Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\updatetask
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\taskkill.exe' /F /IM Telegram.exe
Изменения в файловой системе
Создает следующие файлы
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-4226853953-3309226944-3078887307-1000\83aa4cc77f591dfc2374580bbd95f6ba_8cf7b530-613e-439b-a8c5-ccfc0e745400
- %HOMEPATH%\.app_cache\updater.exe
- %TEMP%\onefile_3080_540051_5frqyz3c428\output.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\81d243bd2c585b0f4821__mypyc.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_asyncio.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_bz2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_cffi_backend.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_ctypes.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_decimal.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_elementtree.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_hashlib.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_lzma.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_multiprocessing.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_overlapped.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_queue.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_socket.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_sqlite3.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_ssl.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_uuid.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_wmi.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\libcrypto-3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\libffi-8.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\libssl-3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pyexpat.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\python3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\python313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pythoncom313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pywintypes313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\select.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\sqlite3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\unicodedata.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\vcruntime140.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\vcruntime140_1.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\win32api.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\win32crypt.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_arc4.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_salsa20.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_chacha20.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_aes.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_aesni.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_arc2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cast.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cbc.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cfb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ctr.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_des.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_des3.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ecb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ocb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ofb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_blake2b.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_blake2s.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md4.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md5.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ripemd160.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha1.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha224.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha256.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha384.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha512.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ghash_clmul.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ghash_portable.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_keccak.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_poly1305.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\math\_modexp.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\protocol\_scrypt.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_curve25519.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_curve448.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ec_ws.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ed25519.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ed448.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\util\_cpuid_c.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\util\_strxor.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\certifi\cacert.pem
- %TEMP%\onefile_3080_540051_5frqyz3c428\charset_normalizer\cd.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\charset_normalizer\md.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\cryptography\hazmat\bindings\_rust.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\psutil\_psutil_windows.pyd
- nul
- %APPDATA%\update.exe
- %TEMP%\hl5zso5a
- %TEMP%\tmpyqylc5b5\zr06euzytzmkba6d.dll
- %TEMP%\tmpsqrg89no\h9knqm4glibxuwd9.dll
- %TEMP%\tmp_q7h4juq\cookies.sqlite
- %TEMP%\tmp_q7h4juq\cookies.sqlite-shm
- %TEMP%\tmpby0mu8nz.ps1
Удаляет файлы, которые сам же создал
- %TEMP%\hl5zso5a
- %TEMP%\tmp_q7h4juq\cookies.sqlite-shm
- %TEMP%\tmp_q7h4juq\cookies.sqlite
- %TEMP%\tmpby0mu8nz.ps1
- %TEMP%\tmpyqylc5b5\zr06euzytzmkba6d.dll
- %TEMP%\tmpsqrg89no\h9knqm4glibxuwd9.dll
- %TEMP%\content\1328-3152-powershell.exe-10-22-32-984.dump
- %TEMP%\content\1328-3152-powershell.exe-10-22-33-192.dump
- %TEMP%\content\1328-3152-powershell.exe-10-22-33-277.dump
- %TEMP%\content\1328-3152-powershell.exe-10-22-33-415.dump
- %TEMP%\content\1328-3152-powershell.exe-10-22-34-313.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-013.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-260.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-298.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-414.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-476.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-551.dump
- %TEMP%\content\3768-704-powershell.exe-10-23-52-768.dump
- %TEMP%\content\4828-4764-powershell.exe-10-22-25-265.dump
- %TEMP%\content\4828-4764-powershell.exe-10-22-25-497.dump
- %TEMP%\content\4828-4764-powershell.exe-10-22-25-644.dump
- %TEMP%\content\4828-4764-powershell.exe-10-22-25-785.dump
- %TEMP%\content\4828-4764-powershell.exe-10-22-26-701.dump
- %TEMP%\onefile_3080_540051_5frqyz3c428\certifi\cacert.pem
- %TEMP%\onefile_3080_540051_5frqyz3c428\charset_normalizer\cd.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\charset_normalizer\md.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_arc4.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_chacha20.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_aes.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_aesni.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_arc2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cast.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cbc.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_cfb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ctr.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_des.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_des3.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ecb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ocb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_raw_ofb.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\cipher\_salsa20.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_blake2b.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_blake2s.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ghash_clmul.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ghash_portable.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_keccak.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md4.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_md5.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_poly1305.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_ripemd160.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha1.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha224.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha256.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha384.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\hash\_sha512.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\math\_modexp.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\protocol\_scrypt.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_curve25519.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_curve448.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ec_ws.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ed25519.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\publickey\_ed448.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\util\_cpuid_c.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\crypto\util\_strxor.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\cryptography\hazmat\bindings\_rust.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\psutil\_psutil_windows.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\81d243bd2c585b0f4821__mypyc.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\libcrypto-3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\libffi-8.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\libssl-3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\output.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pyexpat.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\python3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\python313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pythoncom313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\pywintypes313.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\select.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\sqlite3.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\unicodedata.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\vcruntime140.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\vcruntime140_1.dll
- %TEMP%\onefile_3080_540051_5frqyz3c428\win32api.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\win32crypt.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_asyncio.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_bz2.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_cffi_backend.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_ctypes.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_decimal.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_elementtree.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_hashlib.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_lzma.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_multiprocessing.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_overlapped.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_queue.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_socket.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_sqlite3.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_ssl.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_uuid.pyd
- %TEMP%\onefile_3080_540051_5frqyz3c428\_wmi.pyd
Сетевая активность
Подключается к
- 'er##4u.com':443
TCP
Другие
- '<DNS_SERVER>':53
- 'er##4u.com':443
UDP
- DNS ASK er##4u.com
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%HOMEPATH%\.app_cache\updater.exe'
- '%HOMEPATH%\.app_cache\updater.exe' -m pip install pycryptodome requests psutil --quiet
- '%HOMEPATH%\.app_cache\updater.exe' "--multiprocessing-fork" "parent_pid=3228" "pipe_handle=988"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -File %TEMP%\tmpby0mu8nz.ps1
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "schtasks /create /tn "UpdateTask" /tr "%APPDATA%\Update.exe" /sc onlogon /f" (со скрытым окном)
- '<SYSTEM32>\schtasks.exe' /create /tn "UpdateTask" /tr "%APPDATA%\Update.exe" /sc onlogon /f
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe'
