Техническая информация
Изменения в файловой системе
Создает следующие файлы
- <Текущая директория>\5d5b9045d1f2ab
- %WINDIR%\downloaded program files\runtimebroker.exe
- %WINDIR%\downloaded program files\9e8d7a4ca61bd9
- C:\recovery\windowsre\securityhealthservice.exe
- C:\recovery\windowsre\926e3e4b62361b
- C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\csrss.exe
- C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\886983d96e3d3e
- <Текущая директория>\fontdrvhost.exe
- <Текущая директория>\5b884080fd4f94
- C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\searchapp.exe
- C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\38384e6a620884
- %TEMP%\6xqrxlik6k
- %TEMP%\kymdkqxt0e.bat
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<Имя файла>.exe.log
- nul
- %HOMEPATH%\desktop\bejfbclt.log
- %HOMEPATH%\desktop\hysrwjff.log
- %HOMEPATH%\desktop\xqzbmhzy.log
- %HOMEPATH%\desktop\pmrlcnkr.log
- %HOMEPATH%\desktop\wapgjrpc.log
- %HOMEPATH%\desktop\nrvqzpku.log
- %HOMEPATH%\desktop\vftkftpf.log
- %HOMEPATH%\desktop\jleuvyew.log
- %HOMEPATH%\desktop\rzcobcji.log
- %HOMEPATH%\desktop\zsljiqet.log
- %HOMEPATH%\desktop\gaydolte.log
- %HOMEPATH%\desktop\ooxyupyp.log
- %HOMEPATH%\desktop\vwksakoz.log
- %HOMEPATH%\desktop\ckinhotk.log
- %HOMEPATH%\desktop\kyghnsyv.log
- %HOMEPATH%\desktop\slectwdh.log
- %HOMEPATH%\desktop\qqjgqydk.log
- %HOMEPATH%\desktop\gcfqgmic.log
- %HOMEPATH%\desktop\nqdlmqnn.log
- %HOMEPATH%\desktop\fmuvcxyg.log
- %HOMEPATH%\desktop\natqjbdr.log
- %HOMEPATH%\desktop\exkazinj.log
- %TEMP%\pek42mpvtk
- %TEMP%\e96mm2hrmu.bat
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\searchapp.exe.log
- %HOMEPATH%\desktop\zhdgdqpi.log
- %HOMEPATH%\desktop\vjdxrkoj.log
- %HOMEPATH%\desktop\mfvhiqzc.log
- %HOMEPATH%\desktop\dxbryotu.log
- %HOMEPATH%\desktop\lkamesyf.log
- %HOMEPATH%\desktop\chrxuzjy.log
- %HOMEPATH%\desktop\rtngknoq.log
- %HOMEPATH%\desktop\alwbrajb.log
- %HOMEPATH%\desktop\izuwxfom.log
- %HOMEPATH%\desktop\xlqfntte.log
- %HOMEPATH%\desktop\fzoatxyp.log
- %HOMEPATH%\desktop\nmmvabda.log
- %HOMEPATH%\desktop\vakpgfil.log
- %HOMEPATH%\desktop\kmgzwund.log
- %HOMEPATH%\desktop\admjmriv.log
- %HOMEPATH%\desktop\irldsvng.log
- %HOMEPATH%\desktop\hbaipgck.log
- %HOMEPATH%\desktop\ppzdvkhv.log
- %HOMEPATH%\desktop\ebunlznn.log
- %HOMEPATH%\desktop\xcxybpmg.log
- %HOMEPATH%\desktop\moshsdsy.log
- %HOMEPATH%\desktop\elksikcr.log
- %TEMP%\xymse2rrzj
- %TEMP%\xiljtboeza.bat
- %HOMEPATH%\desktop\qkzdlfxk.log
- %HOMEPATH%\desktop\nrkuaimm.log
- %HOMEPATH%\desktop\gtnfqymf.log
- %HOMEPATH%\desktop\wktpgwhx.log
- %HOMEPATH%\desktop\eysknami.log
- %HOMEPATH%\desktop\upyudxgb.log
- %HOMEPATH%\desktop\cdwojblm.log
- %HOMEPATH%\desktop\jljipwbw.log
- %HOMEPATH%\desktop\zcqtfuwp.log
- %HOMEPATH%\desktop\ivzomhqa.log
- %HOMEPATH%\desktop\wckxcmgs.log
- %HOMEPATH%\desktop\eqirirld.log
- %HOMEPATH%\desktop\efjxflqh.log
- %HOMEPATH%\desktop\tmtgvqfy.log
- %HOMEPATH%\desktop\azrbbulj.log
- %HOMEPATH%\desktop\jsbwhhfv.log
- %HOMEPATH%\desktop\ixfaejfy.log
- %HOMEPATH%\desktop\xjbkuxkq.log
- %HOMEPATH%\desktop\fxzeabpb.log
- %HOMEPATH%\desktop\xycpqrpu.log
- %HOMEPATH%\desktop\lfmzgwfm.log
- %HOMEPATH%\desktop\dcejxdpf.log
- %TEMP%\bvb00ndihg
- %TEMP%\4wm4wqhwvf.bat
- %HOMEPATH%\desktop\scaqegav.log
- %HOMEPATH%\desktop\zrexcmue.log
- %HOMEPATH%\desktop\sthiscux.log
- %HOMEPATH%\desktop\pikhsjpw.log
- %HOMEPATH%\desktop\ybuczxki.log
- %HOMEPATH%\desktop\xwjczouh.log
- %HOMEPATH%\desktop\gpsxfbpt.log
- %HOMEPATH%\desktop\odqrlfue.log
- %HOMEPATH%\desktop\dpmbbtzw.log
- %HOMEPATH%\desktop\mhvwihuh.log
- %HOMEPATH%\desktop\btqgyvzz.log
- %HOMEPATH%\desktop\kmabeitl.log
- %HOMEPATH%\desktop\zyvkuxyd.log
- %HOMEPATH%\desktop\hmtfbbeo.log
- %HOMEPATH%\desktop\xypprpjg.log
- %HOMEPATH%\desktop\frykxddr.log
- %HOMEPATH%\desktop\ewdotedu.log
- %HOMEPATH%\desktop\dgttqpty.log
- %HOMEPATH%\desktop\ijvnwbsi.log
- %HOMEPATH%\desktop\rceiconu.log
- %HOMEPATH%\desktop\zqcdjssf.log
- %HOMEPATH%\desktop\phjnzqnx.log
- %TEMP%\eaqiuzeku5
- %TEMP%\q8sisb3arb.bat
- %HOMEPATH%\desktop\nknjqmov.log
- %HOMEPATH%\desktop\vfcrobxe.log
- %HOMEPATH%\desktop\tvgqojse.log
- %HOMEPATH%\desktop\kmnaegnw.log
- %HOMEPATH%\desktop\ralulksh.log
- %HOMEPATH%\desktop\kbnfbasa.log
- %HOMEPATH%\desktop\znjprpxs.log
- %HOMEPATH%\desktop\qeqzhmsk.log
- %HOMEPATH%\desktop\yxzuozmw.log
- %HOMEPATH%\desktop\glxpuerh.log
- %HOMEPATH%\desktop\vxsykswz.log
- %HOMEPATH%\desktop\moziaprr.log
- %HOMEPATH%\desktop\mdaoxjwv.log
- %HOMEPATH%\desktop\bqvxnybn.log
- %HOMEPATH%\desktop\kifstlwz.log
- %HOMEPATH%\desktop\auacjzbr.log
- %HOMEPATH%\desktop\zeqhgkru.log
- %HOMEPATH%\desktop\oqlrwzwm.log
- %HOMEPATH%\desktop\eisbmwqf.log
- %HOMEPATH%\desktop\weklcdbx.log
- %HOMEPATH%\desktop\esigihgi.log
- %HOMEPATH%\desktop\vozqyoqb.log
- %TEMP%\zjvrwhyqsf
- %TEMP%\sft2vwrbzi.bat
- %HOMEPATH%\desktop\kovxgrbr.log
- %HOMEPATH%\desktop\qyoeenga.log
- %HOMEPATH%\desktop\hqvoulas.log
- %HOMEPATH%\desktop\ymnzkrll.log
- %HOMEPATH%\desktop\galtrwqw.log
- %HOMEPATH%\desktop\xwcehcap.log
- %HOMEPATH%\desktop\onjoxavh.log
- %HOMEPATH%\desktop\vbhideas.log
- %HOMEPATH%\desktop\lndstsfk.log
- %HOMEPATH%\desktop\ugmnagaw.log
- %HOMEPATH%\desktop\inwwqlpn.log
- %HOMEPATH%\desktop\rggrwykz.log
- %HOMEPATH%\desktop\ztemccpk.log
- %HOMEPATH%\desktop\plkwtakc.log
- %HOMEPATH%\desktop\exgfjopu.log
- %HOMEPATH%\desktop\mkeapsuf.log
- %HOMEPATH%\desktop\luufldjj.log
- %HOMEPATH%\desktop\tisashpu.log
- %HOMEPATH%\desktop\iuojiwum.log
- %HOMEPATH%\desktop\bwquyluf.log
- %HOMEPATH%\desktop\hedoegjq.log
- %HOMEPATH%\desktop\zavzunti.log
- %TEMP%\lelkvialzl
- %TEMP%\czppxkeusu.bat
Удаляет файлы, которые сам же создал
- %TEMP%\6xqrxlik6k
- %TEMP%\pek42mpvtk
- %TEMP%\xymse2rrzj
- %TEMP%\bvb00ndihg
- %TEMP%\eaqiuzeku5
- %TEMP%\zjvrwhyqsf
- %TEMP%\lelkvialzl
Сетевая активность
UDP
- DNS ASK 11#####m.nyashvibe.ru
- 'localhost':123
Другое
Создает и запускает на исполнение
- 'C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\searchapp.exe'
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\kYMDkQXT0e.bat" (со скрытым окном)
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\e96MM2hRMu.bat" (со скрытым окном)
- '<SYSTEM32>\ping.exe' -n 10 localhost
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\XilJTboezA.bat" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\4wM4wqHWVF.bat" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\Q8sISb3ARb.bat" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\sFt2vWrbZi.bat" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\czppXKEUSU.bat" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\0H3zCkvC0l.bat" (со скрытым окном)
