовательских данных (Trojan.Encoder).
Изменяет расширения файлов пользовательских данных (Trojan.Encoder).
Сетевая активность
Подключается к
- '19#.#6.28.230':80
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%WINDIR%\windebug.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\debug.bat" "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mysqld.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mysqld-nt.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mysqld-opt.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im dbeng50.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im sqbcoreservice.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im excel.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im infopath.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im msaccess.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mspub.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im onenote.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im outlook.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im powerpnt.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im steam.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im thebat.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im thebat64.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im thunderbird.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im visio.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im winword.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im wordpad.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im ocomm.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "whoami >>%ALLUSERSPROFILE%\WVOVE.txt"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im tbirdconfig.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im agntsvc.exeencsvc.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im msftesql.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "schtasks /delete /tn WM /F "
- '%WINDIR%\syswow64\schtasks.exe' /delete /tn WM /F
- '%WINDIR%\syswow64\cmd.exe' /c "del C:\e.bat"
- '%WINDIR%\syswow64\cmd.exe' /c "del C:\a.bat"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im sqlagent.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im sqlbrowser.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im sqlservr.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im sqlwriter.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im oracle.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im ocssd.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im dbsnmp.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im synctime.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mydesktopqos.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im agntsvc.exeisqlplussvc.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im xfssvccon.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im mydesktopservice.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im ocautoupds.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im agntsvc.exeagntsvc.exe "
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im firefoxconfig.exe "
- '%WINDIR%\syswow64\whoami.exe'
