Техническая информация
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\6d52.tmp\6d63.tmp\6d64.bat
- %TEMP%\8abd.tmp\8abe.tmp\8abf.bat
- %TEMP%\d052.tmp\d062.tmp\d073.bat
- %TEMP%\setupexe(202509121326148bc).log
- %TEMP%\setup000008bc\osetupui.dll
- %TEMP%\setup000008bc\branding.xml
- %TEMP%\setup000008bc\setup.chm
- %TEMP%\setupexe(2025091213263097c).log
- %TEMP%\setup0000097c\osetupui.dll
- %TEMP%\setup0000097c\branding.xml
- %TEMP%\setup0000097c\setup.chm
- %LOCALAPPDATA%\microsoft\office\16.0\officefilecache\centraltable.ini
- %TEMP%\hsperfdata_user\3736
- %TEMP%\hsperfdata_user\2220
- %TEMP%\hsperfdata_user\3168
- %TEMP%\hsperfdata_user\3380
- %TEMP%\hsperfdata_user\2196
- %TEMP%\hsperfdata_user\3152
- %TEMP%\hsperfdata_user\4244
- %TEMP%\hsperfdata_user\772
- %TEMP%\hsperfdata_user\4112
- %TEMP%\hsperfdata_user\4180
- %TEMP%\hsperfdata_user\4404
- %TEMP%\hsperfdata_user\4556
- %TEMP%\hsperfdata_user\4352
- %TEMP%\hsperfdata_user\5232
- %TEMP%\hsperfdata_user\5684
- %TEMP%\hsperfdata_user\5776
- %TEMP%\hsperfdata_user\6088
- %TEMP%\hsperfdata_user\5844
Изменяет следующие файлы
- %HOMEPATH%\.oracle_jre_usage\90737d32e3aba6b.timestamp
Сетевая активность
TCP
Запросы HTTP GET
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6e##############
Другое
Перезапускает анализируемый образец
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\6D52.tmp\6D63.tmp\6D64.bat <Полный путь к файлу>" (со скрытым окном)
- '%CommonProgramFiles%\microsoft shared\ink\inputpersonalization.exe'
- '%CommonProgramFiles%\microsoft shared\ink\mip.exe'
- '%CommonProgramFiles%\microsoft shared\ink\shapecollector.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\8ABD.tmp\8ABE.tmp\8ABF.bat <Полный путь к файлу>" (со скрытым окном)
- '%CommonProgramFiles%\microsoft shared\ink\shapecollector.exe' -Embedding
- '%CommonProgramFiles%\microsoft shared\ink\tabtip.exe'
- '%CommonProgramFiles%\microsoft shared\ink\inputpersonalization.exe' -Embedding
- '%CommonProgramFiles%\microsoft shared\msinfo\msinfo32.exe'
- '%CommonProgramFiles%\microsoft shared\office16\cmigrate.exe'
- '%CommonProgramFiles%\microsoft shared\office16\msoxmled.exe'
- '%CommonProgramFiles%\microsoft shared\vsto\10.0\vstoinstaller.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\D052.tmp\D062.tmp\D073.bat <Полный путь к файлу>" (со скрытым окном)
- '%ProgramFiles%\internet explorer\extexport.exe'
- '%ProgramFiles%\internet explorer\iediagcmd.exe'
- '%ProgramFiles%\internet explorer\ieinstal.exe'
- '%ProgramFiles%\internet explorer\ielowutil.exe'
- '%ProgramFiles%\internet explorer\iexplore.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\jabswitch.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\java-rmi.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\java.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\javacpl.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\javaw.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\javaws.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\jjs.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\jp2launcher.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\keytool.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\kinit.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\javaw.exe' -Xbootclasspath/a:"%ProgramFiles%\Java\jre1.8.0_77\bin\..\lib\deploy.jar" -Djava.locale.providers=HOST,JRE,SPI -Duser.home="%HOMEPATH%" com.sun.deploy.panel.ControlPanel
- '%ProgramFiles%\java\jre1.8.0_77\bin\klist.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\ktab.exe'
- '%CommonProgramFiles(x86)%\microsoft shared\vsto\10.0\vstoinstaller.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\orbd.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\pack200.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\policytool.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\rmid.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\rmiregistry.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\servertool.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\ssvagent.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\tnameserv.exe'
- '%ProgramFiles%\java\jre1.8.0_77\bin\unpack200.exe'
- '%ProgramFiles%\microsoft office\office16\appsharinghookcontroller64.exe'
- '%ProgramFiles%\microsoft office\office16\msohtmed.exe'
- '%ProgramFiles%\microsoft office\office16\msoia.exe'
- '%ProgramFiles%\mozilla firefox\crashreporter.exe'
- '%ProgramFiles%\mozilla firefox\default-browser-agent.exe'
- '%ProgramFiles%\mozilla firefox\firefox.exe'
- '%ProgramFiles%\mozilla firefox\maintenanceservice.exe'
- '%ProgramFiles%\mozilla firefox\maintenanceservice_installer.exe'
- '%ProgramFiles%\mozilla firefox\minidump-analyzer.exe'
- '%ProgramFiles%\mozilla firefox\pingsender.exe'
- '%ProgramFiles%\mozilla firefox\plugin-container.exe'
- '%ProgramFiles%\mozilla firefox\updater.exe'
- '%ProgramFiles%\mozilla firefox\uninstall\helper.exe'
- '%ProgramFiles%\mozilla thunderbird\crashreporter.exe'
- '%ProgramFiles%\mozilla thunderbird\maintenanceservice.exe'
- '%ProgramFiles%\mozilla thunderbird\maintenanceservice_installer.exe'
- '%ProgramFiles%\mozilla thunderbird\minidump-analyzer.exe'
- '%ProgramFiles%\mozilla thunderbird\pingsender.exe'
- '%ProgramFiles%\mozilla thunderbird\plugin-container.exe'
- '%ProgramFiles%\mozilla thunderbird\plugin-hang-ui.exe'
- '%ProgramFiles%\mozilla thunderbird\thunderbird.exe'
- '%ProgramFiles%\mozilla thunderbird\updater.exe'
- '%ProgramFiles%\mozilla thunderbird\wsenable.exe'
- '%ProgramFiles%\mozilla thunderbird\uninstall\helper.exe'
- '%ProgramFiles%\windows defender advanced threat protection\mssense.exe'
- '%ProgramFiles%\windows defender advanced threat protection\sensecncproxy.exe'
- '%ProgramFiles%\windows defender advanced threat protection\senseir.exe'
- '%ProgramFiles%\windows defender advanced threat protection\sensendr.exe'
- '%ProgramFiles%\windows defender advanced threat protection\sensesampleuploader.exe'
- '%ProgramFiles%\windows defender advanced threat protection\sensesc.exe'
- '%ProgramFiles%\windows defender advanced threat protection\classification\sensece.exe'
- '%ProgramFiles%\windows defender.bak\configsecuritypolicy.exe'
- '%ProgramFiles%\windows defender.bak\mpcmdrun.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\3CF2.tmp\3CF3.tmp\3CF4.bat <Полный путь к файлу>" (со скрытым окном)
- '%ProgramFiles%\windows defender.bak\msmpeng.exe'
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%ProgramFiles%\java\jre1.8.0_77\...
- '%ProgramFiles%\windows defender.bak\nissrv.exe'
- '%ProgramFiles%\windows defender.bak\offline\offlinescannershell.exe'
- '%ProgramFiles%\windows mail\wab.exe'
- '%ProgramFiles%\windows mail\wabmig.exe'
- '%ProgramFiles%\windows media player\setup_wm.exe'
- '%ProgramFiles%\windows media player\wmlaunch.exe'
- '%ProgramFiles%\windows media player\wmpconfig.exe'
- '%ProgramFiles%\windows media player\wmplayer.exe'
- '%ProgramFiles%\windows media player\wmpnetwk.exe'
- '%ProgramFiles%\windows media player\wmpnscfg.exe'
- '%ProgramFiles%\windows media player\wmprph.exe'
- '%CommonProgramFiles(x86)%\java\java update\jucheck.exe' -getconfig=1
- '%ProgramFiles%\windows media player\wmpshare.exe'
- '%ProgramFiles%\windows nt\accessories\wordpad.exe'
- '%ProgramFiles%\windows photo viewer\imagingdevices.exe'
- '%ProgramFiles%\windows security\browsercore\browsercore.exe'
