Trojan.Encoder.33510

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdateCheck' = '<Full path to file>'

Creates or modifies the following files

%HOMEPATH%\start menu\programs\startup\.a8d68e42e88bfdf0d21e

Creates the following files on removable media

<Drive name for removable media>:\.a8d68e42e88bfdf0d21e
<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\delete.avi

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

deletes volume shadow copies.

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /F /IM Veeam.Backup.Agent.ConfigurationService.exe
'%WINDIR%\syswow64\net.exe' stop "igfxCUIService2.0.0.0"
'%WINDIR%\syswow64\net.exe' stop U8WorkerService2
'%WINDIR%\syswow64\net.exe' stop HaoZipSvc
'%WINDIR%\syswow64\net.exe' stop UIODetect
'%WINDIR%\syswow64\taskkill.exe' /IM sqlservr.exe /F
'%WINDIR%\syswow64\taskkill.exe' /IM ThunderPlatform.exe /F
'%WINDIR%\syswow64\taskkill.exe' /IM BackupExec.exe /F
'%WINDIR%\syswow64\taskkill.exe' /IM VBoxSDS.exe /F
'%WINDIR%\syswow64\net.exe' stop "SQLAgent$SHOPCONTROL9"
'%WINDIR%\syswow64\net.exe' stop "NetBackup Client Service"
'%WINDIR%\syswow64\taskkill.exe' /IM pg_ctl.exe /F
'%WINDIR%\syswow64\taskkill.exe' /IM ReportingServicesService.exe /F
'%WINDIR%\syswow64\net.exe' stop "ReportServer$SHOPCONTROL9"
'%WINDIR%\syswow64\taskkill.exe' /F /IM Veeam.Backup.BrokerService.exe
'%WINDIR%\syswow64\taskkill.exe' /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F
'%WINDIR%\syswow64\taskkill.exe' /IM DDSoftPwsTomcat9.exe /F
'%WINDIR%\syswow64\net.exe' stop "MSSQLFDLauncher$SHOPCONTROL9"
'%WINDIR%\syswow64\net.exe' stop "MSSQL$SHOPCONTROL9"
'%WINDIR%\syswow64\net.exe' stop "MSOLAP$SHOPCONTROL9"
'%WINDIR%\syswow64\taskkill.exe' /IM Tomcat7w.exe /F
'%WINDIR%\syswow64\net.exe' stop U8WorkerService1
'%WINDIR%\syswow64\net.exe' stop VMwareHostd

Modifies file system

Creates the following files

C:\users\public\pictures\killer.bat
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\how to back your files.txt
%HOMEPATH%\local settings\how to back your files.txt
%HOMEPATH%\local settings\virtualstore\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\virtualstore\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\updates\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\updates\how to back your files.txt
%HOMEPATH%\local settings\iconcache.db
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\how to back your files.txt
%HOMEPATH%\local settings\temp\microsoft .net framework 4.7.1 setup_20200610_200621826-msi_netfx_full_x64.msi.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\virtualized\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\low\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\temp\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\temp\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt
%HOMEPATH%\local settings\temp\dd_ndp471-kb4033342-x86-x64-allos-enu_decompression_log.txt
%HOMEPATH%\local settings\temp\dd_setuputility.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\0\how to back your files.txt
%HOMEPATH%\local settings\<INETFILES>\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052858_840.txt
%HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031101_060.txt
%HOMEPATH%\local settings\temp\jawshtml.html
%HOMEPATH%\local settings\temp\microsoft .net framework 4.5 setup_20150506_155317844.html
%HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt
%HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215.html
%HOMEPATH%\local settings\temp\microsoft .net framework 4.7.1 setup_20200610_195959602.html
%HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052908_497.txt
%HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031056_919.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\0\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\1\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\1\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\4\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\4\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\3\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\3\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\2\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\2\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\gdipfontcachev1.dat
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\accessories\accessibility\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\total commander\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\total commander\how to back your files.txt
%HOMEPATH%\start menu\programs\telegram desktop\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\telegram desktop\how to back your files.txt
%HOMEPATH%\start menu\programs\maintenance\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\maintenance\how to back your files.txt
%HOMEPATH%\start menu\programs\winrar\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\winrar\how to back your files.txt
%HOMEPATH%\start menu\programs\mail.ru\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\icq\how to back your files.txt
%HOMEPATH%\start menu\programs\administrative tools\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\administrative tools\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\accessories\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\system tools\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\mail.ru\how to back your files.txt
%HOMEPATH%\start menu\programs\icq\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\how to back your files.txt
%HOMEPATH%\start menu\programs\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\how to back your files.txt
<Current directory>\ids.txt
z:\.a8d68e42e88bfdf0d21e
z:\system volume information\.a8d68e42e88bfdf0d21e
C:\.a8d68e42e88bfdf0d21e
C:\how to back your files.txt
C:\users\.a8d68e42e88bfdf0d21e
C:\users\how to back your files.txt
%ALLUSERSPROFILE%\local\.a8d68e42e88bfdf0d21e
%HOMEPATH%\.a8d68e42e88bfdf0d21e
%HOMEPATH%\voip\.a8d68e42e88bfdf0d21e
%HOMEPATH%\voip\how to back your files.txt
%HOMEPATH%\videos\.a8d68e42e88bfdf0d21e
%HOMEPATH%\videos\how to back your files.txt
%HOMEPATH%\templates\.a8d68e42e88bfdf0d21e
%HOMEPATH%\templates\how to back your files.txt
%HOMEPATH%\start menu\.a8d68e42e88bfdf0d21e
%HOMEPATH%\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\system tools\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\accessibility\how to back your files.txt
%HOMEPATH%\my documents\my music\.a8d68e42e88bfdf0d21e
%HOMEPATH%\sendto\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms
%HOMEPATH%\recent\customdestinations\how to back your files.txt
%HOMEPATH%\recent\automaticdestinations\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms
%HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms
%HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms
%HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms
%HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms
%HOMEPATH%\recent\automaticdestinations\how to back your files.txt
%HOMEPATH%\pictures\.a8d68e42e88bfdf0d21e
%HOMEPATH%\pictures\how to back your files.txt
%HOMEPATH%\nethood\.a8d68e42e88bfdf0d21e
%HOMEPATH%\nethood\how to back your files.txt
%HOMEPATH%\my documents\.a8d68e42e88bfdf0d21e
%HOMEPATH%\my documents\how to back your files.txt
%HOMEPATH%\printhood\.a8d68e42e88bfdf0d21e
%HOMEPATH%\printhood\how to back your files.txt
%HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms
%HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms
%HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms
%HOMEPATH%\sendto\desktop (create shortcut).desklink
%HOMEPATH%\sendto\mail recipient.mapimail
%HOMEPATH%\sendto\how to back your files.txt
%HOMEPATH%\searches\.a8d68e42e88bfdf0d21e
%HOMEPATH%\searches\how to back your files.txt
%HOMEPATH%\saved games\.a8d68e42e88bfdf0d21e
%HOMEPATH%\saved games\how to back your files.txt
%HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget
%HOMEPATH%\recent\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\customdestinations\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms
%HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms
%HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms
%HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms
%HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms
%HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms
%HOMEPATH%\recent\how to back your files.txt
%HOMEPATH%\my documents\my music\how to back your files.txt
D:\.a8d68e42e88bfdf0d21e

Sets the 'hidden' attribute to the following files

%ALLUSERSPROFILE%\local\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\administrative tools\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.ie5\0u8lpyu9\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.ie5\bzjx5bke\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.ie5\caasbycl\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.ie5\re1n75kr\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.ie5\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.mra.images\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.mso\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\content.word\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\low\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\virtualized\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\<INETFILES>\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\0\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\1\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\2\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\3\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\updates\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\.a8d68e42e88bfdf0d21e
%HOMEPATH%\templates\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\startup\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\telegram desktop\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\total commander\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\winrar\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\.a8d68e42e88bfdf0d21e
%HOMEPATH%\videos\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\mail.ru\.a8d68e42e88bfdf0d21e
%HOMEPATH%\voip\.a8d68e42e88bfdf0d21e
%HOMEPATH%\.a8d68e42e88bfdf0d21e
C:\users\.a8d68e42e88bfdf0d21e
C:\.a8d68e42e88bfdf0d21e
z:\system volume information\.a8d68e42e88bfdf0d21e
z:\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\temp\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\4\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\icq\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\accessories\system tools\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\maintenance\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\virtualstore\.a8d68e42e88bfdf0d21e
%HOMEPATH%\local settings\.a8d68e42e88bfdf0d21e
%HOMEPATH%\my documents\my music\.a8d68e42e88bfdf0d21e
%HOMEPATH%\my documents\.a8d68e42e88bfdf0d21e
%HOMEPATH%\nethood\.a8d68e42e88bfdf0d21e
%HOMEPATH%\pictures\.a8d68e42e88bfdf0d21e
%HOMEPATH%\printhood\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\automaticdestinations\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\customdestinations\.a8d68e42e88bfdf0d21e
%HOMEPATH%\recent\.a8d68e42e88bfdf0d21e
%HOMEPATH%\saved games\.a8d68e42e88bfdf0d21e
%HOMEPATH%\searches\.a8d68e42e88bfdf0d21e
%HOMEPATH%\sendto\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\accessories\accessibility\.a8d68e42e88bfdf0d21e
%HOMEPATH%\start menu\programs\accessories\.a8d68e42e88bfdf0d21e
<Drive name for removable media>:\.a8d68e42e88bfdf0d21e

Moves the following files

from %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget to %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt to %HOMEPATH%\local settings\temp\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_ndp471-kb4033342-x86-x64-allos-enu_decompression_log.txt to %HOMEPATH%\local settings\temp\dd_ndp471-kb4033342-x86-x64-allos-enu_decompression_log.txt.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms to %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_setuputility.txt to %HOMEPATH%\local settings\temp\dd_setuputility.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052908_497.txt to %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052908_497.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031056_919.txt to %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031056_919.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031101_060.txt to %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20200611_031101_060.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\jawshtml.html to %HOMEPATH%\local settings\temp\jawshtml.html.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\microsoft .net framework 4.5 setup_20150506_155317844.html to %HOMEPATH%\local settings\temp\microsoft .net framework 4.5 setup_20150506_155317844.html.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt to %HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\iconcache.db to %HOMEPATH%\local settings\iconcache.db.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\gdipfontcachev1.dat to %HOMEPATH%\local settings\gdipfontcachev1.dat.globeimposter-alpha666qqz
from %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\sendto\mail recipient.mapimail to %HOMEPATH%\sendto\mail recipient.mapimail.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms to %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms to %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms to %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms to %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215.html to %HOMEPATH%\local settings\temp\microsoft .net framework 4.5.2 setup_20151216_212237215.html.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052858_840.txt to %HOMEPATH%\local settings\temp\dd_wcf_ca_smci_20151217_052858_840.txt.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms to %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms to %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms to %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms to %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\sendto\desktop (create shortcut).desklink to %HOMEPATH%\sendto\desktop (create shortcut).desklink.globeimposter-alpha666qqz
from %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms.globeimposter-alpha666qqz
from %HOMEPATH%\local settings\temp\microsoft .net framework 4.7.1 setup_20200610_195959602.html to %HOMEPATH%\local settings\temp\microsoft .net framework 4.7.1 setup_20200610_195959602.html.globeimposter-alpha666qqz

Modifies the following files

Changes user data files extensions (Trojan.Encoder).

Network activity

Connects to

'google.com':443
'bing.com':443

TCP

'google.com':443
'bing.com':443

UDP

DNS ASK google.com
DNS ASK bing.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""C:\Users\Public\Pictures\killer.bat" "
'%WINDIR%\syswow64\net1.exe' stop "ReportServer$SHOPCONTROL9"
'%WINDIR%\syswow64\sc.exe' delete eCardMPService
'%WINDIR%\syswow64\sc.exe' delete "UWS LoPriv Services"
'%WINDIR%\syswow64\sc.exe' delete SQLSERVERAGENT
'%WINDIR%\syswow64\sc.exe' delete OracleOraDb11g_home1TNSListener
'%WINDIR%\syswow64\net1.exe' stop U8WorkerService1
'%WINDIR%\syswow64\sc.exe' delete EnergyDataService
'%WINDIR%\syswow64\sc.exe' delete ftnlsv3
'%WINDIR%\syswow64\sc.exe' delete "XT800Service_Personal"
'%WINDIR%\syswow64\sc.exe' delete OracleOraDb11g_home1ClrAgent
'%WINDIR%\syswow64\sc.exe' delete MSCRMAsyncService
'%WINDIR%\syswow64\net1.exe' stop UIODetect
'%WINDIR%\syswow64\sc.exe' delete SQLWriter
'%WINDIR%\syswow64\sc.exe' delete OracleVssWriterORCL
'%WINDIR%\syswow64\sc.exe' delete ftnlses3
'%WINDIR%\syswow64\sc.exe' delete UI0Detect
'%WINDIR%\syswow64\sc.exe' delete REPLICA
'%WINDIR%\syswow64\net1.exe' stop U8WorkerService2
'%WINDIR%\syswow64\net1.exe' stop "igfxCUIService2.0.0.0"
'%WINDIR%\syswow64\net1.exe' stop "SQLAgent$SHOPCONTROL9"
'%WINDIR%\syswow64\net1.exe' stop HaoZipSvc
'%WINDIR%\syswow64\sc.exe' delete "eCard-TTransServer"
'%WINDIR%\syswow64\cmd.exe' /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabl...
'%WINDIR%\syswow64\net1.exe' stop "MSSQLFDLauncher$SHOPCONTROL9"
'%WINDIR%\syswow64\cmd.exe' /c "color b & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTROL9" ...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @taskkil...
'%WINDIR%\syswow64\net1.exe' stop "MSOLAP$SHOPCONTROL9"
'%WINDIR%\syswow64\cmd.exe' /c "color b & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManagement...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete Qc...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc d...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc ...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusb...
'%WINDIR%\syswow64\cmd.exe' /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDA...
'%WINDIR%\syswow64\cmd.exe' /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /I...
'%WINDIR%\syswow64\cmd.exe' /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT....
'%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Servi...
'%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer ...
'%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup...
'%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & ...
'%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_ma...
'%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill...
'%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @t...
'%WINDIR%\syswow64\net1.exe' stop "MSSQL$SHOPCONTROL9"
'%WINDIR%\syswow64\sc.exe' delete "DAService_TCP"
'%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop ...
'%WINDIR%\syswow64\sc.exe' delete OracleServiceORCL
'%WINDIR%\syswow64\sc.exe' delete SQLBrowser

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial