Trojan.Encoder.37229

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'vlc' = '"%APPDATA%\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdateCheck' = '<Full path to file>'

Creates or modifies the following files

Creates the following files on removable media

<Drive name for removable media>:\.c4d1664ef40ce18f8d41
<Drive name for removable media>:\delete.avi
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\toolbar.bmp
<Drive name for removable media>:\default.bmp
<Drive name for removable media>:\dialmap.bmp
<Drive name for removable media>:\tileimage.bmp
<Drive name for removable media>:\coffee.bmp
<Drive name for removable media>:\dashborder_96.bmp
<Drive name for removable media>:\sdksampleprivdeveloper.cer
<Drive name for removable media>:\contosoroot_1.cer
<Drive name for removable media>:\sdkfailsafeemulator.cer
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\fi51.doc
<Drive name for removable media>:\hanni_umami_chapter.doc
<Drive name for removable media>:\february_catalogue__2015.doc

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

Executes the following

'<SYSTEM32>\net.exe' stop U8WorkerService1
'<SYSTEM32>\net.exe' stop MSExchangeHM
'<SYSTEM32>\net.exe' stop "Alibaba Security Aegis Detect Service"
'<SYSTEM32>\taskkill.exe' /IM vm-agent-daemon.exe /F
'<SYSTEM32>\taskkill.exe' /IM SogouImeBroker.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeFrontEndTransport
'<SYSTEM32>\taskkill.exe' /IM java.exe /F
'<SYSTEM32>\net.exe' stop AutoUpdateService
'<SYSTEM32>\net.exe' stop "Alibaba Security Aegis Update Service"
'<SYSTEM32>\taskkill.exe' /IM TeamViewer_Service.exe /F
'<SYSTEM32>\net.exe' stop CASLicenceServer
'<SYSTEM32>\net.exe' stop MSExchangeFastSearch
'<SYSTEM32>\net.exe' stop QPCore
'<SYSTEM32>\net.exe' stop MSExchangeEdgeSync
'<SYSTEM32>\net.exe' stop TeamViewer
'<SYSTEM32>\net.exe' stop MSExchangeDiagnostics
'<SYSTEM32>\net.exe' stop Tomcat8
'<SYSTEM32>\net.exe' stop CASWebServer
'<SYSTEM32>\taskkill.exe' /IM sqlservr.exe /F
'<SYSTEM32>\net.exe' stop MSSQL$SQL2008
'<SYSTEM32>\taskkill.exe' /IM cygrunsrv.exe /F
'<SYSTEM32>\net.exe' stop CASMsgSrv
'<SYSTEM32>\net.exe' stop MSExchangeIMAP4BE
'<SYSTEM32>\net.exe' stop CASVirtualDiskService
'<SYSTEM32>\taskkill.exe' /IM CCenter.exe /F
'<SYSTEM32>\taskkill.exe' /IM bengine.exe /F
'<SYSTEM32>\net.exe' stop iNethinkSQLBackupSvc
'<SYSTEM32>\taskkill.exe' /IM TeamViewer.exe /F
'<SYSTEM32>\taskkill.exe' /IM fdhost.exe /F
'<SYSTEM32>\taskkill.exe' /IM eSightService.exe /F
'<SYSTEM32>\net.exe' stop DDNSService
'<SYSTEM32>\taskkill.exe' /IM BackupExecManagementService.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeImap4
'<SYSTEM32>\net.exe' stop RapService
'<SYSTEM32>\net.exe' stop AGSService
'<SYSTEM32>\net.exe' stop CASXMLService
'<SYSTEM32>\net.exe' stop MSExchangeHMRecovery
'<SYSTEM32>\taskkill.exe' /IM mysqld.exe /F
'<SYSTEM32>\taskkill.exe' /IM mdm.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeDelivery
'<SYSTEM32>\taskkill.exe' /IM rcrelay.exe /F
'<SYSTEM32>\taskkill.exe' /IM vm-agent.exe /F
'<SYSTEM32>\net.exe' stop VMUSBArbService
'<SYSTEM32>\net.exe' stop wanxiao-monitor
'<SYSTEM32>\taskkill.exe' /IM ThunderPlatform.exe /F
'<SYSTEM32>\net.exe' stop MSComplianceAudit
'<SYSTEM32>\net.exe' stop xenlite
'<SYSTEM32>\net.exe' stop VMAuthdService
'<SYSTEM32>\net.exe' stop UFIDAWebService
'<SYSTEM32>\net.exe' stop Realtek11nSU
'<SYSTEM32>\net.exe' stop "igfxCUIService2.0.0.0"
'<SYSTEM32>\net.exe' stop XenSvc
'<SYSTEM32>\net.exe' stop Apache2.4
'<SYSTEM32>\net.exe' stop TeamViewer8
'<SYSTEM32>\net.exe' stop VMwareHostd
'<SYSTEM32>\net.exe' stop "memcached Server"
'<SYSTEM32>\net.exe' stop HaoZipSvc
'<SYSTEM32>\net.exe' stop UIODetect
'<SYSTEM32>\net.exe' stop U8WorkerService2
'<SYSTEM32>\taskkill.exe' /IM fdlauncher.exe /F
'<SYSTEM32>\net.exe' stop "AliyunService"
'<SYSTEM32>\net.exe' stop WebAttendServer
'<SYSTEM32>\net.exe' stop "Synology Drive VSS Service x64"
'<SYSTEM32>\net.exe' stop MSExchangeADTopology
'<SYSTEM32>\taskkill.exe' /IM httpd.exe /F
'<SYSTEM32>\net.exe' stop JWRinfoClientService
'<SYSTEM32>\net.exe' stop "VMware NAT Service"
'<SYSTEM32>\taskkill.exe' /IM Att.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeDagMgmt
'<SYSTEM32>\taskkill.exe' /IM iexplore.exe /F
'<SYSTEM32>\net.exe' stop JWEM3DBAUTORun
'<SYSTEM32>\net.exe' stop VMnetDHCP
'<SYSTEM32>\taskkill.exe' /IM pg_ctl.exe /F
'<SYSTEM32>\net.exe' stop FirebirdGuardianDeafaultInstance
'<SYSTEM32>\taskkill.exe' /IM VBoxSDS.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeCompliance
'<SYSTEM32>\net.exe' stop DellDRLogSvc
'<SYSTEM32>\taskkill.exe' /IM BackupExec.exe /F
'<SYSTEM32>\net.exe' stop MSExchangeAntispamUpdate
'<SYSTEM32>\net.exe' stop mysqltransport
'<SYSTEM32>\net.exe' stop Apache2.2
'<SYSTEM32>\net.exe' stop "OracleOraDb10g_homeliSQL*Plus"

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system

Creates the following files

%TEMP%\test.exe
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\updates\how to back your files.txt
%HOMEPATH%\local settings\how to back your files.txt
%HOMEPATH%\local settings\virtualstore\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\virtualstore\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\updates\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little
%HOMEPATH%\start menu\programs\accessories\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\how to back your files.txt
%HOMEPATH%\start menu\programs\videolan\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\4\how to back your files.txt
%HOMEPATH%\start menu\programs\videolan\vlc.exe
%HOMEPATH%\start menu\programs\videolan\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\how to back your files.txt
%HOMEPATH%\start menu\programs\total commander\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\accessibility\how to back your files.txt
%HOMEPATH%\start menu\programs\telegram desktop\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\2\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\1\how to back your files.txt
%HOMEPATH%\start menu\programs\maintenance\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\3\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\system tools\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\how to back your files.txt
%HOMEPATH%\start menu\programs\winrar\how to back your files.txt
%HOMEPATH%\start menu\programs\accessories\accessibility\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\how to back your files.txt
%HOMEPATH%\start menu\programs\winrar\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\how to back your files.txt
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\iconcache.db
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\0\how to back your files.txt
%HOMEPATH%\local settings\gdipfontcachev1.dat
%HOMEPATH%\my documents\my music\how to back your files.txt
C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
%HOMEPATH%\voip\.c4d1664ef40ce18f8d41
%HOMEPATH%\voip\how to back your files.txt
%HOMEPATH%\videos\.c4d1664ef40ce18f8d41
C:\$recycle.bin\how to back your files.txt
%HOMEPATH%\videos\how to back your files.txt
C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\how to back your files.txt
%HOMEPATH%\sendto\desktop (create shortcut).desklink
%HOMEPATH%\templates\how to back your files.txt
%HOMEPATH%\start menu\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\how to back your files.txt
%HOMEPATH%\sendto\.c4d1664ef40ce18f8d41
%HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget
D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
%HOMEPATH%\templates\.c4d1664ef40ce18f8d41
%HOMEPATH%\how to back your files.txt
D:\.c4d1664ef40ce18f8d41
%TEMP%\luwfhemn.vbs
%APPDATA%\microsoft\windows\start menu\programs\videolan\vlc.exe
%TEMP%\e0ec.tmp\e0ed.tmp\e0ee.bat
%ALLUSERSPROFILE%\local\.c4d1664ef40ce18f8d41
<Current directory>\ids.txt
C:\.c4d1664ef40ce18f8d41
z:\.c4d1664ef40ce18f8d41
C:\users\how to back your files.txt
C:\$recycle.bin\.c4d1664ef40ce18f8d41
D:\$recycle.bin\.c4d1664ef40ce18f8d41
D:\system volume information\.c4d1664ef40ce18f8d41
C:\how to back your files.txt
z:\system volume information\.c4d1664ef40ce18f8d41
C:\users\.c4d1664ef40ce18f8d41
%HOMEPATH%\.c4d1664ef40ce18f8d41
%HOMEPATH%\sendto\mail recipient.mapimail
%HOMEPATH%\sendto\how to back your files.txt
%HOMEPATH%\searches\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms
%HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms
%HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms
%HOMEPATH%\recent\automaticdestinations\how to back your files.txt
%HOMEPATH%\printhood\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\customdestinations\how to back your files.txt
%HOMEPATH%\recent\automaticdestinations\.c4d1664ef40ce18f8d41
%HOMEPATH%\printhood\how to back your files.txt
%HOMEPATH%\nethood\.c4d1664ef40ce18f8d41
%HOMEPATH%\nethood\how to back your files.txt
%HOMEPATH%\my documents\.c4d1664ef40ce18f8d41
%HOMEPATH%\my documents\how to back your files.txt
%HOMEPATH%\my documents\my music\.c4d1664ef40ce18f8d41
%HOMEPATH%\pictures\.c4d1664ef40ce18f8d41
%HOMEPATH%\pictures\how to back your files.txt
%HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms
%HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms
%HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms
%HOMEPATH%\saved games\.c4d1664ef40ce18f8d41
%HOMEPATH%\saved games\how to back your files.txt
%HOMEPATH%\recent\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\how to back your files.txt
%HOMEPATH%\recent\customdestinations\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms
%HOMEPATH%\searches\how to back your files.txt
%HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms
%HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms
%HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms
%HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms
%HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms
%HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms
%HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms
%HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms
%HOMEPATH%\local settings\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\mail.ru\how to back your files.txt

Sets the 'hidden' attribute to the following files

%ALLUSERSPROFILE%\local\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\updates\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\virtualstore\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\accessories\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\winrar\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\accessories\accessibility\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.c4d1664ef40ce18f8d41
%HOMEPATH%\my documents\my music\.c4d1664ef40ce18f8d41
%HOMEPATH%\my documents\.c4d1664ef40ce18f8d41
%HOMEPATH%\nethood\.c4d1664ef40ce18f8d41
C:\.c4d1664ef40ce18f8d41
D:\.c4d1664ef40ce18f8d41
z:\.c4d1664ef40ce18f8d41
C:\$recycle.bin\.c4d1664ef40ce18f8d41
D:\$recycle.bin\.c4d1664ef40ce18f8d41
D:\system volume information\.c4d1664ef40ce18f8d41
z:\system volume information\.c4d1664ef40ce18f8d41
C:\users\.c4d1664ef40ce18f8d41
%HOMEPATH%\.c4d1664ef40ce18f8d41
D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
%HOMEPATH%\voip\.c4d1664ef40ce18f8d41
<Drive name for removable media>:\.c4d1664ef40ce18f8d41
C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
%HOMEPATH%\templates\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\.c4d1664ef40ce18f8d41
%HOMEPATH%\sendto\.c4d1664ef40ce18f8d41
%HOMEPATH%\searches\.c4d1664ef40ce18f8d41
%HOMEPATH%\saved games\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\customdestinations\.c4d1664ef40ce18f8d41
%HOMEPATH%\recent\automaticdestinations\.c4d1664ef40ce18f8d41
%HOMEPATH%\printhood\.c4d1664ef40ce18f8d41
%HOMEPATH%\pictures\.c4d1664ef40ce18f8d41
%HOMEPATH%\videos\.c4d1664ef40ce18f8d41
%HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.c4d1664ef40ce18f8d41
%HOMEPATH%\start menu\programs\videolan\.c4d1664ef40ce18f8d41

Deletes the following files

%TEMP%\test.exe
%TEMP%\e0ec.tmp\e0ed.tmp\e0ee.bat

Moves the following files

from %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget to %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_.globeimposter-alpha865qqz
from %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms to %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms to %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms to %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms to %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms to %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms to %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms to %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms to %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\sendto\mail recipient.mapimail to %HOMEPATH%\sendto\mail recipient.mapimail.globeimposter-alpha865qqz
from %HOMEPATH%\sendto\desktop (create shortcut).desklink to %HOMEPATH%\sendto\desktop (create shortcut).desklink.globeimposter-alpha865qqz
from %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms to %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms.globeimposter-alpha865qqz
from %HOMEPATH%\start menu\programs\videolan\vlc.exe to %HOMEPATH%\start menu\programs\videolan\vlc.exe.globeimposter-alpha865qqz

Modifies the following files

Modifies user data files (Trojan.Encoder).

Changes user data files extensions (Trojan.Encoder).

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\wscript.exe' "%TEMP%\Luwfhemn.vbs"
'%TEMP%\test.exe'
'%TEMP%\test.exe' ' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c "%TEMP%\E0EC.tmp\E0ED.tmp\E0EE.bat %TEMP%\test.exe"
'<SYSTEM32>\sc.exe' delete MSSQL$SQL2008
'<SYSTEM32>\sc.exe' delete VmAgentDaemon
'<SYSTEM32>\sc.exe' delete OSearch16
'<SYSTEM32>\net1.exe' stop Tomcat8
'<SYSTEM32>\sc.exe' delete MsDtsServer100
'<SYSTEM32>\net1.exe' stop MSExchangeDiagnostics
'<SYSTEM32>\sc.exe' delete OpenSSHd
'<SYSTEM32>\sc.exe' delete ProjectCalcService16
'<SYSTEM32>\net1.exe' stop MSExchangeDelivery
'<SYSTEM32>\sc.exe' delete IpOverUsbSvc
'<SYSTEM32>\sc.exe' delete SQLAgent$SQL2008
'<SYSTEM32>\sc.exe' delete eSightService
'<SYSTEM32>\sc.exe' delete c2wts
'<SYSTEM32>\sc.exe' delete KMSELDI
'<SYSTEM32>\net1.exe' stop MSExchangeEdgeSync
'<SYSTEM32>\net1.exe' stop QPCore
'<SYSTEM32>\sc.exe' delete TPlusStdTaskService1300
'<SYSTEM32>\sc.exe' delete apachezt
'<SYSTEM32>\sc.exe' delete btPanel
'<SYSTEM32>\sc.exe' delete KuaiYunTools
'<SYSTEM32>\net1.exe' stop TeamViewer
'<SYSTEM32>\sc.exe' delete SPTraceV4
'<SYSTEM32>\sc.exe' delete "vm-agent"
'<SYSTEM32>\sc.exe' delete TPlusStdAppService1300
'<SYSTEM32>\net1.exe' stop DellDRLogSvc
'<SYSTEM32>\sc.exe' delete ZTEVdservice
'<SYSTEM32>\sc.exe' delete VMAuthdService
'<SYSTEM32>\sc.exe' delete ProjectQueueService16
'<SYSTEM32>\net1.exe' stop FirebirdGuardianDeafaultInstance
'<SYSTEM32>\sc.exe' delete SSMonitorService
'<SYSTEM32>\net1.exe' stop MSExchangeCompliance
'<SYSTEM32>\net1.exe' stop VMnetDHCP
'<SYSTEM32>\sc.exe' delete SPAdminV4
'<SYSTEM32>\sc.exe' delete "Sense Shield Service"
'<SYSTEM32>\net1.exe' stop JWEM3DBAUTORun
'<SYSTEM32>\sc.exe' delete kbasesrv
'<SYSTEM32>\sc.exe' delete SSSyncService
'<SYSTEM32>\net1.exe' stop MSExchangeDagMgmt
'<SYSTEM32>\net1.exe' stop "VMware NAT Service"
'<SYSTEM32>\sc.exe' delete SPSearchHostController
'<SYSTEM32>\sc.exe' delete MMRHookService
'<SYSTEM32>\sc.exe' delete VMwareHostd
'<SYSTEM32>\sc.exe' delete SPTimerV4
'<SYSTEM32>\sc.exe' delete OracleJobSchedulerORCL
'<SYSTEM32>\sc.exe' delete VMUSBArbService
'<SYSTEM32>\net1.exe' stop CASLicenceServer
'<SYSTEM32>\sc.exe' delete Jenkins
'<SYSTEM32>\sc.exe' delete GPSGatewaySvr
'<SYSTEM32>\sc.exe' delete TPlusStdUpgradeService1300
'<SYSTEM32>\sc.exe' delete OracleRemExecService
'<SYSTEM32>\net1.exe' stop AGSService
'<SYSTEM32>\sc.exe' delete GPSDaemon
'<SYSTEM32>\sc.exe' delete 360EntHttpServer
'<SYSTEM32>\net1.exe' stop RapService
'<SYSTEM32>\sc.exe' delete GPSUserSvr
'<SYSTEM32>\sc.exe' delete 360EntSvc
'<SYSTEM32>\net1.exe' stop MSExchangeImap4
'<SYSTEM32>\net1.exe' stop CASXMLService
'<SYSTEM32>\sc.exe' delete zyb_sync
'<SYSTEM32>\net1.exe' stop DDNSService
'<SYSTEM32>\net1.exe' stop iNethinkSQLBackupSvc
'<SYSTEM32>\sc.exe' delete GPSStorageSvr
'<SYSTEM32>\sc.exe' delete NFWebServer
'<SYSTEM32>\net1.exe' stop CASVirtualDiskService
'<SYSTEM32>\sc.exe' delete GPSDataProcSvr
'<SYSTEM32>\net1.exe' stop MSExchangeIMAP4BE
'<SYSTEM32>\net1.exe' stop CASMsgSrv
'<SYSTEM32>\sc.exe' delete wampapache
'<SYSTEM32>\sc.exe' delete GPSDownSvr
'<SYSTEM32>\sc.exe' delete 360EntClientSvc
'<SYSTEM32>\net1.exe' stop MSExchangeHMRecovery
'<SYSTEM32>\sc.exe' delete "OSP Service"
'<SYSTEM32>\sc.exe' delete QQCertificateService
'<SYSTEM32>\net1.exe' stop CASWebServer
'<SYSTEM32>\sc.exe' delete secbizsrv
'<SYSTEM32>\sc.exe' delete VirboxWebServer
'<SYSTEM32>\sc.exe' delete 2345PicSvc
'<SYSTEM32>\net1.exe' stop AutoUpdateService
'<SYSTEM32>\net1.exe' stop MSExchangeFrontEndTransport
'<SYSTEM32>\sc.exe' delete SQLTELEMETRY
'<SYSTEM32>\sc.exe' delete vmware-converter-agent
'<SYSTEM32>\sc.exe' delete jhi_service
'<SYSTEM32>\sc.exe' delete Protect_2345Explorer
'<SYSTEM32>\net1.exe' stop "Alibaba Security Aegis Detect Service"
'<SYSTEM32>\net1.exe' stop MSExchangeHM
'<SYSTEM32>\sc.exe' delete LMS
'<SYSTEM32>\sc.exe' delete MSMQ
'<SYSTEM32>\net1.exe' stop "Alibaba Security Aegis Update Service"
'<SYSTEM32>\sc.exe' delete vmware-converter-worker
'<SYSTEM32>\sc.exe' delete "FontCache3.0.0.0"
'<SYSTEM32>\net1.exe' stop MSSQL$SQL2008
'<SYSTEM32>\sc.exe' delete smtpsvrJT
'<SYSTEM32>\net1.exe' stop "AliyunService"
'<SYSTEM32>\sc.exe' delete vmware-converter-server
'<SYSTEM32>\sc.exe' delete AlibabaProtect
'<SYSTEM32>\net1.exe' stop MSExchangeFastSearch
'<SYSTEM32>\sc.exe' delete ProjectEventService16
'<SYSTEM32>\net1.exe' stop UIODetect
'<SYSTEM32>\sc.exe' delete VMTools
'<SYSTEM32>\sc.exe' delete ftnlses3
'<SYSTEM32>\sc.exe' delete ImeDictUpdateService
'<SYSTEM32>\sc.exe' delete FxService
'<SYSTEM32>\sc.exe' delete "UtilDev Web Server Pro"
'<SYSTEM32>\sc.exe' delete VGAuthService
'<SYSTEM32>\sc.exe' delete ftusbrdwks
'<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & ...
'<SYSTEM32>\sc.exe' delete "UWS LoPriv Services"
'<SYSTEM32>\sc.exe' delete ftnlsv3
'<SYSTEM32>\sc.exe' delete ftusbrdsrv
'<SYSTEM32>\sc.exe' delete MSDTC
'<SYSTEM32>\sc.exe' delete "eCard-TTransServer"
'<SYSTEM32>\net1.exe' stop U8WorkerService1
'<SYSTEM32>\sc.exe' delete "ZTE USBIP Client Guard"
'<SYSTEM32>\sc.exe' delete MSCRMAsyncService
'<SYSTEM32>\sc.exe' delete eCardMPService
'<SYSTEM32>\sc.exe' delete MCService
'<SYSTEM32>\sc.exe' delete REPLICA
'<SYSTEM32>\sc.exe' delete XT800Service_Personal
'<SYSTEM32>\sc.exe' delete "DAService_TCP"
'<SYSTEM32>\sc.exe' delete JhTask
'%WINDIR%\syswow64\cmd.exe' /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabl...
'<SYSTEM32>\sc.exe' delete aspnet_state @sc delete Redis
'<SYSTEM32>\cmd.exe' /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc d...
'<SYSTEM32>\cmd.exe' /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc ...
'<SYSTEM32>\cmd.exe' /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusb...
'<SYSTEM32>\cmd.exe' /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDA...
'<SYSTEM32>\cmd.exe' /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop ...
'<SYSTEM32>\cmd.exe' /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Servi...
'<SYSTEM32>\sc.exe' delete "XT800Service_Personal"
'<SYSTEM32>\cmd.exe' /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer ...
'<SYSTEM32>\sc.exe' delete SQLSERVERAGENT
'<SYSTEM32>\cmd.exe' /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete Qc...
'<SYSTEM32>\sc.exe' delete SQLWriter
'<SYSTEM32>\sc.exe' delete MSSQLFDLauncher
'<SYSTEM32>\sc.exe' delete MSSQLSERVER
'<SYSTEM32>\sc.exe' delete QcSoftService
'<SYSTEM32>\sc.exe' delete OracleOraDb11g_home1ClrAgent
'<SYSTEM32>\sc.exe' delete OracleOraDb11g_home1TNSListener
'<SYSTEM32>\sc.exe' delete MSSQLServerOLAPService
'<SYSTEM32>\sc.exe' delete OracleVssWriterORCL
'<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingser...
'<SYSTEM32>\sc.exe' delete OracleServiceORCL
'<SYSTEM32>\sc.exe' delete SQLBrowser
'<SYSTEM32>\sc.exe' delete EnergyDataService
'<SYSTEM32>\net1.exe' stop U8WorkerService2
'<SYSTEM32>\net1.exe' stop MSExchangeAntispamUpdate
'<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_ma...
'<SYSTEM32>\sc.exe' delete "Flash Helper Service"
'<SYSTEM32>\sc.exe' delete RTCDATAMCU
'<SYSTEM32>\net1.exe' stop xenlite
'<SYSTEM32>\net1.exe' stop MSComplianceAudit
'<SYSTEM32>\sc.exe' delete wwbizsrv
'<SYSTEM32>\net1.exe' stop wanxiao-monitor
'<SYSTEM32>\sc.exe' delete RabbitMQ
'<SYSTEM32>\net1.exe' stop XenSvc
'<SYSTEM32>\sc.exe' delete allpass_redisservice_port21160
'<SYSTEM32>\net1.exe' stop VMAuthdService
'<SYSTEM32>\net1.exe' stop MSExchangeADTopology
'<SYSTEM32>\net1.exe' stop Apache2.2
'<SYSTEM32>\sc.exe' delete "Kiwi Syslog Server"
'<SYSTEM32>\sc.exe' delete RTCCDR
'<SYSTEM32>\sc.exe' delete qemu-ga
'<SYSTEM32>\net1.exe' stop "Synology Drive VSS Service x64"
'<SYSTEM32>\sc.exe' delete "UWS HiPriv Services"
'<SYSTEM32>\sc.exe' delete "AHS SERVICE"
'<SYSTEM32>\net1.exe' stop mysqltransport
'<SYSTEM32>\sc.exe' delete UIODetect
'<SYSTEM32>\net1.exe' stop WebAttendServer
'<SYSTEM32>\sc.exe' delete WebAttendServer
'<SYSTEM32>\net1.exe' stop UFIDAWebService
'<SYSTEM32>\net1.exe' stop Realtek11nSU
'<SYSTEM32>\sc.exe' delete RTCATS
'<SYSTEM32>\sc.exe' delete UI0Detect
'<SYSTEM32>\net1.exe' stop HaoZipSvc
'<SYSTEM32>\net1.exe' stop VMwareHostd
'<SYSTEM32>\sc.exe' delete RTCAVMCU
'<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill...
'<SYSTEM32>\net1.exe' stop "memcached Server"
'<SYSTEM32>\sc.exe' delete K3MobileService
'<SYSTEM32>\sc.exe' delete "ZTE USBIP Client"
'<SYSTEM32>\sc.exe' delete TeamViewer
'<SYSTEM32>\sc.exe' delete RtcQms
'<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @t...
'<SYSTEM32>\sc.exe' delete RTCMEETINGMCU
'<SYSTEM32>\net1.exe' stop TeamViewer8
'<SYSTEM32>\net1.exe' stop Apache2.4
'<SYSTEM32>\net1.exe' stop "igfxCUIService2.0.0.0"
'<SYSTEM32>\sc.exe' delete RTCIMMCU
'<SYSTEM32>\sc.exe' delete ReportServer
'<SYSTEM32>\net1.exe' stop VMUSBArbService
'<SYSTEM32>\sc.exe' delete "ZTE FileTranS"
'<SYSTEM32>\sc.exe' delete TCPIDDAService
'<SYSTEM32>\sc.exe' delete "wanxiao-monitor"
'<SYSTEM32>\net1.exe' stop "OracleOraDb10g_homeliSQL*Plus"

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial