Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Bing Service' = '%APPDATA%\Bing Service.exe'
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- %WINDIR%\temp\notepad.exe
- %HOMEPATH%\desktop\1189.jpeg
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\000814251_video_01.avi
- %HOMEPATH%\desktop\region-north-karelia.jpg
- %HOMEPATH%\desktop\pushkin.jpg
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\parnas_01.jpeg
- %HOMEPATH%\desktop\default.bmp
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\february_catalogue__2015.doc
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\3.jpg
- %HOMEPATH%\desktop\3.jpeg
- %HOMEPATH%\desktop\168.jpeg
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\toolbar.bmp
- %TEMP%\readme.txt
- %WINDIR%\temp\msg\m_turkish.wnry
- %WINDIR%\temp\msg\m_vietnamese.wnry
- %WINDIR%\temp\r.wnry
- %WINDIR%\temp\s.wnry
- %WINDIR%\temp\t.wnry
- %WINDIR%\temp\taskdl.exe
- %WINDIR%\temp\taskse.exe
- %WINDIR%\temp\u.wnry
- %WINDIR%\temp\00000000.pky
- %WINDIR%\temp\00000000.eky
- %WINDIR%\temp\00000000.res
- %WINDIR%\temp\@wanadecryptor@.exe
- %WINDIR%\temp\308741664143573.bat
- %WINDIR%\temp\@please_read_me@.txt
- %HOMEPATH%\desktop\168.jpeg.wncryt
- %HOMEPATH%\desktop\@wanadecryptor@.exe
- %HOMEPATH%\desktop\3.jpeg.wncryt
- %HOMEPATH%\desktop\3.jpg.wncryt
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx.wncryt
- %HOMEPATH%\desktop\february_catalogue__2015.doc.wncryt
- %HOMEPATH%\desktop\fi51.doc.wncryt
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx.wncryt
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx.wncryt
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncryt
- %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncryt
- %HOMEPATH%\desktop\parnas_01.jpeg.wncryt
- %HOMEPATH%\desktop\pushkin.jpeg.wncryt
- %HOMEPATH%\desktop\pushkin.jpg.wncryt
- %HOMEPATH%\desktop\region-north-karelia.jpg.wncryt
- %HOMEPATH%\desktop\@please_read_me@.txt
- %WINDIR%\temp\msg\m_swedish.wnry
- %HOMEPATH%\desktop\1189.jpeg.wncryt
- %WINDIR%\temp\msg\m_spanish.wnry
- %WINDIR%\temp\msg\m_dutch.wnry
- %APPDATA%\mata2.bat
- %APPDATA%\rundll32-.txt
- %APPDATA%\invs.vbs
- %APPDATA%\mata.bat
- %WINDIR%\temp\notepad.exe
- %APPDATA%\per.bat
- %WINDIR%\temp\b.wnry
- %WINDIR%\temp\c.wnry
- %WINDIR%\temp\msg\m_bulgarian.wnry
- %WINDIR%\temp\msg\m_chinese (simplified).wnry
- %WINDIR%\temp\msg\m_chinese (traditional).wnry
- %WINDIR%\temp\msg\m_croatian.wnry
- %WINDIR%\temp\msg\m_czech.wnry
- %WINDIR%\temp\msg\m_danish.wnry
- %WINDIR%\temp\msg\m_english.wnry
- %WINDIR%\temp\msg\m_russian.wnry
- %WINDIR%\temp\msg\m_filipino.wnry
- %WINDIR%\temp\msg\m_finnish.wnry
- %WINDIR%\temp\msg\m_french.wnry
- %WINDIR%\temp\msg\m_german.wnry
- %WINDIR%\temp\msg\m_greek.wnry
- %WINDIR%\temp\msg\m_indonesian.wnry
- %WINDIR%\temp\msg\m_italian.wnry
- %WINDIR%\temp\msg\m_japanese.wnry
- %WINDIR%\temp\msg\m_korean.wnry
- %WINDIR%\temp\msg\m_latvian.wnry
- %WINDIR%\temp\msg\m_norwegian.wnry
- %WINDIR%\temp\msg\m_polish.wnry
- %WINDIR%\temp\msg\m_portuguese.wnry
- %WINDIR%\temp\msg\m_romanian.wnry
- %WINDIR%\temp\msg\m_slovak.wnry
- %WINDIR%\temp\f.wnry
- %APPDATA%\mata2.bat
- %APPDATA%\mata.bat
- %APPDATA%\rundll32-.txt
- %APPDATA%\invs.vbs
- from %HOMEPATH%\desktop\1189.jpeg.wncryt to %HOMEPATH%\desktop\1189.jpeg.wncry
- from %HOMEPATH%\desktop\168.jpeg.wncryt to %HOMEPATH%\desktop\168.jpeg.wncry
- from %HOMEPATH%\desktop\3.jpeg.wncryt to %HOMEPATH%\desktop\3.jpeg.wncry
- from %HOMEPATH%\desktop\3.jpg.wncryt to %HOMEPATH%\desktop\3.jpg.wncry
- from %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx.wncryt to %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx.wncry
- from %HOMEPATH%\desktop\february_catalogue__2015.doc.wncryt to %HOMEPATH%\desktop\february_catalogue__2015.doc.wncry
- from %HOMEPATH%\desktop\fi51.doc.wncryt to %HOMEPATH%\desktop\fi51.doc.wncry
- from %HOMEPATH%\desktop\glidescope_review_rev_010.docx.wncryt to %HOMEPATH%\desktop\glidescope_review_rev_010.docx.wncry
- from %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx.wncryt to %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx.wncry
- from %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncryt to %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncry
- from %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncryt to %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncry
- from %HOMEPATH%\desktop\parnas_01.jpeg.wncryt to %HOMEPATH%\desktop\parnas_01.jpeg.wncry
- from %HOMEPATH%\desktop\pushkin.jpeg.wncryt to %HOMEPATH%\desktop\pushkin.jpeg.wncry
- from %HOMEPATH%\desktop\pushkin.jpg.wncryt to %HOMEPATH%\desktop\pushkin.jpg.wncry
- from %HOMEPATH%\desktop\region-north-karelia.jpg.wncryt to %HOMEPATH%\desktop\region-north-karelia.jpg.wncry
- %HOMEPATH%\desktop\1189.jpeg
- %HOMEPATH%\desktop\168.jpeg
- %HOMEPATH%\desktop\3.jpeg
- %HOMEPATH%\desktop\3.jpg
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\february_catalogue__2015.doc
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\parnas_01.jpeg
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\pushkin.jpg
- %HOMEPATH%\desktop\region-north-karelia.jpg
- '%WINDIR%\temp\notepad.exe'
- '%WINDIR%\temp\taskdl.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\mata.bat" "' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +h .' (with hidden window)
- '%WINDIR%\syswow64\icacls.exe' . /grant Everyone:F /T /C /Q' (with hidden window)
- '%WINDIR%\temp\taskdl.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c 308741664143573.bat' (with hidden window)
- '%WINDIR%\syswow64\notepad.exe' %TEMP%\readme.txt
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\mata.bat" "
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\attrib.exe' +h .
- '%WINDIR%\syswow64\icacls.exe' . /grant Everyone:F /T /C /Q
- '%WINDIR%\syswow64\cmd.exe' /c 308741664143573.bat