Trojan.DownLoader6.25596

Added to the Dr.Web virus database: 2012-07-01

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdater' = '%APPDATA%\Svchost.bat'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdater' = '%APPDATA%\Svchost.bat'
Malicious functions:
Creates and executes the following:
  • %APPDATA%\Svchost.bat
Executes the following:
Modifies file system:
Creates the following files:
Sets the 'hidden' attribute to the following files:
  • %APPDATA%\Svchost.bat
Deletes the following files:
Moves itself:
  • from <Full path to virus> to %TEMP%\tmpG281.tmp
Network activity:
Connects to:
  • 'te####15.zapto.org':7777
UDP:
  • DNS ASK te####15.zapto.org
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected device and run a full system scan; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
