Technical Information
- '<SYSTEM32>\taskkill.exe' /IM svchost.exe.exe /T /F
- '<SYSTEM32>\taskkill.exe' /f /im Rar.exe
- C:\rdp\Rar.exe
- C:\rdp\run.vbs
- %TEMP%\RarSFX0\R.vbs
- C:\Programdata\Microsoft\Intel\Cheat64.exe
- C:\rdp\pause.bat
- C:\rdp\db.rar
- %TEMP%\RarSFX0\M.exe
- C:\Programdata\System32\logs\svchost.exe
- C:\Log\pause.bat
- C:\Log\Rar.exe
- C:\Programdata\Microsoft\TaskList\folders.cfg
- C:\Programdata\Microsoft\TaskList\whitelist.cfg
- C:\Programdata\Microsoft\TaskList\System.exe
- %TEMP%\dw.log
- C:\Log\install.bat
- C:\Log\svcservice.exe
- C:\Programdata\Microsoft\Intel\OS.bat
- C:\Programdata\Microsoft\rootsystem\passwords.txt
- %TEMP%\24F8D.dmp
- C:\Log\regedit.reg
- C:\Programdata\Microsoft\rootsystem\1.exe
- C:\Programdata\Microsoft\rootsystem\P.vbs
- C:\Log\vp8encoder.dll
- C:\Programdata\Microsoft\rootsystem\P.exe
- C:\Log\svnhost.exe
- C:\Programdata\Microsoft\Intel\Cheat32.exe
- C:\Log\install.vbs
- C:\Programdata\Microsoft\Intel\Temp.exe
- C:\Programdata\Microsoft\Intel\TaskList.exe
- C:\Programdata\Microsoft\Intel\taskhost.exe
- C:\Programdata\Microsoft\Intel\L.bat
- C:\Programdata\Microsoft\Intel\fake.vbs
- C:\Programdata\Microsoft\Intel\winlogon.exe
- C:\Programdata\Microsoft\Intel\svchost.exe
- %TEMP%\aut2.tmp
- C:\Programdata\Microsoft\Intel\Cheat.exe
- %TEMP%\aut1.tmp
- C:\Programdata\Microsoft\Intel\smss.exe
- C:\Programdata\Microsoft\Intel\R8.exe
- C:\Programdata\Microsoft\Intel\Check.exe
- C:\Programdata\Microsoft\Intel\MOS.exe
- %TEMP%\3.tmp\4.bat
- C:\Programdata\Microsoft\temp\Clean.bat
- C:\Programdata\Microsoft\temp\Block.exe
- C:\Log\db.exe
- %TEMP%\6.tmp\7.bat
- C:\Log\run.vbs
- C:\Programdata\Microsoft\temp\5.xml
- C:\Programdata\Microsoft\Check\Check.txt
- C:\Programdata\Microsoft\Intel\R.exe
- C:\Programdata\Microsoft\Intel\P.exe
- C:\Programdata\Microsoft\temp\Temp.bat
- C:\Programdata\Microsoft\temp\H.bat
- C:\Programdata\Microsoft\temp\Clean.vbs
- C:\Programdata\Microsoft\Intel\svchost.exe
- C:\Programdata\Microsoft\Intel\taskhost.exe
- C:\Programdata\Microsoft\Intel\smss.exe
- C:\Programdata\Microsoft\Intel\R.exe
- C:\Programdata\Microsoft\Intel\R8.exe
- C:\Programdata\Microsoft\Intel\TaskList.exe
- C:\Programdata\Microsoft\rootsystem\P.exe
- C:\Programdata\Microsoft\rootsystem\P.vbs
- C:\Programdata\Microsoft\rootsystem\1.exe
- C:\Programdata\Microsoft\Intel\Temp.exe
- C:\Programdata\Microsoft\Intel\winlogon.exe
- C:\Programdata\Microsoft\Intel\Cheat32.exe
- C:\Programdata\Microsoft\Intel\Cheat64.exe
- C:\Programdata\Microsoft\Intel\Cheat.exe
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- C:\Programdata\Microsoft\Intel\Check.exe
- C:\Programdata\Microsoft\Intel\OS.bat
- C:\Programdata\Microsoft\Intel\P.exe
- C:\Programdata\Microsoft\Intel\MOS.exe
- C:\Programdata\Microsoft\Intel\fake.vbs
- C:\Programdata\Microsoft\Intel\L.bat
- 's5.###ost.com.ua':465
- DNS ASK s5.###ost.com.ua
- ClassName: '' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- 'C:\Programdata\Microsoft\Intel\R8.exe'
- 'C:\Log\Rar.exe' e -p40564203 db.exe
- '%TEMP%\RarSFX0\M.exe'
- 'C:\Programdata\Microsoft\Intel\MOS.exe'
- 'C:\Programdata\Microsoft\TaskList\System.exe'
- '<SYSTEM32>\wscript.exe' "C:\rdp\run.vbs"
- 'C:\Programdata\Microsoft\Intel\taskhost.exe'
- 'C:\Programdata\Microsoft\rootsystem\1.exe' /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
- '<SYSTEM32>\wscript.exe' "c:\programdata\microsoft\rootsystem\P.vbs"
- 'C:\Programdata\Microsoft\Intel\P.exe'
- 'C:\Programdata\Microsoft\rootsystem\P.exe'
- '<SYSTEM32>\wscript.exe' "C:\Log\run.vbs"
- 'C:\Programdata\Microsoft\Intel\smss.exe'
- 'C:\Programdata\Microsoft\Intel\winlogon.exe'
- 'C:\Programdata\Microsoft\Intel\Temp.exe'
- 'C:\Programdata\Microsoft\Intel\Cheat.exe' -p123
- 'C:\Programdata\Microsoft\Intel\Check.exe'
- 'C:\Programdata\Microsoft\Intel\R.exe'
- 'C:\Programdata\Microsoft\Intel\TaskList.exe'
- 'C:\Programdata\Microsoft\temp\Block.exe'
- '<SYSTEM32>\wscript.exe' "c:\programdata\microsoft\temp\Clean.vbs"
- 'C:\Programdata\Microsoft\Intel\svchost.exe'
- '<SYSTEM32>\wscript.exe' "c:\programdata\microsoft\intel\fake.vbs"
- '<SYSTEM32>\cmd.exe' /c c:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswo...
- '<SYSTEM32>\cmd.exe' /c C:\programdata\microsoft\temp\H.bat
- '<SYSTEM32>\cmd.exe' /c ""C:\rdp\pause.bat" "
- '<SYSTEM32>\sc.exe' delete swprv
- '<SYSTEM32>\cmd.exe' /c ""c:\ProgramData\microsoft\Temp\Clean.bat" "
- '<SYSTEM32>\cmd.exe' /c C:\programdata\microsoft\temp\Temp.bat
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOAProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\3.tmp\4.bat" c:\programdata\microsoft\intel\smss.exe"
- '<SYSTEM32>\cmd.exe' /c ""c:\programdata\microsoft\intel\L.bat" "
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 544
- '<SYSTEM32>\cmd.exe' /c ""C:\Log\pause.bat" "
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\6.tmp\7.bat" c:\programdata\microsoft\intel\winlogon.exe"