Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %APPDATA%\microsoft\windows\start menu\programs\startup\systemfilemain.exe
Вредоносные функции
Запускает большое число процессов
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\etilqs_ejnfucm6lvkoalf
- %TEMP%\etilqs_blwkyrz7gdhpy4p
- %TEMP%\etilqs_eh5xuqbleeulnwk
Сетевая активность
Подключается к
- 'gs.###dex.com.tr':443
- 'en######d-tbn0.gstatic.com':443
- 'tr##kino.me':443
- 'clients3.google.com':443
- 'tr######e.googleapis.com':443
- 'clients4.google.com':443
- 'clients2.google.com':443
- 'ss#.#static.com':443
- 'eb##ity.com':443
- 'cd##.#vvstream.pro':443
- 'yandex.ru':443
- 'ya###tic.net':443
- 'av#####.mds.yandex.net':443
- 'im###.rl0.ru':443
- 'si##i.name':443
- 'x1.#.lencr.org':80
- 'cd####.mndcdn.net':443
- 'er#.#oloe.me':443
- 'cd#####.boyfriendtv.com':443
- 'im#.####no.net':443
- 'im#.##gboss.love':443
TCP
Запросы HTTP GET
- http://x1.#.lencr.org/
- http://www.gs##tic.com/generate_204
Другие
- 'gs.###dex.com.tr':443
- 'en######d-tbn0.gstatic.com':443
- 'tr##kino.me':443
- 'clients3.google.com':443
- 'tr######e.googleapis.com':443
- 'clients4.google.com':443
- 'ss#.#static.com':443
- 'eb##ity.com':443
- 'cd##.#vvstream.pro':443
- 'google.com':443
- 'ya###tic.net':443
- 'av#####.mds.yandex.net':443
- 'im###.rl0.ru':443
- 'si##i.name':443
- 'cd####.mndcdn.net':443
- 'safebrowsing.google.com':443
- 'alt2-safebrowsing.google.com':443
- 'er#.#oloe.me':443
- 'cd#####.boyfriendtv.com':443
- 'im#.####no.net':443
- 'im#.##gboss.love':443
UDP
- DNS ASK google.com
- DNS ASK gs.###dex.com.tr
- DNS ASK en######d-tbn0.gstatic.com
- DNS ASK tr##kino.me
- DNS ASK clients3.google.com
- DNS ASK tr######e.googleapis.com
- DNS ASK clients4.google.com
- DNS ASK clients2.google.com
- DNS ASK ss#.#static.com
- DNS ASK eb##ity.com
- DNS ASK cd##.#vvstream.pro
- DNS ASK yandex.ru
- DNS ASK ya###tic.net
- DNS ASK av#####.mds.yandex.net
- DNS ASK im###.rl0.ru
- DNS ASK si##i.name
- DNS ASK x1.#.lencr.org
- DNS ASK gs##tic.com
- DNS ASK cd####.mndcdn.net
- DNS ASK safebrowsing.google.com
- DNS ASK alt2-safebrowsing.google.com
- DNS ASK er#.#oloe.me
- DNS ASK cd#####.boyfriendtv.com
- DNS ASK im#.####no.net
- DNS ASK im#.##gboss.love
Другое
Ищет следующие окна
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Google\Chrome\User Data'
Создает и запускает на исполнение
- '%APPDATA%\microsoft\windows\start menu\programs\startup\systemfilemain.exe'
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSaT0aJZcqMrqQD1DQquXbXs6jRjeo52M7cxQ&s
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRDURJbMNIyO7OUsOyFcrYKD557HuvnZ9cM2DVtVTREImcvlJKcG_moPcvy9kjEwd6puCU&usqp=CAU
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://gs.yandex.com.tr/video/preview/6149572662745161180
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://trahkino.me/contents/videos_screenshots/49000/49818/preview.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://trahkino.me/contents/videos_screenshots/99000/99322/preview.mp4.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ_6Vk7GtLKBxAsBNnjnNIlgG8hABXwuiRlGX-MtcmDh0gM9M_x-JXl20b6hA6LBo9LQcA&usqp=CAU
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://ebality.com/6968621/5.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://cdn2.pvvstream.pro/videos/-190626523/456239037/preview_800.jpg?secure=1751026536-8KgW%2Fi00pVTCEbA5Rhv7fb1Hhb66aHSZ%2BVKX785B%2FGQ%3D
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://img07.rl0.ru/6d7fc9ebe478fd65efb7d705b7df9a9d/c1280x1125/dilatationanale.d.i.pic.centerblog.net/o/668afd20.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://siski.name/uploads/posts/2021-12/1639748773_4-siski-name-p-porno-muzhskie-piski-negrov-4.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSQDeFipBpgG_Nc--2uKW29Rsn0yhcWuXFt4A&s
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://cdn015.mndcdn.net/photo/5/1/4/34eba0d4ae083d82293b75acadc30381_view.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://ero.goloe.me/uploads/posts/2021-12/1640847446_14-goloe-me-p-erotika-bolshikh-khuev-geev-25.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSA_dQ7CJ7qs_dFsf6JLKOy105tGxbL8mJDTA&s
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://cdn77-t.boyfriendtv.com/b-boyfriendtv/thumbs/bftv-320x240/2025-01/79/a46dfca79318c5d299c5ff191e6f00a24.mp4-320x240-5.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://img.5porno.net/archive/66/5/65439/9-540x360.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://img.bigboss.love/thumbs/66/5/65403/4-540x360.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRbk04gmaXUixL1Q7T6gu2DcsyqMPTZ_UWXhg&s
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRArrjEUAPrx6LYRIH3a6MlWULdU5OjQu70sQ&s
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://ic-vt-nss.xhcdn.com/a/MjIzNDA0MDlmMGNhM2RmZjhkOWU3NzhiOGZiMGRiNGE/s(w:2560,h:1440),webp/021/547/855/v2/2560x1440.247.webp
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://s.erocdn.com/399/005/000/04.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://ic-vt-nss.xhcdn.com/a/ZGI5Nzc3N2JmMDUxNjUwOWY0YTNlMGRjZWU5ODIwNDk/s(w:1280,h:720),webp/012/206/396/1280x720.c.jpg.v1565685360
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://img.bigboss.love/thumbs/48/6/47509/10-540x360.jpg
- '<SYSTEM32>\cmd.exe' /c start chrome --new-window https://ic-vt-nss.xhcdn.com/a/M2IyNDFiOGY1MWUzOWFjY2JmN2Y0YzY4OTVhYmE1NGE/s(w:2560,h:1440),webp/019/043/332/v2/2560x1440.251.webp
- '%APPDATA%\microsoft\windows\start menu\programs\startup\systemfilemain.exe' (со скрытым окном)
