Adds a root certificate
Modifies value of AutoConfigURL parameter to 'http://jk45rm4hao4ff6h2.onion/7KJD5x17.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'http://jk45rm4hao4ff6h2.onion/NmCvyudf.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'http://jk45rm4hao4ff6h2.onion/aQnf0WRl.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'http://jk45rm4hao4ff6h2.onion/90vGpUoW.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'http://jk45rm4hao4ff6h2.onion/OcFMETI0.js?ip=95.211.190.199'
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\7rKUAPZT.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\6LV5RZKG.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\oP7a6bmw.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\7rKUAPZT.ps1" (with hidden window)
- '<SYSTEM32>\taskkill.exe' /F /im iexplore.exe (with hidden window)
- '<SYSTEM32>\taskkill.exe' /F /im firefox.exe (with hidden window)
- '<SYSTEM32>\taskkill.exe' /F /im chrome.exe (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\6LV5RZKG.ps1" (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hp-yg5xs.cmdline" (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB498.tmp" "%TEMP%\CSCB488.tmp" (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\oP7a6bmw.ps1" (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\siyfmtdb.cmdline" (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2E1E.tmp" "%TEMP%\CSC2DFD.tmp" (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hp-yg5xs.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB498.tmp" "%TEMP%\CSCB488.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\siyfmtdb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2E1E.tmp" "%TEMP%\CSC2DFD.tmp"
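The behaviours above fit together: the sample installs a root certificate and points the system proxy auto-config (the AutoConfigURL value under Internet Settings, the same setting Internet Explorer, WinINet and Chrome honour) at a PAC script on an .onion host, then force-kills Internet Explorer, Firefox and Chrome, most likely so that they pick up the new proxy settings on relaunch. A PAC script that routes traffic through an attacker-controlled proxy, combined with a trusted root, is enough to intercept HTTPS without certificate warnings. The powershell.exe -ExecutionPolicy Unrestricted -File "%TEMP%\....ps1" launches followed by csc.exe and cvtres.exe writing .cmdline and .tmp files into %TEMP% are consistent with a PowerShell stage compiling C# at runtime (the Add-Type pattern), though the report does not show the script contents. The following host-triage script is an added example and is not part of the report or the sample; it checks a Windows machine for the three host-side artifacts listed above. The 30-day recency window, the severity labels and the 5000-event search depth are the editor's assumptions, not indicators from the report.

```powershell
# Added triage script (editor's example, not from the report). Run as the affected
# user; elevate to also read the LocalMachine Root store and the Security log.
$findings = @()

# 1. AutoConfigURL: the PAC script every WinINet-based client fetches and runs.
#    The report sets it to http://<name>.onion/<8 chars>.js?ip=<addr>.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
    $pac = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac) {
        # Any PAC URL deserves review; an .onion host or a plain-HTTP PAC is high severity (assumed labels).
        $sev = if ($pac -match '\.onion[/:]' -or $pac -match '^http://') { 'HIGH' } else { 'REVIEW' }
        $findings += [pscustomobject]@{ Severity = $sev; Type = 'AutoConfigURL'; Detail = "$key -> $pac" }
    }
}

# 2. Root store: a root the attacker controls lets the proxy forge a certificate for any
#    site routed through the PAC. All roots are self-signed, so the discriminator here is
#    recency: flag roots whose validity began inside the assumed 30-day window.
$window = (Get-Date).AddDays(-30)
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.NotBefore -gt $window -and $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Severity = 'HIGH'; Type = 'RootCert'
                Detail   = "$store $($_.Thumbprint) '$($_.Subject)' NotBefore=$($_.NotBefore)"
            }
        }
}

# 3. Dropped stage scripts: the report runs powershell.exe -ExecutionPolicy Unrestricted
#    -File "%TEMP%\<8 chars>.ps1". Any .ps1 in %TEMP% is worth collecting before cleanup.
Get-ChildItem -Path $env:TEMP -Filter *.ps1 -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Severity = 'REVIEW'; Type = 'TempScript'
        Detail   = "$($_.FullName) modified=$($_.LastWriteTime) size=$($_.Length)"
    }
}

# 4. Process creation history (Security event 4688). Command lines only appear in the
#    event if "Include command line in process creation events" is enabled; without that
#    audit setting this section finds nothing, which is a gap, not a clean result.
$patterns = @(
    '-ExecutionPolicy Unrestricted -File',      # hidden-window PowerShell stage
    'taskkill.exe.*/im (iexplore|firefox|chrome)\.exe',  # browser kill to reload proxy settings
    'csc\.exe /noconfig /fullpaths @'           # runtime C# compile (Add-Type pattern)
)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    foreach ($pat in $patterns) {
        if ($e.Message -match $pat) {
            $findings += [pscustomobject]@{
                Severity = 'REVIEW'; Type = 'ProcessCreate'
                Detail   = "$($e.TimeCreated) matched '$pat'"
            }
            break
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No AutoConfigURL, recent root certificate, %TEMP% .ps1 or matching 4688 events found.'
} else {
    $findings | Sort-Object Severity, Type | Format-Table -AutoSize -Wrap
}
```

The script only reports; remediation (clearing AutoConfigURL, removing the root by thumbprint with Remove-Item on the Cert: drive, restarting the browsers) should follow after the artifacts have been preserved, since the PAC URL and the certificate are the indicators that tie the host to this sample. Note that a plain Windows resolver cannot look up an .onion name, so a browser that actually reached the PAC host must have been routed through something the report does not show; treat the presence of the URL itself as the signal rather than waiting for a successful fetch.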