Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Bing Service' = '%APPDATA%\Bing Service.exe'
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- notepad.exe
- %HOMEPATH%\desktop\1189.jpeg
- %HOMEPATH%\desktop\13.jpeg
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\parnas_01.jpeg
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\region-north-karelia.jpeg
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\weeklysheet1215.doc
- %HOMEPATH%\desktop\correct.avi
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\tileimage.bmp
- %HOMEPATH%\desktop\toolbar.bmp
- %APPDATA%\mata2.bat
- %WINDIR%\temp\msg\m_turkish.wnry
- %WINDIR%\temp\msg\m_vietnamese.wnry
- %WINDIR%\temp\r.wnry
- %WINDIR%\temp\s.wnry
- %WINDIR%\temp\t.wnry
- %WINDIR%\temp\taskdl.exe
- %WINDIR%\temp\taskse.exe
- %WINDIR%\temp\u.wnry
- %WINDIR%\temp\00000000.pky
- %WINDIR%\temp\00000000.eky
- %WINDIR%\temp\00000000.res
- %WINDIR%\temp\@wanadecryptor@.exe
- %WINDIR%\temp\msg\m_english.wnry
- %WINDIR%\temp\209061620262342.bat
- %HOMEPATH%\desktop\1189.jpeg.wncryt
- %HOMEPATH%\desktop\13.jpeg.wncryt
- %HOMEPATH%\desktop\adhd_and_obesity.docx.wncryt
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx.wncryt
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncryt
- %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncryt
- %HOMEPATH%\desktop\parnas_01.jpeg.wncryt
- %HOMEPATH%\desktop\pushkin.jpeg.wncryt
- %HOMEPATH%\desktop\region-north-karelia.jpeg.wncryt
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx.wncryt
- %HOMEPATH%\desktop\weeklysheet1215.doc.wncryt
- %HOMEPATH%\desktop\@please_read_me@.txt
- %WINDIR%\temp\msg\m_spanish.wnry
- %WINDIR%\temp\msg\m_swedish.wnry
- %WINDIR%\temp\msg\m_slovak.wnry
- %WINDIR%\temp\msg\m_russian.wnry
- %WINDIR%\temp\msg\m_romanian.wnry
- %APPDATA%\invs.vbs
- %APPDATA%\mata.bat
- %WINDIR%\temp\notepad.exe
- %APPDATA%\per.bat
- %WINDIR%\temp\b.wnry
- %WINDIR%\temp\c.wnry
- %WINDIR%\temp\msg\m_bulgarian.wnry
- %WINDIR%\temp\msg\m_chinese (simplified).wnry
- %WINDIR%\temp\msg\m_chinese (traditional).wnry
- %WINDIR%\temp\msg\m_croatian.wnry
- %WINDIR%\temp\msg\m_czech.wnry
- %WINDIR%\temp\msg\m_danish.wnry
- %HOMEPATH%\desktop\@wanadecryptor@.exe
- %WINDIR%\temp\@please_read_me@.txt
- %WINDIR%\temp\msg\m_dutch.wnry
- %WINDIR%\temp\msg\m_finnish.wnry
- %WINDIR%\temp\msg\m_french.wnry
- %WINDIR%\temp\msg\m_german.wnry
- %WINDIR%\temp\msg\m_greek.wnry
- %WINDIR%\temp\msg\m_indonesian.wnry
- %WINDIR%\temp\msg\m_italian.wnry
- %WINDIR%\temp\msg\m_japanese.wnry
- %WINDIR%\temp\msg\m_korean.wnry
- %WINDIR%\temp\msg\m_latvian.wnry
- %WINDIR%\temp\msg\m_norwegian.wnry
- %WINDIR%\temp\msg\m_polish.wnry
- %WINDIR%\temp\msg\m_portuguese.wnry
- %APPDATA%\rundll32-.txt
- %WINDIR%\temp\msg\m_filipino.wnry
- %HOMEPATH%\desktop\correct.avi.wncryt
- %APPDATA%\mata2.bat
- %APPDATA%\mata.bat
- %APPDATA%\rundll32-.txt
- %APPDATA%\invs.vbs
- <Drive name for removable media>:\ovp25012015.doc.wncryt
- from %HOMEPATH%\desktop\1189.jpeg.wncryt to %HOMEPATH%\desktop\1189.jpeg.wncry
- from %HOMEPATH%\desktop\13.jpeg.wncryt to %HOMEPATH%\desktop\13.jpeg.wncry
- from %HOMEPATH%\desktop\adhd_and_obesity.docx.wncryt to %HOMEPATH%\desktop\adhd_and_obesity.docx.wncry
- from %HOMEPATH%\desktop\holycrosschurchinstructions.docx.wncryt to %HOMEPATH%\desktop\holycrosschurchinstructions.docx.wncry
- from %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncryt to %HOMEPATH%\desktop\issi2013_template_for_posters.docx.wncry
- from %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncryt to %HOMEPATH%\desktop\nwfieldnotes1966.docx.wncry
- from %HOMEPATH%\desktop\parnas_01.jpeg.wncryt to %HOMEPATH%\desktop\parnas_01.jpeg.wncry
- from %HOMEPATH%\desktop\pushkin.jpeg.wncryt to %HOMEPATH%\desktop\pushkin.jpeg.wncry
- from %HOMEPATH%\desktop\region-north-karelia.jpeg.wncryt to %HOMEPATH%\desktop\region-north-karelia.jpeg.wncry
- from %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx.wncryt to %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx.wncry
- from %HOMEPATH%\desktop\weeklysheet1215.doc.wncryt to %HOMEPATH%\desktop\weeklysheet1215.doc.wncry
- from %HOMEPATH%\desktop\correct.avi.wncryt to %HOMEPATH%\desktop\correct.avi.wncry
- %HOMEPATH%\desktop\1189.jpeg
- %HOMEPATH%\desktop\13.jpeg
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\parnas_01.jpeg
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\region-north-karelia.jpeg
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\weeklysheet1215.doc
- %HOMEPATH%\desktop\correct.avi
- '%WINDIR%\temp\notepad.exe'
- '%WINDIR%\temp\taskdl.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\mata.bat" "' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +h .' (with hidden window)
- '%WINDIR%\syswow64\icacls.exe' . /grant Everyone:F /T /C /Q' (with hidden window)
- '%WINDIR%\temp\taskdl.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c 209061620262342.bat' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\mata.bat" "
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\attrib.exe' +h .
- '%WINDIR%\syswow64\icacls.exe' . /grant Everyone:F /T /C /Q
- '%WINDIR%\syswow64\cmd.exe' /c 209061620262342.bat