Win32.HLLW.Autoruner2.56150
Added to the Dr.Web virus database:
2019-08-07
Virus description added:
2019-08-09
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'w' = '"%TEMP%\MUNYNAYDANRZMN1XIXDA1KPFNKN8DDME..EXE"'
Creates or modifies the following files
Creates the following services
[<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'ImagePath' = '"<SYSTEM32>\WindowsInput.exe"'
Modifies file system
Creates the following files
%TEMP%\4swnr7bawirhmhachask78mxow751q5x..exe
%TEMP%\yna3yig1.dll
%TEMP%\res4.tmp
%TEMP%\csc3.tmp
%TEMP%\yna3yig1.out
%TEMP%\yna3yig1.cmdline
%TEMP%\yna3yig1.0.cs
%ProgramFiles%\s\s.exe.config
%ProgramFiles%\s\s.exe
<SYSTEM32>\windowsinput.installstate
%TEMP%\og.exe
<SYSTEM32>\windowsinput.exe.config
%TEMP%\b2ds25jg.dll
%TEMP%\res2.tmp
%TEMP%\csc1.tmp
%TEMP%\b2ds25jg.out
%TEMP%\b2ds25jg.cmdline
%TEMP%\b2ds25jg.0.cs
%TEMP%\zxopg9caxi6a3rh8fjrg3ztcvonqoyui..exe
%TEMP%\xgcxxdowaeveabqhn9cscp8oreinfvif..exe
%TEMP%\munynaydanrzmn1xixda1kpfnkn8ddme..exe
<SYSTEM32>\windowsinput.exe
%APPDATA%\subdir\s.exe
Sets the 'hidden' attribute to the following files
%ProgramFiles%\s\s.exe
%APPDATA%\subdir\s.exe
Deletes the following files
%TEMP%\res2.tmp
%TEMP%\csc1.tmp
%TEMP%\b2ds25jg.cmdline
%TEMP%\b2ds25jg.0.cs
%TEMP%\b2ds25jg.out
%TEMP%\b2ds25jg.dll
%TEMP%\res4.tmp
%TEMP%\csc3.tmp
%TEMP%\yna3yig1.dll
%TEMP%\yna3yig1.0.cs
%TEMP%\yna3yig1.cmdline
%TEMP%\yna3yig1.out
%TEMP%\og.exe
Substitutes the following files
Network activity
UDP
DNS ASK ip##pi.com
DNS ASK pt###p.mypi.co
DNS ASK fr###eoip.net
DNS ASK my######tblock.001www.com
DNS ASK ap#.#pify.org
Miscellaneous
Creates and executes the following
'%TEMP%\4swnr7bawirhmhachask78mxow751q5x..exe'
'%TEMP%\munynaydanrzmn1xixda1kpfnkn8ddme..exe'
'%TEMP%\xgcxxdowaeveabqhn9cscp8oreinfvif..exe'
'%TEMP%\zxopg9caxi6a3rh8fjrg3ztcvonqoyui..exe'
'<SYSTEM32>\windowsinput.exe' --install
'<SYSTEM32>\windowsinput.exe'
'%ProgramFiles%\s\s.exe'
'%APPDATA%\subdir\s.exe'
'%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\b2ds25jg.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\yna3yig1.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\CSC3.tmp"' (with hidden window)
Executes the following
'%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\b2ds25jg.cmdline"
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"
'%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\yna3yig1.cmdline"
'%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\CSC3.tmp"
'<SYSTEM32>\schtasks.exe' /create /tn "w" /sc ONLOGON /tr "%TEMP%\MUNYNAYDANRZMN1XIXDA1KPFNKN8DDME..EXE" /rl HIGHEST /f