Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'OneDriveUpdateHelper' = '%APPDATA%\Microsoft\Windows\Themes\CachedFiles\start.bat'
Вредоносные функции
Внедряет код в
следующие системные процессы:
- %WINDIR%\microsoft.net\framework64\v4.0.30319\caspol.exe
- <SYSTEM32>\svchost.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\re_core_859781.tmp
- %TEMP%\unrar_temp.exe
- %TEMP%\trainer_859781\runtimebroker.exe
- %TEMP%\re_enhance_860906.tmp
- %TEMP%\enhancement_860906\systemcomponent.exe
- %TEMP%\system_runtime_862015.tmp
- %TEMP%\runtime_862015\123.exe
- %TEMP%\runtime_862015\liblzma-5.dll
- %TEMP%\108df222-5845-4005-8db5-b55a0bb35171.exe
- %APPDATA%\microsoft\windows\themes\cachedfiles\123.exe
- %APPDATA%\microsoft\windows\themes\cachedfiles\liblzma-5.dll
- %APPDATA%\microsoft\windows\themes\cachedfiles\start.bat
- %TEMP%\edge_brokecker_874296.tmp
- %TEMP%\mrguzddyntyw.sys
- %TEMP%\edge_874296\edgebrocker.exe
- %TEMP%\dd_edgebrocker_decompression_log.txt
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1033\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\2052\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1046\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1045\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1042\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1040\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1031\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\3082\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1041\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1049\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1028\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1055\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1036\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\helpfile\1029\help.html
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.c2rsignaturereader.interop.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.c2rsignaturereader.native.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.identity.client.broker.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.identity.client.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.identity.client.extensions.msal.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.identity.client.nativeinterop.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.identitymodel.abstractions.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.remotecontrol.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.setup.common.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.setup.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.setup.download.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.telemetry.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\microsoft.visualstudio.utilities.internal.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\runtimes\win-x86\native\msalruntime_x86.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\newtonsoft.json.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\system.memory.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\system.runtime.compilerservices.unsafe.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vsinstallerelevationservice.contracts.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\zh-hant\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\it\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\zh-hans\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\pt-br\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\pl\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\ja\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\tr\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\cs\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\de\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\ru\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\es\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\ko\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\fr\vs_setup_bootstrapper.resources.dll
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vs_setup_bootstrapper.config
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\detection.json
- %TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vs_setup_bootstrapper.json
- %TEMP%\dd_bootstrapper_20260227190434.log
- %ALLUSERSPROFILE%\microsoft\visualstudio\packages\_bootstrapper\vs_setup_bootstrapper_202602271904366623.json
- %ALLUSERSPROFILE%\microsoft devdiv\installation\installationid.txt\
- %LOCALAPPDATA%\microsoft\vsapplicationinsights\vstelf3e86b4023cc43f0be495508d51f588a\20260228030511_87d86c9f74934ada82cea947dd22e226.tmp\
Удаляет файлы, которые сам же создал
- %TEMP%\re_core_859781.tmp
- %TEMP%\trainer_859781\runtimebroker.exe
- %TEMP%\re_enhance_860906.tmp
- %TEMP%\enhancement_860906\systemcomponent.exe
- %TEMP%\system_runtime_862015.tmp
- %TEMP%\runtime_862015\123.exe
- %TEMP%\runtime_862015\liblzma-5.dll
- %TEMP%\edge_brokecker_874296.tmp
- %TEMP%\edge_874296\edgebrocker.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\2ry89y2b\remotesettings_installer[1].cache
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\2ry89y2b\dyntelconfig[1].cache
Сетевая активность
Подключается к
- 'dr####ulgar.live':443
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'po##.#ashvault.pro':443
- 'pa###bin.com':443
- 'localhost':9050
- 'telemetry.visualstudio.microsoft.com':443
- 'go.microsoft.com':443
- 'microsoft.com':80
- 'settings.visualstudio.microsoft.com':443
- 'ta##########fications-tm.trafficmanager.net':443
- 'mobile.events.data.microsoft.com':443
TCP
Запросы HTTP GET
Другие
- 'dr####ulgar.live':443
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'pa###bin.com':443
- 'po##.#ashvault.pro':443
- 'telemetry.visualstudio.microsoft.com':443
- 'go.microsoft.com':443
- 'settings.visualstudio.microsoft.com':443
- 'ta##########fications-tm.trafficmanager.net':443
- 'mobile.events.data.microsoft.com':443
UDP
- DNS ASK dr####ulgar.live
- DNS ASK gi##ub.com
- DNS ASK re#########ets.githubusercontent.com
- DNS ASK po##.#ashvault.pro
- DNS ASK pa###bin.com
- DNS ASK telemetry.visualstudio.microsoft.com
- DNS ASK go.microsoft.com
- DNS ASK microsoft.com
- DNS ASK settings.visualstudio.microsoft.com
- DNS ASK ta##########fications-tm.trafficmanager.net
- DNS ASK mobile.events.data.microsoft.com
Другое
Создает и запускает на исполнение
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\re_core_859781.tmp" "%TEMP%\trainer_859781\"
- '%TEMP%\trainer_859781\runtimebroker.exe'
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\re_enhance_860906.tmp" "%TEMP%\enhancement_860906\"
- '%TEMP%\enhancement_860906\systemcomponent.exe'
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\system_runtime_862015.tmp" "%TEMP%\runtime_862015\"
- '%TEMP%\runtime_862015\123.exe'
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\edge_brokecker_874296.tmp" "%TEMP%\edge_874296\"
- '%TEMP%\edge_874296\edgebrocker.exe'
- '%TEMP%\7f92a6c6c4bed5a3c7cdfff256d1a933\vs_bootstrapper_d15\vs_setup_bootstrapper.exe' --env "_SFX_CAB_EXE_PACKAGE:%TEMP%\edge_874296\EdgeBrocker.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:%TEMP%\edge_874296"
Запускает на исполнение
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\caspol.exe'
- '<SYSTEM32>\svchost.exe'
- '%WINDIR%\syswow64\getmac.exe'
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\re_core_859781.tmp" "%TEMP%\trainer_859781\" (со скрытым окном)
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\re_enhance_860906.tmp" "%TEMP%\enhancement_860906\" (со скрытым окном)
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\system_runtime_862015.tmp" "%TEMP%\runtime_862015\" (со скрытым окном)
- '%TEMP%\unrar_temp.exe' x -pXJ7#mK9$pL2@nQ5 -y "%TEMP%\edge_brokecker_874296.tmp" "%TEMP%\edge_874296\" (со скрытым окном)
