Technical Information
- %WINDIR%\Tasks\ZB20DCImbe4Yvtz.job
- [<HKLM>\SYSTEM\ControlSet001\Services\EBC8360psDNVz] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\EBC8360psDNVz] 'ImagePath' = '<Current directory>\EBC8360psDN.exe .PleaseDoNotReportMe'
- '<SYSTEM32>\net.exe' stop sqlbrowsers
- '<SYSTEM32>\net.exe' stop WinRDPSvc
- '<SYSTEM32>\net.exe' stop RpcEptManger
- '<SYSTEM32>\net.exe' stop Samserver
- '<SYSTEM32>\net.exe' stop eccm
- '<SYSTEM32>\net.exe' stop WSService
- '<SYSTEM32>\net.exe' stop Googler
- '<SYSTEM32>\net.exe' stop MsUpdateServiceD
- '<SYSTEM32>\net.exe' stop TaskNetHost
- '<SYSTEM32>\net.exe' stop reg
- '<SYSTEM32>\net.exe' stop Service4
- '<SYSTEM32>\net.exe' stop sqlservrd
- '<SYSTEM32>\net.exe' stop LocalConnectXdc
- '<SYSTEM32>\net.exe' stop WindowsDefender
- '<SYSTEM32>\net.exe' stop AdobeFlashPlayerHash
- '<SYSTEM32>\net.exe' stop RegGroom
- '<SYSTEM32>\net.exe' stop LanmanServersetes
- %WINDIR%\XXInstall\ps.exe
- <Current directory>\EBC8360psDN.exe
- <Current directory>\EBC8360psDN.exe
- <Full path to file>
- '21#.#3.190.122':888
- 'po##.#upportxmr.com':3333
- 'po##.#upportxmr.com':5555
- 'po##.#upportxmr.com':80
- 'po##.#upportxmr.com':8080
- '21#.#32.25.156':3333
- '21#.#32.25.156':5555
- '21#.#32.25.156':80
- '21#.#32.25.156':8080
- DNS ASK po##.#upportxmr.com
- '<Current directory>\EBC8360psDN.exe' .PleaseDoNotReportMe
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\schtasks.exe /Delete /TN * /F >nul 2>&1
- '<SYSTEM32>\net1.exe' stop RpcEptManger
- '<SYSTEM32>\cmd.exe' /c net stop RpcEptManger
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop RpcEptManger >nul 2>&1
- '<SYSTEM32>\sc.exe' config Samserver start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config Samserver start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Samserver start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop Samserver
- '<SYSTEM32>\cmd.exe' /c net stop Samserver
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Samserver >nul 2>&1
- '<SYSTEM32>\sc.exe' config eccm start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config eccm start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config eccm start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop eccm
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config TaskNetHost start= Disabled >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c net stop eccm
- '<SYSTEM32>\sc.exe' config WSService start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config WSService start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WSService start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop WSService
- '<SYSTEM32>\cmd.exe' /c net stop WSService
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WSService >nul 2>&1
- '<SYSTEM32>\sc.exe' config Googler start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config Googler start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Googler start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop Googler
- '<SYSTEM32>\cmd.exe' /c net stop Googler
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Googler >nul 2>&1
- '<SYSTEM32>\sc.exe' config TaskNetHost start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop eccm >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc config TaskNetHost start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config RpcEptManger start= Disabled >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc config WinDefend start= disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WMIUpdateService start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop WMIUpdateService
- '%WINDIR%\XXInstall\ps.exe' stop WMIUpdateService
- '<SYSTEM32>\cmd.exe' /c net stop WMIUpdateService
- '<SYSTEM32>\sc.exe' config LanmanServersetes start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config LanmanServersetes start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config LanmanServersetes start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop LanmanServersetes
- '<SYSTEM32>\cmd.exe' /c net stop LanmanServersetes
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop LanmanServersetes >nul 2>&1
- '<SYSTEM32>\sc.exe' stop WinDefend
- '<SYSTEM32>\cmd.exe' /c sc stop WinDefend
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc stop WinDefend >nul 2>&1
- '<SYSTEM32>\sc.exe' config RpcEptManger start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config RpcEptManger start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WinDefend start= disabled >nul 2>&1
- '<SYSTEM32>\sc.exe' config MsUpdateServiceD start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config MsUpdateServiceD start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config MsUpdateServiceD start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop MsUpdateServiceD
- '<SYSTEM32>\cmd.exe' /c net stop MsUpdateServiceD
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop MsUpdateServiceD >nul 2>&1
- '<SYSTEM32>\sc.exe' config WinRDPSvc start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config WinRDPSvc start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WinRDPSvc start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop WinRDPSvc
- '<SYSTEM32>\cmd.exe' /c net stop WinRDPSvc
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WinRDPSvc >nul 2>&1
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '<SYSTEM32>\net1.exe' stop TaskNetHost
- '<SYSTEM32>\cmd.exe' /c net stop TaskNetHost
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop TaskNetHost >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc config WindowsDefender start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WindowsDefender start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop WindowsDefender
- '<SYSTEM32>\cmd.exe' /c net stop WindowsDefender
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WindowsDefender >nul 2>&1
- '<SYSTEM32>\sc.exe' config AdobeFlashPlayerHash start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config AdobeFlashPlayerHash start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config AdobeFlashPlayerHash start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop AdobeFlashPlayerHash
- '<SYSTEM32>\cmd.exe' /c net stop AdobeFlashPlayerHash
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop AdobeFlashPlayerHash >nul 2>&1
- '<SYSTEM32>\sc.exe' delete sqlbrowsers
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop LocalConnectXdc >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc delete sqlbrowsers
- '<SYSTEM32>\sc.exe' config sqlbrowsers start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config sqlbrowsers start= Disabled
- '<SYSTEM32>\schtasks.exe' /Create /tn ZB20DCImbe4Yvtz /tr "<Current directory>\EBC8360psDN.exe" /sc HOURLY /mo 3 /st 00:00:00 /ru SYSTEM
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config sqlbrowsers start= Disabled >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\schtasks.exe /Create /tn ZB20DCImbe4Yvtz /tr "<Current directory>\EBC8360psDN.exe" /sc HOURLY /mo 3 /st 00:00:00 /ru SYSTEM >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c echo Y
- '<SYSTEM32>\net1.exe' stop sqlbrowsers
- '<SYSTEM32>\schtasks.exe' /Delete /TN *
- '<SYSTEM32>\cmd.exe' /c start /b /min <SYSTEM32>\cmd.exe /c echo Y
- '<SYSTEM32>\cmd.exe' /c %comspec% /c start /b /min %comspec% /c echo Y|<SYSTEM32>\schtasks.exe /Delete /TN * >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c net stop sqlbrowsers
- '<SYSTEM32>\schtasks.exe' /Delete /TN * /F
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop sqlbrowsers >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc delete sqlbrowsers >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c net stop LocalConnectXdc
- '<SYSTEM32>\sc.exe' config WindowsDefender start= Disabled
- '<SYSTEM32>\net1.exe' stop LocalConnectXdc
- '<SYSTEM32>\sc.exe' config RegGroom start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Service4 start= Disabled >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc config RegGroom start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config RegGroom start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop RegGroom
- '<SYSTEM32>\cmd.exe' /c net stop RegGroom
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop RegGroom >nul 2>&1
- '<SYSTEM32>\sc.exe' config reg start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config reg start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config reg start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop reg
- '<SYSTEM32>\cmd.exe' /c net stop reg
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop reg >nul 2>&1
- '<SYSTEM32>\sc.exe' config Service4 start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config Service4 start= Disabled
- '<SYSTEM32>\net1.exe' stop Service4
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config LocalConnectXdc start= Disabled >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c net stop Service4
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Service4 >nul 2>&1
- '<SYSTEM32>\sc.exe' delete sqlservrd
- '<SYSTEM32>\cmd.exe' /c sc delete sqlservrd
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc delete sqlservrd >nul 2>&1
- '<SYSTEM32>\sc.exe' config sqlservrd start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config sqlservrd start= Disabled
- '<SYSTEM32>\cmd.exe' /c %comspec% /c sc config sqlservrd start= Disabled >nul 2>&1
- '<SYSTEM32>\net1.exe' stop sqlservrd
- '<SYSTEM32>\cmd.exe' /c net stop sqlservrd
- '<SYSTEM32>\cmd.exe' /c %comspec% /c net stop sqlservrd >nul 2>&1
- '<SYSTEM32>\sc.exe' config LocalConnectXdc start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config LocalConnectXdc start= Disabled
- '<SYSTEM32>\cmd.exe' /c sc config WMIUpdateService start= Disabled
- '<SYSTEM32>\sc.exe' config WMIUpdateService start= Disabled