Trojan.AutoIt.289

Added to the Dr.Web virus database: 2018-12-19

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Realtek HD Audio' = '%PROGRAMDATA%\RealtekHD\taskhostw.exe'
Malicious functions
To complicate detection of its presence in the operating system,
forces the system to hide from view:
  • hidden files
Modifies file system
Creates the following files
  • %TEMP%\autd577.tmp
  • %PROGRAMDATA%\rundll\pcreposix-0.dll
  • %PROGRAMDATA%\rundll\pcrecpp-0.dll
  • %PROGRAMDATA%\rundll\pcre-0.dll
  • %PROGRAMDATA%\rundll\pcla-0.dll
  • %PROGRAMDATA%\rundll\msvcp140.dll
  • %PROGRAMDATA%\rundll\mfcm140u.dll
  • %PROGRAMDATA%\rundll\mfcm140.dll
  • %PROGRAMDATA%\rundll\mfc140rus.dll
  • %PROGRAMDATA%\rundll\mfc140kor.dll
  • %PROGRAMDATA%\rundll\mfc140jpn.dll
  • %PROGRAMDATA%\rundll\mfc140ita.dll
  • %PROGRAMDATA%\rundll\mfc140fra.dll
  • %PROGRAMDATA%\rundll\posh.dll
  • %PROGRAMDATA%\rundll\posh-0.dll
  • %PROGRAMDATA%\rundll\mfc140deu.dll
  • %PROGRAMDATA%\rundll\mfc140cht.dll
  • %PROGRAMDATA%\rundll\mfc140chs.dll
  • %PROGRAMDATA%\rundll\libxml2.dll
  • %PROGRAMDATA%\rundll\libiconv-2.dll
  • %PROGRAMDATA%\rundll\libeay32.dll
  • %PROGRAMDATA%\rundll\libcurl.dll
  • %PROGRAMDATA%\rundll\iconv.dll
  • %PROGRAMDATA%\rundll\exma.dll
  • %PROGRAMDATA%\rundll\exma-1.dll
  • %PROGRAMDATA%\rundll\etebcore-2.x86.dll
  • %PROGRAMDATA%\rundll\etebcore-2.x64.dll
  • %PROGRAMDATA%\rundll\mfc140esn.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-localization-l1-2-0.dll
  • %PROGRAMDATA%\rundll\riar-2.dll
  • %PROGRAMDATA%\windowstask\microsofthost.exe
  • %PROGRAMDATA%\windowstask\scandll.dat
  • %PROGRAMDATA%\rundll\start.vbs
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.fb
  • %PROGRAMDATA%\rundll\zlib1.dll
  • %PROGRAMDATA%\rundll\zibe.dll
  • %PROGRAMDATA%\rundll\xdvl-0.dll
  • %PROGRAMDATA%\rundll\x86.dll
  • %PROGRAMDATA%\rundll\x64.dll
  • %PROGRAMDATA%\rundll\vcruntime140.dll
  • %PROGRAMDATA%\rundll\vcomp140.dll
  • %PROGRAMDATA%\rundll\vccorlib140.dll
  • %PROGRAMDATA%\rundll\vcamp140.dll
  • %PROGRAMDATA%\rundll\ucrtbase.dll
  • %PROGRAMDATA%\rundll\ucl.dll
  • %PROGRAMDATA%\rundll\tucl.dll
  • %PROGRAMDATA%\rundll\tucl-1.dll
  • %PROGRAMDATA%\rundll\trfo.dll
  • %PROGRAMDATA%\rundll\trfo-2.dll
  • %PROGRAMDATA%\rundll\trfo-0.dll
  • %PROGRAMDATA%\rundll\trch.dll
  • %PROGRAMDATA%\rundll\trch-1.dll
  • %PROGRAMDATA%\rundll\trch-0.dll
  • %PROGRAMDATA%\rundll\tibe.dll
  • %PROGRAMDATA%\rundll\tibe-2.dll
  • %PROGRAMDATA%\rundll\tibe-1.dll
  • %PROGRAMDATA%\rundll\ssleay32.dll
  • %PROGRAMDATA%\rundll\eteb-2.dll
  • %PROGRAMDATA%\rundll\mfc140enu.dll
  • %PROGRAMDATA%\rundll\etchcore-0.x86.dll
  • %PROGRAMDATA%\rundll\etchcore-0.x64.dll
  • %PROGRAMDATA%\rundll\etch-0.dll
  • %PROGRAMDATA%\rundll\scan.txt
  • %PROGRAMDATA%\rundll\adfw-2.dll
  • %PROGRAMDATA%\rundll\2x86.dll
  • %PROGRAMDATA%\rundll\2x64.dll
  • %PROGRAMDATA%\rundll\system.exe
  • %PROGRAMDATA%\rundll\start.exe
  • %PROGRAMDATA%\rundll\rundll.exe
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.exe
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.exe
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.xml
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.skeleton.xml
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.xml
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.skeleton.xml
  • %PROGRAMDATA%\windowstask\scaner.dat
  • %PROGRAMDATA%\rundll\api-ms-win-core-file-l1-2-0.dll
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
  • %APPDATA%\microsoft\windows\cookies\low\index.dat
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x7ua0tm\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\39hwi0wl\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o9onj1qo\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wsing5k9\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %PROGRAMDATA%\windowstask\winlogon.exe
  • %PROGRAMDATA%\rundll\result.txt
  • %PROGRAMDATA%\rundll\riar.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-file-l2-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-synch-l1-2-0.dll
  • %PROGRAMDATA%\rundll\adfw.dll
  • %PROGRAMDATA%\rundll\esco-0.dll
  • %PROGRAMDATA%\rundll\dmgd-4.dll
  • %PROGRAMDATA%\rundll\dmgd-1.dll
  • %PROGRAMDATA%\rundll\crli-0.dll
  • %PROGRAMDATA%\rundll\concrt140.dll
  • %PROGRAMDATA%\rundll\coli-0.dll
  • %PROGRAMDATA%\rundll\cnli-1.dll
  • %PROGRAMDATA%\rundll\cnli-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-eventing-provider-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-utility-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-time-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-string-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-stdio-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-runtime-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-process-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-private-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-multibyte-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-math-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-locale-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-heap-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-filesystem-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-environment-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-convert-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-conio-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-xstate-l2-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-timezone-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-processthreads-l1-1-1.dll
  • %PROGRAMDATA%\windowstask\audiodg.exe
Sets the 'hidden' attribute to the following files
  • %PROGRAMDATA%\windowstask\winlogon.exe
  • %PROGRAMDATA%\rundll\riar.dll
  • %PROGRAMDATA%\rundll\riar-2.dll
  • %PROGRAMDATA%\rundll\posh.dll
  • %PROGRAMDATA%\rundll\posh-0.dll
  • %PROGRAMDATA%\rundll\pcreposix-0.dll
  • %PROGRAMDATA%\rundll\pcrecpp-0.dll
  • %PROGRAMDATA%\rundll\pcre-0.dll
  • %PROGRAMDATA%\rundll\pcla-0.dll
  • %PROGRAMDATA%\rundll\msvcp140.dll
  • %PROGRAMDATA%\rundll\mfcm140u.dll
  • %PROGRAMDATA%\rundll\mfcm140.dll
  • %PROGRAMDATA%\rundll\mfc140rus.dll
  • %PROGRAMDATA%\rundll\rundll.exe
  • %PROGRAMDATA%\rundll\mfc140kor.dll
  • %PROGRAMDATA%\rundll\mfc140ita.dll
  • %PROGRAMDATA%\rundll\mfc140fra.dll
  • %PROGRAMDATA%\rundll\mfc140esn.dll
  • %PROGRAMDATA%\rundll\mfc140enu.dll
  • %PROGRAMDATA%\rundll\mfc140deu.dll
  • %PROGRAMDATA%\rundll\mfc140cht.dll
  • %PROGRAMDATA%\rundll\mfc140chs.dll
  • %PROGRAMDATA%\rundll\libxml2.dll
  • %PROGRAMDATA%\rundll\libiconv-2.dll
  • %PROGRAMDATA%\rundll\libeay32.dll
  • %PROGRAMDATA%\rundll\libcurl.dll
  • %PROGRAMDATA%\rundll\iconv.dll
  • %PROGRAMDATA%\rundll\mfc140jpn.dll
  • %PROGRAMDATA%\rundll\tucl.dll
  • %PROGRAMDATA%\windowstask\microsofthost.exe
  • %PROGRAMDATA%\rundll\start.exe
  • %PROGRAMDATA%\windowstask\scandll.exe
  • %PROGRAMDATA%\windowstask\scandll.dat
  • %PROGRAMDATA%\rundll\zlib1.dll
  • %PROGRAMDATA%\rundll\zibe.dll
  • %PROGRAMDATA%\rundll\xdvl-0.dll
  • %PROGRAMDATA%\rundll\x86.dll
  • %PROGRAMDATA%\rundll\x64.dll
  • %PROGRAMDATA%\rundll\vcruntime140.dll
  • %PROGRAMDATA%\rundll\vcomp140.dll
  • %PROGRAMDATA%\rundll\vccorlib140.dll
  • %PROGRAMDATA%\rundll\vcamp140.dll
  • %PROGRAMDATA%\rundll\ucrtbase.dll
  • %PROGRAMDATA%\rundll\exma.dll
  • %PROGRAMDATA%\rundll\ucl.dll
  • %PROGRAMDATA%\rundll\tucl-1.dll
  • %PROGRAMDATA%\rundll\trfo.dll
  • %PROGRAMDATA%\rundll\trfo-2.dll
  • %PROGRAMDATA%\rundll\trfo-0.dll
  • %PROGRAMDATA%\rundll\trch.dll
  • %PROGRAMDATA%\rundll\trch-1.dll
  • %PROGRAMDATA%\rundll\trch-0.dll
  • %PROGRAMDATA%\rundll\tibe.dll
  • %PROGRAMDATA%\rundll\tibe-2.dll
  • %PROGRAMDATA%\rundll\tibe-1.dll
  • %PROGRAMDATA%\rundll\system.exe
  • %PROGRAMDATA%\rundll\start.vbs
  • %PROGRAMDATA%\rundll\scan.txt
  • %PROGRAMDATA%\rundll\ssleay32.dll
  • %PROGRAMDATA%\rundll\exma-1.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-multibyte-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-heap-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-filesystem-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-environment-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-convert-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-conio-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-xstate-l2-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-timezone-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-synch-l1-2-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-processthreads-l1-1-1.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-localization-l1-2-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-file-l2-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-core-file-l1-2-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-locale-l1-1-0.dll
  • %PROGRAMDATA%\rundll\adfw.dll
  • %PROGRAMDATA%\rundll\2x86.dll
  • %PROGRAMDATA%\rundll\2x64.dll
  • %PROGRAMDATA%\windowstask\scaner.exe
  • %PROGRAMDATA%\windowstask\scaner.dat
  • %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x7ua0tm\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\39hwi0wl\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o9onj1qo\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wsing5k9\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %PROGRAMDATA%\rundll\adfw-2.dll
  • %PROGRAMDATA%\rundll\dmgd-1.dll
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.skeleton.xml
  • %PROGRAMDATA%\rundll\api-ms-win-crt-private-l1-1-0.dll
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.fb
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.exe
  • %PROGRAMDATA%\rundll\etebcore-2.x86.dll
  • %PROGRAMDATA%\rundll\etebcore-2.x64.dll
  • %PROGRAMDATA%\rundll\eteb-2.dll
  • %PROGRAMDATA%\rundll\etchcore-0.x86.dll
  • %PROGRAMDATA%\rundll\etchcore-0.x64.dll
  • %PROGRAMDATA%\rundll\etch-0.dll
  • %PROGRAMDATA%\rundll\esco-0.dll
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.xml
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.skeleton.xml
  • %PROGRAMDATA%\rundll\doublepulsar-1.3.1.exe
  • %PROGRAMDATA%\rundll\eternalblue-2.2.0.xml
  • %PROGRAMDATA%\rundll\dmgd-4.dll
  • %PROGRAMDATA%\rundll\crli-0.dll
  • %PROGRAMDATA%\rundll\concrt140.dll
  • %PROGRAMDATA%\rundll\coli-0.dll
  • %PROGRAMDATA%\rundll\cnli-1.dll
  • %PROGRAMDATA%\rundll\cnli-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-eventing-provider-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-utility-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-time-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-string-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-stdio-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-runtime-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-process-l1-1-0.dll
  • %PROGRAMDATA%\rundll\api-ms-win-crt-math-l1-1-0.dll
  • %PROGRAMDATA%\windowstask\audiodg.exe
Deletes the following files
  • %TEMP%\autd577.tmp
  • <SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask
  • <SYSTEM32>\tasks\adobe acrobat update task
  • %WINDIR%\tasks\adobe flash player updater.job
  • <SYSTEM32>\tasks\adobe flash player updater
  • %PROGRAMDATA%\windowstask\scaner.exe
  • %PROGRAMDATA%\windowstask\scandll.exe
  • %PROGRAMDATA%\rundll\result.txt
Moves the following files
  • from %PROGRAMDATA%\windowstask\scaner.dat to %PROGRAMDATA%\windowstask\scaner.exe
  • from %PROGRAMDATA%\windowstask\scandll.dat to %PROGRAMDATA%\windowstask\scandll.exe
Substitutes the following files
  • %PROGRAMDATA%\ntuser.pol
  • %HOMEPATH%\ntuser.pol
  • %PROGRAMDATA%\rundll\result.txt
Network activity
Connects to
  • '<LOCALNET>.1.47':445
  • '<LOCALNET>.2.192':445
  • '<LOCALNET>.2.193':445
  • '<LOCALNET>.2.194':445
  • '<LOCALNET>.2.195':445
  • '<LOCALNET>.2.189':445
  • '<LOCALNET>.2.196':445
  • '<LOCALNET>.2.191':445
  • '<LOCALNET>.2.198':445
  • '<LOCALNET>.2.200':445
  • '<LOCALNET>.2.201':445
  • '<LOCALNET>.2.202':445
  • '<LOCALNET>.2.203':445
  • '<LOCALNET>.2.197':445
  • '<LOCALNET>.2.187':445
  • '<LOCALNET>.2.199':445
  • '<LOCALNET>.2.190':445
  • '<LOCALNET>.2.188':445
  • '<LOCALNET>.2.186':445
  • '<LOCALNET>.2.174':445
  • '<LOCALNET>.2.175':445
  • '<LOCALNET>.2.176':445
  • '<LOCALNET>.2.177':445
  • '<LOCALNET>.2.178':445
  • '<LOCALNET>.2.179':445
  • '<LOCALNET>.2.180':445
  • '<LOCALNET>.2.181':445
  • '<LOCALNET>.2.182':445
  • '<LOCALNET>.2.183':445
  • '<LOCALNET>.2.184':445
  • '<LOCALNET>.2.185':445
  • '<LOCALNET>.2.204':445
  • '<LOCALNET>.2.171':445
  • '<LOCALNET>.2.205':445
  • '<LOCALNET>.2.149':445
  • '<LOCALNET>.2.206':445
  • '<LOCALNET>.2.227':445
  • '<LOCALNET>.2.209':445
  • '<LOCALNET>.2.229':445
  • '<LOCALNET>.2.230':445
  • '<LOCALNET>.2.231':445
  • '<LOCALNET>.2.232':445
  • '<LOCALNET>.2.233':445
  • '<LOCALNET>.2.234':445
  • '<LOCALNET>.2.235':445
  • '<LOCALNET>.2.236':445
  • '<LOCALNET>.2.237':445
  • '<LOCALNET>.2.238':445
  • '<LOCALNET>.2.239':445
  • '<LOCALNET>.2.240':445
  • '<LOCALNET>.2.241':445
  • '<LOCALNET>.2.226':445
  • '<LOCALNET>.2.225':445
  • '<LOCALNET>.2.228':445
  • '<LOCALNET>.2.173':445
  • '<LOCALNET>.2.170':445
  • '<LOCALNET>.2.207':445
  • '<LOCALNET>.2.210':445
  • '<LOCALNET>.2.211':445
  • '<LOCALNET>.2.212':445
  • '<LOCALNET>.2.213':445
  • '<LOCALNET>.2.214':445
  • '<LOCALNET>.2.215':445
  • '<LOCALNET>.2.216':445
  • '<LOCALNET>.2.217':445
  • '<LOCALNET>.2.218':445
  • '<LOCALNET>.2.219':445
  • '<LOCALNET>.2.220':445
  • '<LOCALNET>.2.221':445
  • '<LOCALNET>.2.222':445
  • '<LOCALNET>.2.224':445
  • '<LOCALNET>.2.208':445
  • '<LOCALNET>.2.223':445
  • '<LOCALNET>.2.172':445
  • '<LOCALNET>.2.169':445
  • '<LOCALNET>.2.168':445
  • '<LOCALNET>.2.117':445
  • '<LOCALNET>.2.118':445
  • '<LOCALNET>.2.119':445
  • '<LOCALNET>.2.120':445
  • '<LOCALNET>.2.121':445
  • '<LOCALNET>.2.122':445
  • '<LOCALNET>.2.123':445
  • '<LOCALNET>.2.124':445
  • '<LOCALNET>.2.125':445
  • '<LOCALNET>.2.126':445
  • '<LOCALNET>.2.127':445
  • '<LOCALNET>.2.128':445
  • '<LOCALNET>.2.113':445
  • '<LOCALNET>.2.111':445
  • '<LOCALNET>.2.242':445
  • '<LOCALNET>.2.116':445
  • '<LOCALNET>.2.130':445
  • '<LOCALNET>.2.115':445
  • '<LOCALNET>.2.112':445
  • '<LOCALNET>.2.97':445
  • '<LOCALNET>.2.98':445
  • '<LOCALNET>.2.99':445
  • '<LOCALNET>.2.100':445
  • '<LOCALNET>.2.101':445
  • '<LOCALNET>.2.95':445
  • '<LOCALNET>.2.102':445
  • '<LOCALNET>.2.104':445
  • '<LOCALNET>.2.105':445
  • '<LOCALNET>.2.106':445
  • '<LOCALNET>.2.107':445
  • '<LOCALNET>.2.108':445
  • '<LOCALNET>.2.109':445
  • '<LOCALNET>.2.103':445
  • '<LOCALNET>.2.110':445
  • '<LOCALNET>.2.129':445
  • '<LOCALNET>.2.94':445
  • '<LOCALNET>.2.132':445
  • '<LOCALNET>.2.134':445
  • '<LOCALNET>.2.154':445
  • '<LOCALNET>.2.155':445
  • '<LOCALNET>.2.156':445
  • '<LOCALNET>.2.157':445
  • '<LOCALNET>.2.158':445
  • '<LOCALNET>.2.159':445
  • '<LOCALNET>.2.160':445
  • '<LOCALNET>.2.161':445
  • '<LOCALNET>.2.162':445
  • '<LOCALNET>.2.163':445
  • '<LOCALNET>.2.164':445
  • '<LOCALNET>.2.165':445
  • '<LOCALNET>.2.166':445
  • '<LOCALNET>.2.131':445
  • '<LOCALNET>.2.167':445
  • '<LOCALNET>.2.153':445
  • '<LOCALNET>.2.133':445
  • '<LOCALNET>.2.152':445
  • '<LOCALNET>.2.150':445
  • '<LOCALNET>.2.135':445
  • '<LOCALNET>.2.136':445
  • '<LOCALNET>.2.137':445
  • '<LOCALNET>.2.138':445
  • '<LOCALNET>.2.139':445
  • '<LOCALNET>.2.140':445
  • '<LOCALNET>.2.141':445
  • '<LOCALNET>.2.142':445
  • '<LOCALNET>.2.143':445
  • '<LOCALNET>.2.144':445
  • '<LOCALNET>.2.145':445
  • '<LOCALNET>.2.146':445
  • '<LOCALNET>.2.147':445
  • '<LOCALNET>.2.148':445
  • '<LOCALNET>.2.114':445
  • '<LOCALNET>.2.151':445
  • '<LOCALNET>.2.96':445
  • '<LOCALNET>.2.243':445
  • '<LOCALNET>.2.247':445
  • '<LOCALNET>.3.86':445
  • '<LOCALNET>.3.87':445
  • '<LOCALNET>.3.88':445
  • '<LOCALNET>.3.89':445
  • '<LOCALNET>.3.90':445
  • '<LOCALNET>.3.84':445
  • '<LOCALNET>.3.85':445
  • '<LOCALNET>.3.91':445
  • '<LOCALNET>.3.94':445
  • '<LOCALNET>.3.95':445
  • '<LOCALNET>.3.96':445
  • '<LOCALNET>.3.97':445
  • '<LOCALNET>.3.98':445
  • '<LOCALNET>.3.92':445
  • '<LOCALNET>.3.93':445
  • '<LOCALNET>.3.83':445
  • '<LOCALNET>.3.81':445
  • '<LOCALNET>.3.100':445
  • '<LOCALNET>.3.68':445
  • '<LOCALNET>.3.69':445
  • '<LOCALNET>.3.70':445
  • '<LOCALNET>.3.71':445
  • '<LOCALNET>.3.72':445
  • '<LOCALNET>.3.73':445
  • '<LOCALNET>.3.74':445
  • '<LOCALNET>.3.75':445
  • '<LOCALNET>.3.76':445
  • '<LOCALNET>.3.77':445
  • '<LOCALNET>.3.78':445
  • '<LOCALNET>.3.79':445
  • '<LOCALNET>.3.80':445
  • '<LOCALNET>.3.99':445
  • '<LOCALNET>.3.66':445
  • '<LOCALNET>.3.82':445
  • '<LOCALNET>.3.63':445
  • '<LOCALNET>.3.101':445
  • '<LOCALNET>.3.122':445
  • '<LOCALNET>.3.123':445
  • '<LOCALNET>.3.124':445
  • '<LOCALNET>.3.125':445
  • '<LOCALNET>.3.126':445
  • '<LOCALNET>.3.127':445
  • '<LOCALNET>.3.128':445
  • '<LOCALNET>.3.129':445
  • '<LOCALNET>.3.130':445
  • '<LOCALNET>.3.131':445
  • '<LOCALNET>.3.132':445
  • '<LOCALNET>.3.133':445
  • '<LOCALNET>.3.134':445
  • '<LOCALNET>.3.135':445
  • '<LOCALNET>.3.136':445
  • '<LOCALNET>.3.121':445
  • '<LOCALNET>.3.65':445
  • '<LOCALNET>.3.67':445
  • '<LOCALNET>.3.118':445
  • '<LOCALNET>.3.103':445
  • '<LOCALNET>.3.104':445
  • '<LOCALNET>.3.105':445
  • '<LOCALNET>.3.106':445
  • '<LOCALNET>.3.107':445
  • '<LOCALNET>.3.108':445
  • '<LOCALNET>.3.109':445
  • '<LOCALNET>.3.110':445
  • '<LOCALNET>.3.111':445
  • '<LOCALNET>.3.112':445
  • '<LOCALNET>.3.113':445
  • '<LOCALNET>.3.114':445
  • '<LOCALNET>.3.115':445
  • '<LOCALNET>.3.116':445
  • '<LOCALNET>.3.117':445
  • '<LOCALNET>.3.119':445
  • '<LOCALNET>.3.102':445
  • '<LOCALNET>.3.64':445
  • '<LOCALNET>.3.62':445
  • '<LOCALNET>.1.253':445
  • '<LOCALNET>.3.11':445
  • '<LOCALNET>.3.12':445
  • '<LOCALNET>.3.13':445
  • '<LOCALNET>.3.14':445
  • '<LOCALNET>.3.15':445
  • '<LOCALNET>.3.16':445
  • '<LOCALNET>.3.17':445
  • '<LOCALNET>.3.18':445
  • '<LOCALNET>.3.19':445
  • '<LOCALNET>.3.20':445
  • '<LOCALNET>.3.21':445
  • '<LOCALNET>.3.22':445
  • '<LOCALNET>.3.23':445
  • '<LOCALNET>.3.8':445
  • '<LOCALNET>.3.7':445
  • '<LOCALNET>.3.10':445
  • '<LOCALNET>.3.9':445
  • '<LOCALNET>.3.24':445
  • '<LOCALNET>.2.244':445
  • '<LOCALNET>.2.248':445
  • '<LOCALNET>.2.249':445
  • '<LOCALNET>.2.250':445
  • '<LOCALNET>.2.251':445
  • '<LOCALNET>.2.252':445
  • '<LOCALNET>.2.253':445
  • '<LOCALNET>.2.254':445
  • '<LOCALNET>.2.255':445
  • '<LOCALNET>.3.0':445
  • '<LOCALNET>.3.1':445
  • '<LOCALNET>.3.2':445
  • '<LOCALNET>.3.3':445
  • '<LOCALNET>.3.4':445
  • '<LOCALNET>.3.6':445
  • '<LOCALNET>.2.246':445
  • '<LOCALNET>.3.5':445
  • '<LOCALNET>.2.245':445
  • '<LOCALNET>.3.25':445
  • '<LOCALNET>.3.29':445
  • '<LOCALNET>.3.49':445
  • '<LOCALNET>.3.50':445
  • '<LOCALNET>.3.51':445
  • '<LOCALNET>.3.52':445
  • '<LOCALNET>.3.53':445
  • '<LOCALNET>.3.54':445
  • '<LOCALNET>.3.55':445
  • '<LOCALNET>.3.56':445
  • '<LOCALNET>.3.57':445
  • '<LOCALNET>.3.58':445
  • '<LOCALNET>.3.59':445
  • '<LOCALNET>.3.60':445
  • '<LOCALNET>.3.61':445
  • '<LOCALNET>.3.46':445
  • '<LOCALNET>.3.45':445
  • '<LOCALNET>.3.48':445
  • '<LOCALNET>.3.47':445
  • '<LOCALNET>.3.26':445
  • '<LOCALNET>.3.27':445
  • '<LOCALNET>.3.30':445
  • '<LOCALNET>.3.31':445
  • '<LOCALNET>.3.32':445
  • '<LOCALNET>.3.33':445
  • '<LOCALNET>.3.34':445
  • '<LOCALNET>.3.35':445
  • '<LOCALNET>.3.36':445
  • '<LOCALNET>.3.37':445
  • '<LOCALNET>.3.38':445
  • '<LOCALNET>.3.39':445
  • '<LOCALNET>.3.40':445
  • '<LOCALNET>.3.41':445
  • '<LOCALNET>.3.42':445
  • '<LOCALNET>.3.44':445
  • '<LOCALNET>.3.28':445
  • '<LOCALNET>.3.43':445
  • '<LOCALNET>.2.93':445
  • '<LOCALNET>.2.92':445
  • '<LOCALNET>.2.91':445
  • '<LOCALNET>.1.145':445
  • '<LOCALNET>.1.146':445
  • '<LOCALNET>.1.147':445
  • '<LOCALNET>.1.148':445
  • '<LOCALNET>.1.142':445
  • '<LOCALNET>.1.149':445
  • '<LOCALNET>.1.144':445
  • '<LOCALNET>.1.151':445
  • '<LOCALNET>.1.153':445
  • '<LOCALNET>.1.154':445
  • '<LOCALNET>.1.155':445
  • '<LOCALNET>.1.156':445
  • '<LOCALNET>.1.150':445
  • '<LOCALNET>.1.141':445
  • '<LOCALNET>.1.152':445
  • '<LOCALNET>.1.140':445
  • '<LOCALNET>.1.124':445
  • '<LOCALNET>.1.159':445
  • '<LOCALNET>.1.127':445
  • '<LOCALNET>.1.128':445
  • '<LOCALNET>.1.129':445
  • '<LOCALNET>.1.130':445
  • '<LOCALNET>.1.131':445
  • '<LOCALNET>.1.132':445
  • '<LOCALNET>.1.133':445
  • '<LOCALNET>.1.134':445
  • '<LOCALNET>.1.135':445
  • '<LOCALNET>.1.136':445
  • '<LOCALNET>.1.137':445
  • '<LOCALNET>.1.138':445
  • '<LOCALNET>.1.157':445
  • '<LOCALNET>.1.158':445
  • '<LOCALNET>.1.125':445
  • '<LOCALNET>.1.139':445
  • '<LOCALNET>.1.196':445
  • '<LOCALNET>.1.160':445
  • '<LOCALNET>.1.181':445
  • '<LOCALNET>.1.182':445
  • '<LOCALNET>.1.183':445
  • '<LOCALNET>.1.184':445
  • '<LOCALNET>.1.185':445
  • '<LOCALNET>.1.186':445
  • '<LOCALNET>.1.187':445
  • '<LOCALNET>.1.188':445
  • '<LOCALNET>.1.189':445
  • '<LOCALNET>.1.190':445
  • '<LOCALNET>.1.191':445
  • '<LOCALNET>.1.192':445
  • '<LOCALNET>.1.193':445
  • '<LOCALNET>.1.194':445
  • '<LOCALNET>.1.179':445
  • '<LOCALNET>.1.123':445
  • '<LOCALNET>.1.178':445
  • '<LOCALNET>.1.126':445
  • '<LOCALNET>.1.161':445
  • '<LOCALNET>.1.162':445
  • '<LOCALNET>.1.163':445
  • '<LOCALNET>.1.164':445
  • '<LOCALNET>.1.165':445
  • '<LOCALNET>.1.166':445
  • '<LOCALNET>.1.167':445
  • '<LOCALNET>.1.168':445
  • '<LOCALNET>.1.169':445
  • '<LOCALNET>.1.170':445
  • '<LOCALNET>.1.171':445
  • '<LOCALNET>.1.172':445
  • '<LOCALNET>.1.173':445
  • '<LOCALNET>.1.174':445
  • '<LOCALNET>.1.175':445
  • '<LOCALNET>.1.177':445
  • '<LOCALNET>.1.122':445
  • '<LOCALNET>.1.180':445
  • '<LOCALNET>.1.121':445
  • '<LOCALNET>.1.120':445
  • '<LOCALNET>.1.67':445
  • '<LOCALNET>.1.70':445
  • '<LOCALNET>.1.71':445
  • '<LOCALNET>.1.72':445
  • '<LOCALNET>.1.73':445
  • '<LOCALNET>.1.74':445
  • '<LOCALNET>.1.75':445
  • '<LOCALNET>.1.76':445
  • '<LOCALNET>.1.77':445
  • '<LOCALNET>.1.78':445
  • '<LOCALNET>.1.79':445
  • '<LOCALNET>.1.80':445
  • '<LOCALNET>.1.81':445
  • '<LOCALNET>.1.66':445
  • '<LOCALNET>.1.82':445
  • '<LOCALNET>.1.195':445
  • '<LOCALNET>.1.69':445
  • '<LOCALNET>.1.83':445
  • '<LOCALNET>.1.65':445
  • '<LOCALNET>.1.48':445
  • '<LOCALNET>.1.50':445
  • '<LOCALNET>.1.51':445
  • '<LOCALNET>.1.52':445
  • '<LOCALNET>.1.53':445
  • '<LOCALNET>.1.54':445
  • '<LOCALNET>.1.55':445
  • '<LOCALNET>.1.49':445
  • '<LOCALNET>.1.56':445
  • '<LOCALNET>.1.58':445
  • '<LOCALNET>.1.59':445
  • '<LOCALNET>.1.60':445
  • '<LOCALNET>.1.61':445
  • '<LOCALNET>.1.62':445
  • '<LOCALNET>.1.64':445
  • '<LOCALNET>.1.57':445
  • '<LOCALNET>.1.63':445
  • '<LOCALNET>.1.176':445
  • '<LOCALNET>.1.85':445
  • '<LOCALNET>.1.87':445
  • '<LOCALNET>.1.107':445
  • '<LOCALNET>.1.108':445
  • '<LOCALNET>.1.109':445
  • '<LOCALNET>.1.110':445
  • '<LOCALNET>.1.111':445
  • '<LOCALNET>.1.112':445
  • '<LOCALNET>.1.113':445
  • '<LOCALNET>.1.114':445
  • '<LOCALNET>.1.115':445
  • '<LOCALNET>.1.116':445
  • '<LOCALNET>.1.117':445
  • '<LOCALNET>.1.118':445
  • '<LOCALNET>.1.119':445
  • '<LOCALNET>.1.104':445
  • '<LOCALNET>.1.103':445
  • '<LOCALNET>.1.106':445
  • '<LOCALNET>.1.105':445
  • '<LOCALNET>.1.84':445
  • '<LOCALNET>.1.68':445
  • '<LOCALNET>.1.88':445
  • '<LOCALNET>.1.89':445
  • '<LOCALNET>.1.90':445
  • '<LOCALNET>.1.91':445
  • '<LOCALNET>.1.92':445
  • '<LOCALNET>.1.93':445
  • '<LOCALNET>.1.94':445
  • '<LOCALNET>.1.95':445
  • '<LOCALNET>.1.96':445
  • '<LOCALNET>.1.97':445
  • '<LOCALNET>.1.98':445
  • '<LOCALNET>.1.99':445
  • '<LOCALNET>.1.100':445
  • '<LOCALNET>.1.102':445
  • '<LOCALNET>.1.86':445
  • '<LOCALNET>.1.101':445
  • '<LOCALNET>.1.143':445
  • '<LOCALNET>.1.197':445
  • '<LOCALNET>.2.38':445
  • '<LOCALNET>.2.40':445
  • '<LOCALNET>.2.41':445
  • '<LOCALNET>.2.42':445
  • '<LOCALNET>.2.43':445
  • '<LOCALNET>.2.44':445
  • '<LOCALNET>.2.45':445
  • '<LOCALNET>.2.46':445
  • '<LOCALNET>.2.47':445
  • '<LOCALNET>.2.48':445
  • '<LOCALNET>.2.49':445
  • '<LOCALNET>.2.50':445
  • '<LOCALNET>.2.51':445
  • '<LOCALNET>.2.52':445
  • '<LOCALNET>.2.37':445
  • '<LOCALNET>.2.36':445
  • '<LOCALNET>.2.39':445
  • '<LOCALNET>.1.198':445
  • '<LOCALNET>.2.53':445
  • '<LOCALNET>.2.18':445
  • '<LOCALNET>.2.21':445
  • '<LOCALNET>.2.22':445
  • '<LOCALNET>.2.23':445
  • '<LOCALNET>.2.24':445
  • '<LOCALNET>.2.25':445
  • '<LOCALNET>.2.26':445
  • '<LOCALNET>.2.27':445
  • '<LOCALNET>.2.28':445
  • '<LOCALNET>.2.29':445
  • '<LOCALNET>.2.30':445
  • '<LOCALNET>.2.31':445
  • '<LOCALNET>.2.32':445
  • '<LOCALNET>.2.33':445
  • '<LOCALNET>.2.35':445
  • '<LOCALNET>.2.19':445
  • '<LOCALNET>.2.34':445
  • '<LOCALNET>.2.20':445
  • '<LOCALNET>.2.54':445
  • '<LOCALNET>.2.58':445
  • '<LOCALNET>.2.78':445
  • '<LOCALNET>.2.79':445
  • '<LOCALNET>.2.80':445
  • '<LOCALNET>.2.81':445
  • '<LOCALNET>.2.82':445
  • '<LOCALNET>.2.83':445
  • '<LOCALNET>.2.84':445
  • '<LOCALNET>.2.85':445
  • '<LOCALNET>.2.86':445
  • '<LOCALNET>.2.87':445
  • '<LOCALNET>.2.88':445
  • '<LOCALNET>.2.89':445
  • '<LOCALNET>.2.90':445
  • '<LOCALNET>.2.75':445
  • '<LOCALNET>.2.74':445
  • '<LOCALNET>.2.77':445
  • '<LOCALNET>.2.76':445
  • '<LOCALNET>.2.55':445
  • '<LOCALNET>.2.56':445
  • '<LOCALNET>.2.59':445
  • '<LOCALNET>.2.60':445
  • '<LOCALNET>.2.61':445
  • '<LOCALNET>.2.62':445
  • '<LOCALNET>.2.63':445
  • '<LOCALNET>.2.64':445
  • '<LOCALNET>.2.65':445
  • '<LOCALNET>.2.66':445
  • '<LOCALNET>.2.67':445
  • '<LOCALNET>.2.68':445
  • '<LOCALNET>.2.69':445
  • '<LOCALNET>.2.70':445
  • '<LOCALNET>.2.71':445
  • '<LOCALNET>.2.73':445
  • '<LOCALNET>.2.57':445
  • '<LOCALNET>.2.72':445
  • '<LOCALNET>.3.120':445
  • '<LOCALNET>.3.137':445
  • '<LOCALNET>.2.15':445
  • '<LOCALNET>.1.220':445
  • '<LOCALNET>.1.221':445
  • '<LOCALNET>.1.222':445
  • '<LOCALNET>.1.223':445
  • '<LOCALNET>.1.224':445
  • '<LOCALNET>.1.225':445
  • '<LOCALNET>.1.226':445
  • '<LOCALNET>.1.227':445
  • '<LOCALNET>.1.228':445
  • '<LOCALNET>.1.229':445
  • '<LOCALNET>.1.230':445
  • '<LOCALNET>.1.231':445
  • '<LOCALNET>.1.232':445
  • '<LOCALNET>.1.217':445
  • '<LOCALNET>.1.215':445
  • '<LOCALNET>.1.219':445
  • '<LOCALNET>.2.16':445
  • '<LOCALNET>.1.233':445
  • '<LOCALNET>.1.214':445
  • '<LOCALNET>.1.200':445
  • '<LOCALNET>.1.201':445
  • '<LOCALNET>.1.202':445
  • '<LOCALNET>.1.203':445
  • '<LOCALNET>.1.204':445
  • '<LOCALNET>.1.205':445
  • '<LOCALNET>.1.199':445
  • '<LOCALNET>.1.206':445
  • '<LOCALNET>.1.208':445
  • '<LOCALNET>.1.209':445
  • '<LOCALNET>.1.210':445
  • '<LOCALNET>.1.211':445
  • '<LOCALNET>.1.212':445
  • '<LOCALNET>.1.213':445
  • '<LOCALNET>.1.207':445
  • '<LOCALNET>.1.216':445
  • '<LOCALNET>.2.17':445
  • '<LOCALNET>.1.234':445
  • '<LOCALNET>.1.237':445
  • '<LOCALNET>.2.1':445
  • '<LOCALNET>.2.2':445
  • '<LOCALNET>.2.3':445
  • '<LOCALNET>.2.4':445
  • '<LOCALNET>.2.5':445
  • '<LOCALNET>.2.6':445
  • '<LOCALNET>.2.7':445
  • '<LOCALNET>.2.8':445
  • '<LOCALNET>.2.9':445
  • '<LOCALNET>.2.10':445
  • '<LOCALNET>.2.11':445
  • '<LOCALNET>.2.12':445
  • '<LOCALNET>.2.13':445
  • '<LOCALNET>.2.14':445
  • '<LOCALNET>.1.235':445
  • '<LOCALNET>.2.0':445
  • '<LOCALNET>.1.236':445
  • '<LOCALNET>.1.255':445
  • '<LOCALNET>.1.218':445
  • '<LOCALNET>.1.238':445
  • '<LOCALNET>.1.239':445
  • '<LOCALNET>.1.240':445
  • '<LOCALNET>.1.241':445
  • '<LOCALNET>.1.242':445
  • '<LOCALNET>.1.243':445
  • '<LOCALNET>.1.244':445
  • '<LOCALNET>.1.245':445
  • '<LOCALNET>.1.246':445
  • '<LOCALNET>.1.247':445
  • '<LOCALNET>.1.248':445
  • '<LOCALNET>.1.249':445
  • '<LOCALNET>.1.250':445
  • '<LOCALNET>.1.251':445
  • '<LOCALNET>.1.252':445
  • '<LOCALNET>.1.254':445
  • '<LOCALNET>.3.138':445
TCP
HTTP GET requests
  • http://ta###ostw.com/trashgame/STATUS.html
  • http://ta###ostw.com/trashgame/loaderTOP.html
  • http://ta###ostw.com/trashgame/Login.html
  • http://ta###ostw.com/trashgame/Password.html
  • http://ta###ostw.com/trashgame/Server.html
  • http://ta###ostw.com/trashgame/configCPUX.html
  • http://ta###ostw.com/trashgame/DLL.html
  • http://ta###ostw.com/LTC.html
  • http://ta###ostw.com/BTC.html
  • http://ta###ostw.com/ETH.html
  • http://ta###ostw.com/ZEC.html
  • http://ta###ostw.com/DOGE.html
  • '19#.#2.188.155':21
  • 'ex##mac.xyz':3333
UDP
  • DNS ASK ta###ostw.com
  • DNS ASK ex##mac.xyz
Miscellaneous
Searches for the following windows
  • ClassName: 'EDIT' WindowName: ''
Creates and executes the following
  • '%PROGRAMDATA%\windowstask\winlogon.exe'
  • '%PROGRAMDATA%\windowstask\audiodg.exe'
  • '%PROGRAMDATA%\rundll\system.exe' TCP 10.0.55.58/16 445 150 /save
  • '%PROGRAMDATA%\rundll\eternalblue-2.2.0.exe' --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2
  • '%PROGRAMDATA%\rundll\system.exe' TCP 192.168.1.1 445 150 /save
  • '%PROGRAMDATA%\rundll\rundll.exe'
  • '%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://ex20mac.xyz:3333 -u CPU --donate-level=1 -k -t1
  • '%PROGRAMDATA%\rundll\start.exe'
  • '%WINDIR%\syswow64\wscript.exe' "%PROGRAMDATA%\RunDLL\start.vbs"
  • '%PROGRAMDATA%\windowstask\scaner.exe' -pnaxui
  • '%PROGRAMDATA%\windowstask\scandll.exe' -pnaxui
  • '<SYSTEM32>\cmd.exe' /c ipconfig /flushdns' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c gpupdate /force' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c Rundll.exe' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 192.168.1.1 445 150 /save"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 10.0.55.58/16 445 150 /save"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F' (with hidden window)
  • '%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://ex20mac.xyz:3333 -u CPU --donate-level=1 -k -t1' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list
  • '%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 192.168.1.1 445 150 /save"
  • '%WINDIR%\syswow64\cmd.exe' /c Rundll.exe
  • '<SYSTEM32>\raserver.exe' /offerraupdate
  • '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
  • '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
  • '<SYSTEM32>\gpupdate.exe' /force
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
  • '%WINDIR%\syswow64\cmd.exe' /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Flash Player Updater" /F
  • '<SYSTEM32>\ipconfig.exe' /flushdns
  • '<SYSTEM32>\cmd.exe' /c gpupdate /force
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F
  • '%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F
  • '<SYSTEM32>\cmd.exe' /c ipconfig /flushdns
  • '%WINDIR%\syswow64\schtasks.exe' /query /fo list
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Acrobat Update Task" /F
  • '%WINDIR%\syswow64\cmd.exe' /c "system.exe TCP 10.0.55.58/16 445 150 /save"

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.