Trojan.DownLoader49.35806

Technical Information

Modifies file system

Creates the following files

%TEMP%\pkg-kzqevf\82567c55bb0ba88de564bbc66e7e4557b1747caff6bb950ce568c87f73050e8e
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\binding.gyp
%TEMP%\pkg-kzqevf\7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\license
%TEMP%\pkg-kzqevf\e54f3930ed2f0f54a318e25094ff51f7f8faaac345d1a813ee96f8d9f98b4021
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\package.json
%TEMP%\pkg-kzqevf\33fea1cb73771c2e0dab8c567d57b25a5c8e2ef0432615ce32dccf243d4d8b90
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\readme.md
%TEMP%\pkg-kzqevf\7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\deps\common-sqlite.gypi
%TEMP%\pkg-kzqevf\5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\deps\extract.js
%TEMP%\pkg-kzqevf\6172ffa4ed88aaea47b8345c247b75baba4df6f25e070a6b9dcd12c3f37b3e34
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\deps\sqlite-autoconf-3410100.tar.gz
%TEMP%\pkg-kzqevf\8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\deps\sqlite3.gyp
%TEMP%\pkg-kzqevf\049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\sqlite3-binding.js
%TEMP%\pkg-kzqevf\a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\sqlite3.d.ts
%TEMP%\pkg-kzqevf\8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\sqlite3.js
%TEMP%\pkg-kzqevf\d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\trace.js
%TEMP%\pkg-kzqevf\3cb442a7039ddcad2aac3f8bd5bfd6a4f9ff253ce47c1616b3a4495f11a5d0b9
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node.bak
%TEMP%\pkg-kzqevf\b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\async.h
%TEMP%\pkg-kzqevf\c011d2d4e3ac82c55a8f9a9af39d4adea144ab5f1d2dc259299fbf6107b8a6d0
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\backup.cc
%TEMP%\pkg-kzqevf\d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\backup.h
%TEMP%\pkg-kzqevf\9b799ccdcf9649a9b79d78dcc2882f60e1a9bfbac98949ad18cef97cb433b22b
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\database.cc
%TEMP%\pkg-kzqevf\8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\database.h
%TEMP%\pkg-kzqevf\9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\gcc-preinclude.h
%TEMP%\pkg-kzqevf\8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\macros.h
%TEMP%\pkg-kzqevf\e80fae190ace1a5153a397ae9fe55d6d28651471fb7bebf9bbb5528095d70f44
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\node_sqlite3.cc
%TEMP%\pkg-kzqevf\f868e9b32074053bdb621d6d1ffc8d8dbe65d14f95b273d57d97b0479741731a
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\statement.cc
%TEMP%\pkg-kzqevf\2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\statement.h
%TEMP%\pkg-kzqevf\e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
%TEMP%\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\src\threading.h
%LOCALAPPDATA%\mlog\1772417646223\1772417646232.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646235.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646253.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646259.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646277.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646294.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646302.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646307.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646335.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646340.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417646355.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652463.txt
%LOCALAPPDATA%\microsoft\edge\user data\default\login data_
%LOCALAPPDATA%\mlog\1772417646223\1772417652579.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652591.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652594.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652625.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652627.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652630.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652643.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652644.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652646.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652649.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417652654.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417653096.txt
%TEMP%\screencapture\screencapture_1.3.2.bat
%TEMP%\screencapture\app.manifest
%TEMP%\screencapture\csc228501681784432f803eb8f646a5ec23.tmp
%TEMP%\resb91f.tmp
%TEMP%\screencapture\screencapture_1.3.2.exe
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\screencapture_1.3.2.exe.log
%TEMP%\202621-3608-1qj8tpe.63d8.jpg
%LOCALAPPDATA%\user-185-93-40-66-sy\screen-1.jpg
%LOCALAPPDATA%\mlog\1772417646223\1772417662129.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417662130.txt
%LOCALAPPDATA%\user-185-93-40-66-sy\passwords.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417662154.txt
%LOCALAPPDATA%\user-185-93-40-66-sy\logs_exception.txt
%LOCALAPPDATA%\user-185-93-40-66-sy\system information.txt
%LOCALAPPDATA%\user-185-93-40-66-sy.zip
%LOCALAPPDATA%\mlog\1772417646223\1772417662648.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417663088.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417663104.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417663106.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417663109.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417714951.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417714958.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417714960.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417715428.txt
%LOCALAPPDATA%\mlog\1772417646223\1772417715480.txt
<Current directory>\system-error.txt

Deletes following files that it created itself

%TEMP%\resb91f.tmp
%TEMP%\screencapture\csc228501681784432f803eb8f646a5ec23.tmp
%TEMP%\202621-3608-1qj8tpe.63d8.jpg
%LOCALAPPDATA%\user-185-93-40-66-sy\logs_exception.txt
%LOCALAPPDATA%\user-185-93-40-66-sy\passwords.txt
%LOCALAPPDATA%\user-185-93-40-66-sy\screen-1.jpg
%LOCALAPPDATA%\user-185-93-40-66-sy\system information.txt
%TEMP%\pkg-kzqevf\049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3
%TEMP%\pkg-kzqevf\2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf
%TEMP%\pkg-kzqevf\33fea1cb73771c2e0dab8c567d57b25a5c8e2ef0432615ce32dccf243d4d8b90
%TEMP%\pkg-kzqevf\3cb442a7039ddcad2aac3f8bd5bfd6a4f9ff253ce47c1616b3a4495f11a5d0b9
%TEMP%\pkg-kzqevf\5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
%TEMP%\pkg-kzqevf\6172ffa4ed88aaea47b8345c247b75baba4df6f25e070a6b9dcd12c3f37b3e34
%TEMP%\pkg-kzqevf\7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
%TEMP%\pkg-kzqevf\7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0
%TEMP%\pkg-kzqevf\82567c55bb0ba88de564bbc66e7e4557b1747caff6bb950ce568c87f73050e8e
%TEMP%\pkg-kzqevf\8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
%TEMP%\pkg-kzqevf\8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43
%TEMP%\pkg-kzqevf\8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6
%TEMP%\pkg-kzqevf\8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
%TEMP%\pkg-kzqevf\9b799ccdcf9649a9b79d78dcc2882f60e1a9bfbac98949ad18cef97cb433b22b
%TEMP%\pkg-kzqevf\9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
%TEMP%\pkg-kzqevf\a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8
%TEMP%\pkg-kzqevf\b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c
%TEMP%\pkg-kzqevf\c011d2d4e3ac82c55a8f9a9af39d4adea144ab5f1d2dc259299fbf6107b8a6d0
%TEMP%\pkg-kzqevf\d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
%TEMP%\pkg-kzqevf\d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8
%TEMP%\pkg-kzqevf\e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
%TEMP%\pkg-kzqevf\e54f3930ed2f0f54a318e25094ff51f7f8faaac345d1a813ee96f8d9f98b4021
%TEMP%\pkg-kzqevf\e80fae190ace1a5153a397ae9fe55d6d28651471fb7bebf9bbb5528095d70f44
%TEMP%\pkg-kzqevf\f868e9b32074053bdb621d6d1ffc8d8dbe65d14f95b273d57d97b0479741731a

Modifies the following files

Network activity

Connects to

'ip##fo.io':443
'84.##7.145.80':80
'ap#.##legram.org':443

TCP

HTTP POST requests

http://84.##7.145.80/FileUpload/upload

Other

'ip##fo.io':443
'84.##7.145.80':80
'ap#.##legram.org':443

UDP

DNS ASK ip##fo.io
DNS ASK ap#.##legram.org

Miscellaneous

Creates and executes the following

'%TEMP%\screencapture\screencapture_1.3.2.exe' /list
'%TEMP%\screencapture\screencapture_1.3.2.exe' "%TEMP%\202621-3608-1qj8tpe.63d8.jpg" /d "\\.\DISPLAY1"

Executes the following

'<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -WindowStyle Hidden Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,12...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,...
'<SYSTEM32>\cmd.exe' /d /s /c ""%TEMP%\screenCapture\screenCapture_1.3.2.bat" /list"
'%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' \nologo \r:"Microsoft.VisualBasic.dll" \win32manifest:"app.manifest" \out:"screenCapture_1.3.2.exe" "%TEMP%\SCREEN~1\SCREEN~1.BAT"
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB91F.tmp" "%TEMP%\screenCapture\CSC228501681784432F803EB8F646A5EC23.TMP"
'<SYSTEM32>\cmd.exe' /d /s /c ""%TEMP%\screenCapture\screenCapture_1.3.2.bat" "%TEMP%\202621-3608-1qj8tpe.63d8.jpg" /d "\\.\DISPLAY1""
'<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -WindowStyle Hidden Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,12...' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c ""%TEMP%\screenCapture\screenCapture_1.3.2.bat" /list"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB91F.tmp" "%TEMP%\screenCapture\CSC228501681784432F803EB8F646A5EC23.TMP"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c ""%TEMP%\screenCapture\screenCapture_1.3.2.bat" "%TEMP%\202621-3608-1qj8tpe.63d8.jpg" /d "\\.\DISPLAY1""' (with hidden window)

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial