PUA.Win64.PCHunter.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.

Se conecta a un sitio Web para enviar y recibir información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Este malware infiltra el/los siguiente(s) archivo(s):

• {Malware Path}\{Malware Filename}ak.sys

Técnica de inicio automático

Elimina las siguientes claves de registro asociadas a aplicaciones antivirus y de seguridad:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{Malware Filename}ak

Otras modificaciones del sistema

Elimina los archivos siguientes:

• {Malware Path}\{Malware Filename}ak.sys

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{Malware Filename}ak
Type = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{Malware Filename}ak
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{Malware Filename}ak
Start = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{Malware Filename}ak
ImagePath = \??\{Malware Path}\{Malware Filename}ak.sys

Rutina de puerta trasera

Se conecta a los sitios Web siguientes para enviar y recibir información:

• http://www.ep{BLOCKED}t.com
• http://www.e{BLOCKED}t.com/PCHunter_StandardV1.4={MAC Address}
• http://www.e{BLOCKED}t.com/pchunter/pchunter_free
• {BLOCKED}.{BLOCKED}.158.231

Robo de información

Recopila los siguientes datos:

• MAC Address
• Running Processes
• Computer Files
• User Accounts
• System Registries
• Process Modules
• Kernel Modules
• Startup Information
• Network Connections
• Firewall Rules

Otros detalles

Hace lo siguiente:

• It loads the dropped file as a driver
  • {Malware Path}\{Malware Filename}ak.sys
• It displays the following image:
  
• It can view and display system process and process threads
• It can terminate, suspend and resume processes and threads
• It displays current network connections, including the local and remote addresses and state of TCP connections
• It displays and can edit system registry
• It displays and can delete files and folders
• It can view file properties information
• It displays autorun entries
• It can delete and edit autorun entries
• It displays and can delete user accounts
• It displays affected machine’s firewall rules
• It can delete a firewall rule