Trojan.Encoder.43723

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'TriggerService' = '<Full path to file>'
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run] 'TriggerService' = '<Full path to file>'
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'TriggerServiceOnce' = '<Full path to file>'
[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'TriggerServiceOnce' = '<Full path to file>'
[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = ',<Full path to file>'
[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, <Full path to file>'

Creates or modifies the following files

<SYSTEM32>\tasks\triggerservice

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\TriggerService] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\TriggerService] 'ImagePath' = '<Full path to file>'

Creates the following services

'TriggerService' <Full path to file>

Creates the following files on removable media

<Drive name for removable media>:\wrar520.exe.trigger
<Drive name for removable media>:\dotnetfx45_full_setup.exe.trigger
<Drive name for removable media>:\jre-7u75-windows-i586-iftw.exe.trigger
<Drive name for removable media>:\skypesetup.exe.trigger
<Drive name for removable media>:\tcm851ax32.exe.trigger
<Drive name for removable media>:\winmine.exe.trigger

Modifies master boot record (MBR).

Malicious functions

Reads files which store third party applications passwords

%HOMEPATH%\desktop\dashborder_144.bmp
%HOMEPATH%\desktop\dashborder_120.bmp
%HOMEPATH%\desktop\default.bmp
%HOMEPATH%\desktop\dialmap.bmp
%HOMEPATH%\desktop\fi51.doc
%HOMEPATH%\desktop\glidescope_review_rev_010.docx
%HOMEPATH%\desktop\iisstart.htm
%HOMEPATH%\desktop\lisp_success.doc
%HOMEPATH%\desktop\nwfieldnotes1966.docx
%HOMEPATH%\desktop\ovp25012015.doc
%HOMEPATH%\desktop\split.avi
%HOMEPATH%\desktop\testee.cer
%HOMEPATH%\desktop\tree_view.htm

Modifies file system

Creates the following files

%APPDATA%\trig.bin
%APPDATA%\tipotest\config.txt
C:\$recycle.bin\s-1-5-21-4226853953-3309226944-3078887307-1000\desktop.ini.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\office64ww.msi.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\office64ww.xml.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\ose.exe.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\osetup.dll.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\owow64ww.cab.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\pidgenx.dll.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\pkeyconfig-office.xrm-ms.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\proplusww.msi.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\proplusww.xml.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\propsww.cab.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\propsww2.cab.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\setup.dll.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\setup.exe.trigger
C:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\excellr.cab.trigger
C:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\excelmui.msi.trigger
C:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\excelmui.xml.trigger
C:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\powerpointmui.msi.trigger
C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\powerpointmui.xml.trigger
C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\pptlr.cab.trigger
C:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\publishermui.msi.trigger
C:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\publishermui.xml.trigger
C:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\publr.cab.trigger
C:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\outlklr.cab.trigger
C:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\outlookmui.msi.trigger
C:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\outlookmui.xml.trigger
C:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\wordlr.cab.trigger
C:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\wordmui.msi.trigger
C:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\wordmui.xml.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proofing.msi.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proofing.xml.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.en\proof.cab.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.en\proof.msi.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.en\proof.xml.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.es\proof.cab.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.es\proof.msi.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.es\proof.xml.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.fr\proof.cab.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.fr\proof.msi.trigger
C:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.fr\proof.xml.trigger
C:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\inflr.cab.trigger
C:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\infopathmui.msi.trigger
C:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\infopathmui.xml.trigger
C:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\dcfmui.cab.trigger
C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\dcfmui.msi.trigger
C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\dcfmui.xml.trigger
C:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\onenotemui.msi.trigger
C:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\onenotemui.xml.trigger
C:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\onotelr.cab.trigger
C:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\groovelr.cab.trigger
C:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\groovemui.msi.trigger
C:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\groovemui.xml.trigger
C:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\osmmui.cab.trigger
C:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\osmmui.msi.trigger
C:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\osmmui.xml.trigger
C:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\osmuxmui.cab.trigger
C:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\osmuxmui.msi.trigger
C:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\osmuxmui.xml.trigger
C:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\branding.xml.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\officelr.cab.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\officemui.msi.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\officemui.xml.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\officemuiset.msi.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\officemuiset.xml.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\offsetlr.cab.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\osetupui.dll.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\pss10r.chm.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\setup.chm.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\shellui.mst.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\office64mui.msi.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\office64mui.xml.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\office64muiset.msi.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\office64muiset.xml.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\owow64lr.cab.trigger
C:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\accessmuiset.msi.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\accessmuiset.xml.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\accessmui.msi.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\accessmui.xml.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\acclr.cab.trigger
C:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\branding.xml.trigger
C:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\lyncmui.cab.trigger
C:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\lyncmui.msi.trigger
C:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\lyncmui.xml.trigger
C:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\setup.xml.trigger
C:\users\desktop.ini.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acrordrdcupd1501020060.msp.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acroread.msi.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\data1.cab.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\setup.exe.trigger
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\setup.ini.trigger
%ALLUSERSPROFILE%\microsoft\appv\setup\officeintegrator.ps1.trigger
%ALLUSERSPROFILE%\microsoft\crypto\systemkeys\d3c41fa3acf8a2df1a3b10b0caaa8cff_8cf7b530-613e-439b-a8c5-ccfc0e745400.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-us\resource.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml.trigger
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-us\resource.xml.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\eventstore.db.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\osver.txt.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\parse.dat.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\downloadedsettings\telemetry.asm-windowsdefault.json.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\downloadedsettings\utc.allow.json.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\downloadedsettings\utc.app.json.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\downloadedsettings\utc.privacy.json.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\downloadedsettings\utc.tracing.json.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\scenariossqlstore\eventstore.db.trigger
%ALLUSERSPROFILE%\microsoft\diagnosis\tenantstorage\p-aria\eventstore.db.trigger
%ALLUSERSPROFILE%\microsoft\diagnosticlogcsp\collectors\diagnosticlogcsp_collector_deviceprovisioning_2024_8_11_18_45_22.etl.trigger
%ALLUSERSPROFILE%\microsoft\diagnosticlogcsp\collectors\diagnosticlogcsp_collector_deviceprovisioning_2024_8_11_18_5_7.etl.trigger
%ALLUSERSPROFILE%\microsoft\diagnosticlogcsp\collectors\diagnosticlogcsp_collector_deviceprovisioning_2024_8_11_18_6_21.etl.trigger
%ALLUSERSPROFILE%\microsoft\identitycrl\int\wlidsvcconfig.xml.trigger
%ALLUSERSPROFILE%\microsoft\identitycrl\production\wlidsvcconfig.xml.trigger
%ALLUSERSPROFILE%\microsoft\mf\active.grl.trigger
%ALLUSERSPROFILE%\microsoft\mf\pending.grl.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\edb.chk.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\edb.log.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\edbres00001.jrs.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\edbres00002.jrs.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\edbtmp.log.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\qmgr.db.trigger
%ALLUSERSPROFILE%\microsoft\network\downloader\qmgr.jfm.trigger
%ALLUSERSPROFILE%\microsoft\office\assetlibrary.ico.trigger
%ALLUSERSPROFILE%\microsoft\office\documentrepository.ico.trigger
%ALLUSERSPROFILE%\microsoft\office\mysharepoints.ico.trigger
%ALLUSERSPROFILE%\microsoft\office\mysite.ico.trigger
%ALLUSERSPROFILE%\microsoft\office\sharepointportalsite.ico.trigger
%ALLUSERSPROFILE%\microsoft\office\sharepointteamsite.ico.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edb.chk.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edb.log.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edb00002.log.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edbres00001.jrs.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edbres00002.jrs.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\edbtmp.log.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\smsinterceptstore.db.trigger
%ALLUSERSPROFILE%\microsoft\smsrouter\messagestore\smsinterceptstore.jfm.trigger
%ALLUSERSPROFILE%\microsoft\storage health\storagehealthmodel.dat.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\desktopsettings2013.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\easeofaccesssettings2013.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftinternetexplorer2013.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftinternetexplorer2013backup.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftlync2010.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftlync2013win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftlync2013win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftnotepad.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2010win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2010win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013backupwin32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013backupwin64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013office365win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013office365win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2013win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2016backupwin32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2016backupwin64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2016win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoffice2016win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoutlook2013cawin32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoutlook2013cawin64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoutlook2016cawin32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftoutlook2016cawin64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftskypeforbusiness2016win32.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftskypeforbusiness2016win64.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\microsoftwordpad.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\networkprinters.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\roamingcredentialsettings.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\themesettings2013.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\inboxtemplates\vdistate.xml.trigger
%ALLUSERSPROFILE%\microsoft\uev\scripts\registerinboxtemplates.ps1.trigger
%ALLUSERSPROFILE%\microsoft\uev\templates\settingslocationtemplate.xsd.trigger
%ALLUSERSPROFILE%\microsoft\uev\templates\settingslocationtemplate2013.xsd.trigger
%ALLUSERSPROFILE%\microsoft\uev\templates\settingslocationtemplate2013a.xsd.trigger
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch.trigger
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch.trigger
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch.trigger
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol.trigger
%ALLUSERSPROFILE%\microsoft help\ms.databasecompare.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.excel.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.graph.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.lync.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.lync_basic.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.lync_online.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.msaccess.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.msouc.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.mspub.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.onenote.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.outlook.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.powerpnt.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.setlang.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.skypefb.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.skypefb_basic.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.skypefb_online.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.skypefb_onlineg.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.spreadsheetcompare.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\ms.winword.16.1033.hxn.trigger
%ALLUSERSPROFILE%\microsoft help\nslist.hxl.trigger
%ALLUSERSPROFILE%\mozilla\profile_count_308046b0af4a39cb.json.trigger
%ALLUSERSPROFILE%\mozilla\uninstall_ping_308046b0af4a39cb_2e7ebf48-2503-4ffa-a4d1-c79a82df0a6b.json.trigger
%ALLUSERSPROFILE%\mozilla\updates\308046b0af4a39cb\update-config.json.trigger
%ALLUSERSPROFILE%\mozilla\updates\d78bf5dd33499ec2\update-config.json.trigger
%ALLUSERSPROFILE%\oracle\java\installcache_x64\baseimagefam8.trigger
%ALLUSERSPROFILE%\oracle\java\javapath\java.exe.trigger
%ALLUSERSPROFILE%\oracle\java\javapath\javaw.exe.trigger
%ALLUSERSPROFILE%\oracle\java\javapath\javaws.exe.trigger
%ALLUSERSPROFILE%\package cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe.trigger
%ALLUSERSPROFILE%\package cache\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\packages\vcruntimeminimum_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\packages\vcruntimeminimum_x86\vc_runtimeminimum_x86.msi.trigger
%ALLUSERSPROFILE%\package cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\vc_redist.x64.exe.trigger
%ALLUSERSPROFILE%\package cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe.trigger
%ALLUSERSPROFILE%\package cache\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\packages\vcruntimeadditional_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\packages\vcruntimeadditional_amd64\vc_runtimeadditional_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\vc_redist.x86.exe.trigger
%ALLUSERSPROFILE%\package cache\{42667d2e-b054-46c1-9d46-2ee1332c14c1}v14.29.30133\packages\vcruntimeadditional_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{42667d2e-b054-46c1-9d46-2ee1332c14c1}v14.29.30133\packages\vcruntimeadditional_x86\vc_runtimeadditional_x86.msi.trigger
%ALLUSERSPROFILE%\package cache\{6cd9e9ed-906d-4196-8dc3-f987d2f6615f}v14.29.30133\packages\vcruntimeminimum_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{6cd9e9ed-906d-4196-8dc3-f987d2f6615f}v14.29.30133\packages\vcruntimeminimum_amd64\vc_runtimeminimum_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\packages\vcruntimeadditional_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\packages\vcruntimeadditional_amd64\vc_runtimeadditional_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\packages\vcruntimeminimum_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\packages\vcruntimeminimum_amd64\vc_runtimeminimum_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\packages\vcruntimeadditional_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\packages\vcruntimeadditional_x86\vc_runtimeadditional_x86.msi.trigger
%ALLUSERSPROFILE%\package cache\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\packages\vcruntimeminimum_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\packages\vcruntimeminimum_x86\vc_runtimeminimum_x86.msi.trigger
%ALLUSERSPROFILE%\package cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe.trigger
%ALLUSERSPROFILE%\package cache\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\packages\vcruntimeminimum_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\packages\vcruntimeminimum_amd64\vc_runtimeminimum_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{e699e009-1c3c-4e50-9b57-2b39f0954c7f}v14.29.30133\packages\vcruntimeadditional_amd64\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{e699e009-1c3c-4e50-9b57-2b39f0954c7f}v14.29.30133\packages\vcruntimeadditional_amd64\vc_runtimeadditional_x64.msi.trigger
%ALLUSERSPROFILE%\package cache\{ec9807de-b577-47b1-a024-0251805acf24}v14.29.30133\packages\vcruntimeminimum_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{ec9807de-b577-47b1-a024-0251805acf24}v14.29.30133\packages\vcruntimeminimum_x86\vc_runtimeminimum_x86.msi.trigger
%ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm.trigger
%ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe.trigger
%ALLUSERSPROFILE%\package cache\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\packages\vcruntimeadditional_x86\cab1.cab.trigger
%ALLUSERSPROFILE%\package cache\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\packages\vcruntimeadditional_x86\vc_runtimeadditional_x86.msi.trigger
%ALLUSERSPROFILE%\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag.trigger
%ALLUSERSPROFILE%\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_windows-10-pro.swidtag.trigger
C:\users\default\ntuser.dat.log1.trigger
C:\users\default\ntuser.dat.log2.trigger
C:\users\default\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.tm.blf.trigger
C:\users\default\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.tmcontainer00000000000000000001.regtrans-ms.trigger
C:\users\default\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.tmcontainer00000000000000000002.regtrans-ms.trigger
C:\users\public\desktop.ini.trigger
C:\users\public\accountpictures\desktop.ini.trigger
C:\users\public\desktop\acrobat reader dc.lnk.trigger
C:\users\public\desktop\desktop.ini.trigger
C:\users\public\desktop\firefox.lnk.trigger
C:\users\public\desktop\microsoft edge.lnk.trigger
C:\users\public\desktop\mozilla thunderbird.lnk.trigger
C:\users\public\desktop\opera.lnk.trigger
C:\users\public\desktop\steam.lnk.trigger
C:\users\public\documents\desktop.ini.trigger
C:\users\public\downloads\desktop.ini.trigger
C:\users\public\libraries\desktop.ini.trigger
C:\users\public\libraries\recordedtv.library-ms.trigger
C:\users\public\music\desktop.ini.trigger
C:\users\public\pictures\desktop.ini.trigger
C:\users\public\videos\desktop.ini.trigger
%HOMEPATH%\ntuser.ini.trigger
%HOMEPATH%\.oracle_jre_usage\90737d32e3aba6b.timestamp.trigger
%HOMEPATH%\3d objects\desktop.ini.trigger
%HOMEPATH%\contacts\desktop.ini.trigger
%HOMEPATH%\desktop\chromesetup.exe.trigger
%HOMEPATH%\desktop\desktop.ini.trigger
%HOMEPATH%\desktop\google chrome.lnk.trigger
%HOMEPATH%\desktop\jre-7u75-windows-i586-iftw.exe.trigger
%HOMEPATH%\desktop\skypesetup.exe.trigger
%HOMEPATH%\desktop\telegram.lnk.trigger
%HOMEPATH%\documents\desktop.ini.trigger
%HOMEPATH%\downloads\desktop.ini.trigger
%HOMEPATH%\favorites\bing.url.trigger
%HOMEPATH%\favorites\desktop.ini.trigger
%HOMEPATH%\favorites\links\desktop.ini.trigger
%HOMEPATH%\links\desktop.ini.trigger
%HOMEPATH%\links\desktop.lnk.trigger
%HOMEPATH%\links\downloads.lnk.trigger
%HOMEPATH%\music\desktop.ini.trigger
%HOMEPATH%\pictures\desktop.ini.trigger
%HOMEPATH%\pictures\camera roll\desktop.ini.trigger
%HOMEPATH%\saved games\desktop.ini.trigger
%HOMEPATH%\searches\desktop.ini.trigger
%HOMEPATH%\searches\everywhere.search-ms.trigger
%HOMEPATH%\searches\indexed locations.search-ms.trigger
%HOMEPATH%\searches\winrt--{s-1-5-21-4226853953-3309226944-3078887307-1000}-.searchconnector-ms.trigger
%HOMEPATH%\videos\desktop.ini.trigger
D:\$recycle.bin\s-1-5-21-4226853953-3309226944-3078887307-1000\desktop.ini.trigger

Modifies the following files

%LOCALAPPDATA%\microsoft\windows\explorer\thumbcache_idx.db

Changes user data files extensions (Trojan.Encoder).

Network activity

UDP

DNS ASK google.com
DNS ASK fi#####.###tings.services.mozilla.com
DNS ASK ap#.#pify.org

Miscellaneous

Executes the following

'%WINDIR%\syswow64\schtasks.exe' /Create /SC ONLOGON /TN "TriggerService" /TR "\"<Full path to file>\"" /RL HIGHEST /RU SYSTEM /F
'%WINDIR%\syswow64\sc.exe' create "TriggerService" binPath= "<Full path to file>" start= auto

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial