Trojan.Encoder.38610

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'conUpdate' = '"%LOCALAPPDATA%\{288D3514-4B27-0929-C18F-74352F8D2629}\conUpdate.exe" '
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlmangr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\raw_agent_svc.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_x64.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW64.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW32.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbguard.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdlauncher.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CoreSync.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bengien.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bedbh.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\axlbridge.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskDesktopApp.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agntsvc.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKCU\Software\Classes\exefile\shell\open\command] '' = '"%1" %*'
[HKLM\Software\Classes\exefile\shell\open\command] '' = '"%1" %*'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpython.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oracle.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocomm.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-nt.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopqos.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qbupdate.exe] 'Debugger' = '<SYSTEM32>\Systray.exe'
[HKLM\Software\Classes\mimicfile\shell\open\command] '' = 'notepad.exe "%LOCALAPPDATA%\Instruction.txt"'

Creates the following files on removable media

<Drive name for removable media>:\glidescope_review_rev_010.docx
<Drive name for removable media>:\nwfieldnotes1966.docx

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

User Account Control (UAC)

modifies the following system settings:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoClose' = '00000001'
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'StartMenuLogOff' = '00000001'

Terminates or attempts to terminate

the following user processes:

firefox.exe

Modifies file system

Creates the following files

%TEMP%\7zipsfx.000\7za.exe
C:\instruction.txt
C:\temp\session.tmp
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\session.tmp
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\xdel.exe
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything64.dll
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything32.dll
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything2.ini
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything.ini
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything.exe
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\encrypt.exe
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\7za.exe
%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe
C:\temp\mimic_log.txt
%TEMP%\7zipsfx.000\xdel.exe
%TEMP%\7zipsfx.000\encrypt.exe
%TEMP%\7zipsfx.000\7dyedhqu59c.exe
%TEMP%\7zipsfx.000\everything2.ini
%TEMP%\7zipsfx.000\everything.ini
%TEMP%\7zipsfx.000\everything64.dll
%TEMP%\7zipsfx.000\everything32.dll
%TEMP%\7zipsfx.000\everything.exe
%TEMP%\7zsfx000.cmd
%LOCALAPPDATA%\instruction.txt

Deletes the following files

%TEMP%\7zipsfx.000\7dyedhqu59c.exe
%TEMP%\7zipsfx.000\7za.exe
%TEMP%\7zipsfx.000\encrypt.exe
%TEMP%\7zipsfx.000\everything.exe
%TEMP%\7zipsfx.000\xdel.exe
%TEMP%\7zipsfx.000\everything.ini
%TEMP%\7zipsfx.000\everything2.ini
%TEMP%\7zipsfx.000\everything32.dll
%TEMP%\7zipsfx.000\everything64.dll
%TEMP%\7zsfx000.cmd

Moves the following files

from %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\favicons.sqlite to %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\favicons.sqlite.7dyedhqu59c
from %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\places.sqlite to %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\places.sqlite.7dyedhqu59c
from %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\blist.sqlite to %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\blist.sqlite.7dyedhqu59c
from %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\global-messages-db.sqlite to %APPDATA%\thunderbird\profiles\npsdfqy3.default-release\global-messages-db.sqlite.7dyedhqu59c

Modifies the following files

%APPDATA%\thunderbird\profiles\npsdfqy3.default-release\favicons.sqlite.7dyedhqu59c
%APPDATA%\thunderbird\profiles\npsdfqy3.default-release\places.sqlite.7dyedhqu59c
%APPDATA%\thunderbird\profiles\npsdfqy3.default-release\blist.sqlite.7dyedhqu59c
%APPDATA%\thunderbird\profiles\npsdfqy3.default-release\global-messages-db.sqlite.7dyedhqu59c
%HOMEPATH%\desktop\fi51.doc.7dyedhqu59c
%HOMEPATH%\desktop\cveuropeo.doc.7dyedhqu59c
%LOCALAPPDATA%low\oracle\java\au\au.msi.7dyedhqu59c
%LOCALAPPDATA%\thunderbird\profiles\npsdfqy3.default-release\startupcache\startupcache.8.little.7dyedhqu59c
%LOCALAPPDATA%low\sun\java\jre1.8.0_45_x64\jre1.8.0_45.msi.7dyedhqu59c
C:\recovery\fc7d0508-3f8d-11ed-bf82-c9aa0b5639b5\winre.wim.7dyedhqu59c
C:\recovery\fc7d0508-3f8d-11ed-bf82-c9aa0b5639b5\boot.sdi.7dyedhqu59c

Deletes itself.

Network activity

Connects to

'<LOCALNET>.11.0':445
'<LOCALNET>.11.161':445
'<LOCALNET>.11.162':445
'<LOCALNET>.11.163':445
'<LOCALNET>.11.164':445
'<LOCALNET>.11.165':445
'<LOCALNET>.11.166':445
'<LOCALNET>.11.167':445
'<LOCALNET>.11.168':445
'<LOCALNET>.11.169':445
'<LOCALNET>.11.170':445
'<LOCALNET>.11.171':445
'<LOCALNET>.11.172':445
'<LOCALNET>.11.173':445
'<LOCALNET>.11.175':445
'<LOCALNET>.11.189':445
'<LOCALNET>.11.176':445
'<LOCALNET>.11.177':445
'<LOCALNET>.11.178':445
'<LOCALNET>.11.179':445
'<LOCALNET>.11.180':445
'<LOCALNET>.11.181':445
'<LOCALNET>.11.182':445
'<LOCALNET>.11.183':445
'<LOCALNET>.11.184':445
'<LOCALNET>.11.185':445
'<LOCALNET>.11.186':445
'<LOCALNET>.11.187':445
'<LOCALNET>.11.188':445
'<LOCALNET>.11.160':445
'<LOCALNET>.11.174':445
'<LOCALNET>.11.159':445
'<LOCALNET>.11.142':445
'<LOCALNET>.11.129':445
'<LOCALNET>.11.130':445
'<LOCALNET>.11.131':445
'<LOCALNET>.11.132':445
'<LOCALNET>.11.133':445
'<LOCALNET>.11.134':445
'<LOCALNET>.11.135':445
'<LOCALNET>.11.136':445
'<LOCALNET>.11.137':445
'<LOCALNET>.11.138':445
'<LOCALNET>.11.139':445
'<LOCALNET>.11.140':445
'<LOCALNET>.11.141':445
'<LOCALNET>.11.143':445
'<LOCALNET>.11.157':445
'<LOCALNET>.11.144':445
'<LOCALNET>.11.145':445
'<LOCALNET>.11.146':445
'<LOCALNET>.11.147':445
'<LOCALNET>.11.148':445
'<LOCALNET>.11.149':445
'<LOCALNET>.11.150':445
'<LOCALNET>.11.151':445
'<LOCALNET>.11.152':445
'<LOCALNET>.11.153':445
'<LOCALNET>.11.154':445
'<LOCALNET>.11.155':445
'<LOCALNET>.11.156':445
'<LOCALNET>.11.158':445
'<LOCALNET>.11.207':445
'<LOCALNET>.11.253':445
'<LOCALNET>.11.192':445
'<LOCALNET>.11.225':445
'<LOCALNET>.11.226':445
'<LOCALNET>.11.227':445
'<LOCALNET>.11.228':445
'<LOCALNET>.11.229':445
'<LOCALNET>.11.230':445
'<LOCALNET>.11.231':445
'<LOCALNET>.11.232':445
'<LOCALNET>.11.233':445
'<LOCALNET>.11.234':445
'<LOCALNET>.11.235':445
'<LOCALNET>.11.236':445
'<LOCALNET>.11.237':445
'<LOCALNET>.11.239':445
'<LOCALNET>.11.191':445
'<LOCALNET>.11.240':445
'<LOCALNET>.11.241':445
'<LOCALNET>.11.242':445
'<LOCALNET>.11.243':445
'<LOCALNET>.11.244':445
'<LOCALNET>.11.245':445
'<LOCALNET>.11.246':445
'<LOCALNET>.11.247':445
'<LOCALNET>.11.248':445
'<LOCALNET>.11.249':445
'<LOCALNET>.11.250':445
'<LOCALNET>.11.251':445
'<LOCALNET>.11.252':445
'<LOCALNET>.11.224':445
'<LOCALNET>.11.128':445
'<LOCALNET>.11.223':445
'<LOCALNET>.11.206':445
'<LOCALNET>.11.193':445
'<LOCALNET>.11.194':445
'<LOCALNET>.11.195':445
'<LOCALNET>.11.196':445
'<LOCALNET>.11.197':445
'<LOCALNET>.11.198':445
'<LOCALNET>.11.199':445
'<LOCALNET>.11.200':445
'<LOCALNET>.11.201':445
'<LOCALNET>.11.202':445
'<LOCALNET>.11.203':445
'<LOCALNET>.11.204':445
'<LOCALNET>.11.205':445
'<LOCALNET>.11.190':445
'<LOCALNET>.11.221':445
'<LOCALNET>.11.208':445
'<LOCALNET>.11.209':445
'<LOCALNET>.11.210':445
'<LOCALNET>.11.211':445
'<LOCALNET>.11.212':445
'<LOCALNET>.11.213':445
'<LOCALNET>.11.214':445
'<LOCALNET>.11.215':445
'<LOCALNET>.11.216':445
'<LOCALNET>.11.217':445
'<LOCALNET>.11.218':445
'<LOCALNET>.11.219':445
'<LOCALNET>.11.220':445
'<LOCALNET>.11.222':445
'<LOCALNET>.11.238':445
'<LOCALNET>.11.127':445
'<LOCALNET>.11.110':445
'<LOCALNET>.11.33':445
'<LOCALNET>.11.34':445
'<LOCALNET>.11.35':445
'<LOCALNET>.11.36':445
'<LOCALNET>.11.37':445
'<LOCALNET>.11.38':445
'<LOCALNET>.11.39':445
'<LOCALNET>.11.40':445
'<LOCALNET>.11.41':445
'<LOCALNET>.11.42':445
'<LOCALNET>.11.43':445
'<LOCALNET>.11.44':445
'<LOCALNET>.11.45':445
'<LOCALNET>.11.47':445
'<LOCALNET>.11.61':445
'<LOCALNET>.11.48':445
'<LOCALNET>.11.49':445
'<LOCALNET>.11.50':445
'<LOCALNET>.11.51':445
'<LOCALNET>.11.52':445
'<LOCALNET>.11.53':445
'<LOCALNET>.11.54':445
'<LOCALNET>.11.55':445
'<LOCALNET>.11.56':445
'<LOCALNET>.11.57':445
'<LOCALNET>.11.58':445
'<LOCALNET>.11.59':445
'<LOCALNET>.11.60':445
'<LOCALNET>.11.32':445
'<LOCALNET>.11.46':445
'<LOCALNET>.11.31':445
'<LOCALNET>.11.14':445
'<LOCALNET>.11.1':445
'<LOCALNET>.11.2':445
'<LOCALNET>.11.3':445
'<LOCALNET>.11.4':445
'<LOCALNET>.11.5':445
'<LOCALNET>.11.6':445
'<LOCALNET>.11.7':445
'<LOCALNET>.11.8':445
'<LOCALNET>.11.9':445
'<LOCALNET>.11.10':445
'<LOCALNET>.11.11':445
'<LOCALNET>.11.12':445
'<LOCALNET>.11.13':445
'<LOCALNET>.11.15':445
'<LOCALNET>.11.29':445
'<LOCALNET>.11.16':445
'<LOCALNET>.11.17':445
'<LOCALNET>.11.18':445
'<LOCALNET>.11.19':445
'<LOCALNET>.11.20':445
'<LOCALNET>.11.21':445
'<LOCALNET>.11.22':445
'<LOCALNET>.11.23':445
'<LOCALNET>.11.24':445
'<LOCALNET>.11.25':445
'<LOCALNET>.11.26':445
'<LOCALNET>.11.27':445
'<LOCALNET>.11.28':445
'<LOCALNET>.11.30':445
'<LOCALNET>.11.79':445
'<LOCALNET>.11.125':445
'<LOCALNET>.11.64':445
'<LOCALNET>.11.97':445
'<LOCALNET>.11.98':445
'<LOCALNET>.11.99':445
'<LOCALNET>.11.100':445
'<LOCALNET>.11.101':445
'<LOCALNET>.11.102':445
'<LOCALNET>.11.103':445
'<LOCALNET>.11.104':445
'<LOCALNET>.11.105':445
'<LOCALNET>.11.106':445
'<LOCALNET>.11.107':445
'<LOCALNET>.11.108':445
'<LOCALNET>.11.109':445
'<LOCALNET>.11.111':445
'<LOCALNET>.11.63':445
'<LOCALNET>.11.112':445
'<LOCALNET>.11.113':445
'<LOCALNET>.11.114':445
'<LOCALNET>.11.115':445
'<LOCALNET>.11.116':445
'<LOCALNET>.11.117':445
'<LOCALNET>.11.118':445
'<LOCALNET>.11.119':445
'<LOCALNET>.11.120':445
'<LOCALNET>.11.121':445
'<LOCALNET>.11.122':445
'<LOCALNET>.11.123':445
'<LOCALNET>.11.124':445
'<LOCALNET>.11.96':445
'<LOCALNET>.11.126':445
'<LOCALNET>.11.95':445
'<LOCALNET>.11.78':445
'<LOCALNET>.11.65':445
'<LOCALNET>.11.66':445
'<LOCALNET>.11.67':445
'<LOCALNET>.11.68':445
'<LOCALNET>.11.69':445
'<LOCALNET>.11.70':445
'<LOCALNET>.11.71':445
'<LOCALNET>.11.72':445
'<LOCALNET>.11.73':445
'<LOCALNET>.11.74':445
'<LOCALNET>.11.75':445
'<LOCALNET>.11.76':445
'<LOCALNET>.11.77':445
'<LOCALNET>.11.62':445
'<LOCALNET>.11.93':445
'<LOCALNET>.11.80':445
'<LOCALNET>.11.81':445
'<LOCALNET>.11.82':445
'<LOCALNET>.11.83':445
'<LOCALNET>.11.84':445
'<LOCALNET>.11.85':445
'<LOCALNET>.11.86':445
'<LOCALNET>.11.87':445
'<LOCALNET>.11.88':445
'<LOCALNET>.11.89':445
'<LOCALNET>.11.90':445
'<LOCALNET>.11.91':445
'<LOCALNET>.11.92':445
'<LOCALNET>.11.94':445
'<LOCALNET>.11.254':445

Miscellaneous

Searches for the following windows

ClassName: 'EVERYTHING_TASKBAR_NOTIFICATION' WindowName: ''

Creates and executes the following

'%TEMP%\7zipsfx.000\7za.exe' i
'%TEMP%\7zipsfx.000\7za.exe' x -y -p1794527295111223482 Everything64.dll
'%TEMP%\7zipsfx.000\7dyedhqu59c.exe'
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe'
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything.exe' -startup
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e watch -pid 2024 -!
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e ul2
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e ul1
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-VM | Stop-VM"' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -S e9a42b02-d5df-448d-aa00-03f14749eb61' (with hidden window)
'%TEMP%\7zipsfx.000\7za.exe' x -y -p1794527295111223482 Everything64.dll' (with hidden window)
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e watch -pid 2024 -!' (with hidden window)
'%TEMP%\7zipsfx.000\7za.exe' i' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0' (with hidden window)
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0' (with hidden window)
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c DC.exe /D' (with hidden window)
'%TEMP%\7zipsfx.000\7dyedhqu59c.exe' ' (with hidden window)
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e ul1' (with hidden window)
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\conupdate.exe' -e ul2' (with hidden window)
'%LOCALAPPDATA%\{288d3514-4b27-0929-c18f-74352f8d2629}\everything.exe' -startup' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"' (with hidden window)
'<SYSTEM32>\powercfg.exe' -H off' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c DC.exe /D
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-VM | Stop-VM"
'<SYSTEM32>\powercfg.exe' -S e9a42b02-d5df-448d-aa00-03f14749eb61
'<SYSTEM32>\powercfg.exe' -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
'<SYSTEM32>\powercfg.exe' -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
'<SYSTEM32>\powercfg.exe' -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
'<SYSTEM32>\powercfg.exe' -H off
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней