Search

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This Trojan adds the following processes: "%System%\cmd.exe" /c "_\_\_\_\_\_

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This spyware creates the following folders: %User Temp%\_$Df (Note: %User Temp% is

that creates the following specific mutex: .exeM_[0-9][0-9][0-9].*_ .exeM_[0-9][0-9][0-9][0-9].*_ uxJLpe1m Ap1mutx7

drops and executes the following files: %Windows%\Temp\_$Cf\osk.exe - detected as PE_COSVAR.A-O (Note: %Windows% is the Windows folder, which is usually C:\Windows.) It drops the following non-malicious

{garbage characters} open=bakredm.bat {garbage characters} shell\open\Command=hiudstenw.bat _ {garbage characters} shell\open\Default=1 shell\explore\Default=2 {garbage characters} shell\explore\Command

analysis system. Trojan:Win32/Tracur.AH, Trojan:Win32/Tracur.AH, Trojan:Win32/Tracur.AH, Trojan:Win32/Tracur.AH, Troj (Microsoft); [2.nsis]:Downloader-BMN.gen.i, [3.nsis]:Downloader-BMN.gen.i, [4.nsis

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Other Details This Trojan does the following: Executes "_\DeviceConfigManager.exe" if found

\dd_vcredistMSI5DA7.txt %User Temp%\dd_vcredistMSI6BB9.txt %User Temp%\dd_vcredistUI5DA7.txt %User Temp%\dd_vcredistUI6BB9.txt %User Temp%\Perflib_Perfdata_42c.dat %User Temp%\Perflib_Perfdata_740.dat %User Temp%\_$Df

\Windows on all Windows operating system versions.) It creates the following folders: %Windows%\M-{random numbers} {Removable Drive Letter}:\_ (Note: %Windows% is the Windows folder, where it usually is C:

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Other System Modifications This backdoor deletes the following files: LMNOPQRSTUVWXYZ[\]^_

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This backdoor creates the following folders: %User Temp%\_$Df %User Temp%\DF51.tmp

%MpsXNpCnns.bin %Current%\_$sbinLop.bin %Current%\_$NosTsh.bin %Current%\Temp.bin (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on

file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This Trojan creates the following folders: %Temp%\_$Cf (Note: %Temp% is the Windows

to the file name of the encrypted files: {random}.satan_pro It drops the following file(s) as ransom note: _如何解密我的文件_.txt

to the file name of the encrypted files: {random}.evopro It drops the following file(s) as ransom note: _如何解密我的文件_.txt

(Symantec); PAK:PECrypt32.Kila, PAK:ASPack, Trojan-Banker.Win32.Banker.etk, Trojan-Banker.Win32.Banker.etk, Troj (Kaspersky); Infostealer.Banpaes (Sunbelt); Trojan.Spy.Banker.ANV (FSecure)

Temp%\_$Df\DF6Wks.sib (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\

SYSTeM.io.sTREAMreADer($_ ,[TeXt.eNcODinG]::Ascii ) }).readTOeND()" TrojanDownloader:O97M/Powdow.ARJ!MTB (Microsoft); RDN/Generic Downloader.x (NAI); VBA/TrojanDownloader.Agent.SFS trojan (NOD32)

https://discordapp.com/api/webhooks/292933102060437504/6dkH6MUyHmo9IZ0ImsKH7Z-Xo7CdG_EGTQGfj8RDzJPgkyIA5FTUWKZCf6gSO9UqagzN --> NOTES: The message sent to discord is in the following format: _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_{random hex

\DD_VCR~2.TXT %User Temp%\DD_VCR~4.TXT %User Temp%\DD_VCR~1.TXT %User Temp%\DD_VCR~3.TXT %User Temp%\PERFLI~1.DAT %User Temp%\PERFLI~2.DAT %User Temp%\_$Df\DF6Wks.sib (Note: %System% is the Windows system folder,