FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.Encoder.35820

Added to the Dr.Web virus database: 2022-09-10

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdateCheck' = '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe'
Creates or modifies the following files
  • %HOMEPATH%\start menu\programs\startup\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\startup\.b580e5043e45a7e4d097
Creates the following files on removable media
  • <Drive name for removable media>:\.b580e5043e45a7e4d097
  • <Drive name for removable media>:\sdkfailsafeemulator.cer
  • <Drive name for removable media>:\contoso_1.cer
  • <Drive name for removable media>:\contosoroot.cer
  • <Drive name for removable media>:\dashborder_144.bmp
  • <Drive name for removable media>:\dashborder_96.bmp
  • <Drive name for removable media>:\coffee.bmp
  • <Drive name for removable media>:\contosoroot_1.cer
  • <Drive name for removable media>:\dashborder_120.bmp
  • <Drive name for removable media>:\dashborder_192.bmp
  • <Drive name for removable media>:\dial.bmp
  • <Drive name for removable media>:\archer.avi
  • <Drive name for removable media>:\correct.avi
  • <Drive name for removable media>:\000814251_video_01.avi
  • <Drive name for removable media>:\delete.avi
  • <Drive name for removable media>:\toolbar.bmp
  • <Drive name for removable media>:\sdksampleprivdeveloper.cer
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
  • Windows Defender
Executes the following
  • '%WINDIR%\syswow64\net.exe' stop "SQLSERVERAGENT"
  • '%WINDIR%\syswow64\taskkill.exe' /F /IM Veeam.Backup.BrokerService.exe
  • '%WINDIR%\syswow64\net.exe' stop UIODetect
  • '%WINDIR%\syswow64\net.exe' stop "igfxCUIService2.0.0.0"
  • '%WINDIR%\syswow64\taskkill.exe' /IM pg_ctl.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "ReportServer"
  • '%WINDIR%\syswow64\taskkill.exe' /IM ThunderPlatform.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM VBoxSDS.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM BackupExec.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "NetBackup Client Service"
  • '%WINDIR%\syswow64\net.exe' stop U8WorkerService2
  • '%WINDIR%\syswow64\net.exe' stop "SQLAgent"
  • '%WINDIR%\syswow64\net.exe' stop Realtek11nSU
  • '%WINDIR%\syswow64\net.exe' stop "SQLTELEMETRY$HL"
  • '%WINDIR%\syswow64\net.exe' stop SQLWriter
  • '%WINDIR%\syswow64\net.exe' stop VMwareHostd
  • '%WINDIR%\syswow64\net.exe' stop xenlite
  • '%WINDIR%\syswow64\net.exe' stop "memcached Server"
  • '%WINDIR%\syswow64\net.exe' stop TeamViewer8
  • '%WINDIR%\syswow64\net.exe' stop "TMBMServer"
  • '%WINDIR%\syswow64\net.exe' stop Apache2.4
  • '%WINDIR%\syswow64\net.exe' stop XenSvc
  • '%WINDIR%\syswow64\net.exe' stop "MSSQL$PROGID"
  • '%WINDIR%\syswow64\net.exe' stop U8WorkerService1
  • '%WINDIR%\syswow64\net.exe' stop "SQLAgent$SHOPCONTROL9"
  • '%WINDIR%\syswow64\taskkill.exe' /IM ReportingServicesService.exe /F
  • '%WINDIR%\syswow64\net.exe' stop HaoZipSvc
  • '%WINDIR%\syswow64\net.exe' stop "MsDtsServer100"
  • '%WINDIR%\syswow64\net.exe' stop "SQLTELEMETRY"
  • '%WINDIR%\syswow64\net.exe' stop "MsDtsServer130"
  • '%WINDIR%\syswow64\net.exe' stop "SSISTELEMETRY130"
  • '%WINDIR%\syswow64\net.exe' stop "SQLWrite"
  • '%WINDIR%\syswow64\taskkill.exe' /F /IM U8WorkerService.exe
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$
  • '%WINDIR%\syswow64\net.exe' stop "MSSQL$VEEAMSQL2012"
  • '%WINDIR%\syswow64\net.exe' stop "SQLAgent$VEEAMSQL2012"
  • '%WINDIR%\syswow64\taskkill.exe' /F /IM Veeam.Backup.Agent.ConfigurationService.exe
  • '%WINDIR%\syswow64\net.exe' stop SQLSERVERAGENT
  • '%WINDIR%\syswow64\net.exe' stop VMUSBArbService
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqlservr.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "MSSQL"
  • '%WINDIR%\syswow64\net.exe' stop "MSSQLServerADHelper100"
  • '%WINDIR%\syswow64\net.exe' stop "MSOLAP$SHOPCONTROL9"
  • '%WINDIR%\syswow64\net.exe' stop "MSSQL$SHOPCONTROL9"
  • '%WINDIR%\syswow64\net.exe' stop "MSSQLServerOLAPService"
  • '%WINDIR%\syswow64\taskkill.exe' /IM Tomcat7w.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "MSSQLFDLauncher$SHOPCONTROL9"
  • '%WINDIR%\syswow64\taskkill.exe' /F /IM UFIDA.U8.ECE.UTU.Services.exe
  • '%WINDIR%\syswow64\taskkill.exe' /IM DDSoftPwsTomcat9.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "ReportServer$SHOPCONTROL9"
  • '%WINDIR%\syswow64\net.exe' stop vss
  • '%WINDIR%\syswow64\net.exe' stop "SQLBrowser"
  • '%WINDIR%\syswow64\net.exe' stop SQLBrowser
  • '%WINDIR%\syswow64\net.exe' stop vmvss
Injects code into
the following system processes:
  • %WINDIR%\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
Modifies file system
Creates the following files
  • %TEMP%\cgykljgxsucddtuhbkiller.bat
  • %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\help\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\help\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\tools\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\configuration\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms
  • %ALLUSERSPROFILE%\start menu\programs\java\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms
  • %LOCALAPPDATA%\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\java\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\google chrome\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\configuration\how to back your files.txt
  • %HOMEPATH%\recent\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\uninstall\how to back your files.txt
  • %ALLUSERSPROFILE%\adobe\how to back your files.txt
  • %HOMEPATH%\sendto\mail recipient.mapimail
  • %ALLUSERSPROFILE%\start menu\programs\maintenance\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\setup\.b580e5043e45a7e4d097
  • %HOMEPATH%\sendto\how to back your files.txt
  • %HOMEPATH%\searches\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\setup\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\microsoft .net framework sdk v1.1\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\maintenance\how to back your files.txt
  • %ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\.b580e5043e45a7e4d097
  • %HOMEPATH%\searches\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\how to back your files.txt
  • %HOMEPATH%\saved games\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\uninstall\.b580e5043e45a7e4d097
  • %HOMEPATH%\saved games\how to back your files.txt
  • %HOMEPATH%\recent\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\google chrome\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\games\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\games\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\administrative tools\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\how to back your files.txt
  • %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms
  • %ALLUSERSPROFILE%\package cache\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\how to back your files.txt
  • %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms
  • %ALLUSERSPROFILE%\package cache\{e46eca4f-393b-40df-9f49-076faf788d83}\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{dde2682b-961a-41ea-8d44-6005991b7947}\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{ce085a78-074e-4823-8dc1-8a721b94b76d}\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{be960c1c-7bad-3de6-8b1a-2616fe532845}v14.0.23026\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{be960c1c-7bad-3de6-8b1a-2616fe532845}v14.0.23026\packages\how to back your files.txt
  • %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms
  • %HOMEPATH%\recent\automaticdestinations\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{be960c1c-7bad-3de6-8b1a-2616fe532845}v14.0.23026\packages\vcruntimeadditional_x86\how to back your files.txt
  • %HOMEPATH%\printhood\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{bc958bd2-5dac-3862-bb1a-c1be0790438d}v14.0.23026\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{bc958bd2-5dac-3862-bb1a-c1be0790438d}v14.0.23026\packages\how to back your files.txt
  • %HOMEPATH%\pictures\how to back your files.txt
  • %HOMEPATH%\nethood\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\d93f411851d7c929.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms
  • %ALLUSERSPROFILE%\start menu\programs\administrative tools\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\accessibility\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\tablet pc\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\tablet pc\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\system tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\system tools\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\package cache\how to back your files.txt
  • %ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\.b580e5043e45a7e4d097
  • %HOMEPATH%\appdata\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms
  • %HOMEPATH%\my documents\how to back your files.txt
  • %HOMEPATH%\sendto\desktop (create shortcut).desklink
  • %ALLUSERSPROFILE%\start menu\programs\microsoft .net framework sdk v1.1\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\microsoft office 2010 tools\how to back your files.txt
  • %HOMEPATH%\how to back your files.txt
  • %ALLUSERSPROFILE%\sun\java\how to back your files.txt
  • %HOMEPATH%\voip\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\java\java update\.b580e5043e45a7e4d097
  • %HOMEPATH%\voip\how to back your files.txt
  • %HOMEPATH%\videos\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\how to back your files.txt
  • %ALLUSERSPROFILE%\sun\java\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\java\java update\how to back your files.txt
  • %HOMEPATH%\templates\.b580e5043e45a7e4d097
  • %HOMEPATH%\templates\how to back your files.txt
  • %HOMEPATH%\start menu\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\.b580e5043e45a7e4d097
  • %HOMEPATH%\videos\how to back your files.txt
  • %ALLUSERSPROFILE%\sun\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\templates\how to back your files.txt
  • %ALLUSERSPROFILE%\templates\.b580e5043e45a7e4d097
  • %WINDIR%\microsoft.net\framework\v4.0.30319\ids.txt
  • D:\.b580e5043e45a7e4d097
  • z:\.b580e5043e45a7e4d097
  • C:\.b580e5043e45a7e4d097
  • D:\$recycle.bin\.b580e5043e45a7e4d097
  • z:\system volume information\.b580e5043e45a7e4d097
  • C:\how to back your files.txt
  • %ALLUSERSPROFILE%\local\.b580e5043e45a7e4d097
  • C:\users\.b580e5043e45a7e4d097
  • D:\system volume information\.b580e5043e45a7e4d097
  • C:\users\how to back your files.txt
  • %HOMEPATH%\.b580e5043e45a7e4d097
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.b580e5043e45a7e4d097
  • %HOMEPATH%\appdata\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\how to back your files.txt
  • %ALLUSERSPROFILE%\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\how to back your files.txt
  • %HOMEPATH%\start menu\programs\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\winrar\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\icq\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\icq\how to back your files.txt
  • %HOMEPATH%\start menu\programs\administrative tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\qip 2012\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\mirc\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\administrative tools\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\mirc\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\system tools\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\system tools\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\accessibility\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\microsoft office 2010 tools\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\accessibility\how to back your files.txt
  • %HOMEPATH%\sendto\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\qip 2012\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\mail.ru\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\sharepoint\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\sharepoint\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\winrar\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\winrar\how to back your files.txt
  • %HOMEPATH%\start menu\programs\winrar\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\winamp\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\total commander\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\winamp\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\tablet pc\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\total commander\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\tablet pc\how to back your files.txt
  • %HOMEPATH%\start menu\programs\telegram desktop\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\steam\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\telegram desktop\how to back your files.txt
  • %ALLUSERSPROFILE%\start menu\programs\steam\steam support center.url
  • %ALLUSERSPROFILE%\start menu\programs\steam\how to back your files.txt
  • %HOMEPATH%\start menu\programs\maintenance\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\maintenance\how to back your files.txt
  • %HOMEPATH%\start menu\programs\mail.ru\.b580e5043e45a7e4d097
  • %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget
  • %HOMEPATH%\my documents\my music\how to back your files.txt
Sets the 'hidden' attribute to the following files
  • %ALLUSERSPROFILE%\local\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\.b580e5043e45a7e4d097
  • %HOMEPATH%\searches\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\maintenance\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\setup\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\microsoft .net framework sdk v1.1\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\icq\.b580e5043e45a7e4d097
  • %HOMEPATH%\sendto\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\accessibility\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\system tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\accessories\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\mirc\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\administrative tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\microsoft office\microsoft office 2010 tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\qip 2012\.b580e5043e45a7e4d097
  • %HOMEPATH%\saved games\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\google chrome\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\system tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\tablet pc\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\accessibility\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\accessories\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\administrative tools\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\uninstall\.b580e5043e45a7e4d097
  • %LOCALAPPDATA%\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\java\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\configuration\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\help\.b580e5043e45a7e4d097
  • %HOMEPATH%\recent\customdestinations\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\k-lite codec pack\tools\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\games\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\sharepoint\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\mail.ru\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\startup\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\adobe\.b580e5043e45a7e4d097
  • %HOMEPATH%\appdata\.b580e5043e45a7e4d097
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.b580e5043e45a7e4d097
  • %HOMEPATH%\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\.b580e5043e45a7e4d097
  • D:\system volume information\.b580e5043e45a7e4d097
  • z:\system volume information\.b580e5043e45a7e4d097
  • <Drive name for removable media>:\.b580e5043e45a7e4d097
  • D:\$recycle.bin\.b580e5043e45a7e4d097
  • C:\.b580e5043e45a7e4d097
  • z:\.b580e5043e45a7e4d097
  • D:\.b580e5043e45a7e4d097
  • C:\users\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\java\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\templates\.b580e5043e45a7e4d097
  • %HOMEPATH%\voip\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\maintenance\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\winrar\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\startup\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\steam\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\telegram desktop\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\tablet pc\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\total commander\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\winamp\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\winrar\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\sun\java\java update\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\programs\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\programs\.b580e5043e45a7e4d097
  • %HOMEPATH%\start menu\.b580e5043e45a7e4d097
  • %HOMEPATH%\templates\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\start menu\.b580e5043e45a7e4d097
  • %HOMEPATH%\videos\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\package cache\.b580e5043e45a7e4d097
  • %ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\.b580e5043e45a7e4d097
Moves the following files
  • from %ALLUSERSPROFILE%\start menu\programs\steam\steam support center.url to %ALLUSERSPROFILE%\start menu\programs\steam\steam support center.url.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\d93f411851d7c929.customdestinations-ms to %HOMEPATH%\recent\customdestinations\d93f411851d7c929.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms to %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms to %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms to %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms to %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms to %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms to %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms to %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms to %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms to %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\sendto\mail recipient.mapimail to %HOMEPATH%\sendto\mail recipient.mapimail.globeimposter-alpha666qqz
  • from %HOMEPATH%\sendto\desktop (create shortcut).desklink to %HOMEPATH%\sendto\desktop (create shortcut).desklink.globeimposter-alpha666qqz
  • from %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget to %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms.globeimposter-alpha666qqz
  • from %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms.globeimposter-alpha666qqz
Modifies the following files
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
  • '%WINDIR%\syswow64\sc.exe' delete ftnlses3
  • '%WINDIR%\syswow64\sc.exe' delete UI0Detect
  • '%WINDIR%\syswow64\net1.exe' stop "igfxCUIService2.0.0.0"
  • '%WINDIR%\syswow64\net1.exe' stop UIODetect
  • '%WINDIR%\syswow64\net1.exe' stop "ReportServer"
  • '%WINDIR%\syswow64\sc.exe' config vss start=disabled
  • '%WINDIR%\syswow64\sc.exe' delete OracleVssWriterORCL
  • '%WINDIR%\syswow64\sc.exe' delete REPLICA
  • '%WINDIR%\syswow64\sc.exe' delete EnergyDataService
  • '%WINDIR%\syswow64\sc.exe' delete ftnlsv3
  • '%WINDIR%\syswow64\sc.exe' delete SQLSERVERAGENT
  • '%WINDIR%\syswow64\net1.exe' stop U8WorkerService1
  • '%WINDIR%\syswow64\net1.exe' stop "MsDtsServer100"
  • '%WINDIR%\syswow64\sc.exe' delete SQLWriter
  • '%WINDIR%\syswow64\sc.exe' delete "UWS LoPriv Services"
  • '%WINDIR%\syswow64\sc.exe' delete OracleOraDb11g_home1TNSListener
  • '%WINDIR%\syswow64\sc.exe' delete "XT800Service_Personal"
  • '%WINDIR%\syswow64\sc.exe' delete MSCRMAsyncService
  • '%WINDIR%\syswow64\net1.exe' stop HaoZipSvc
  • '%WINDIR%\syswow64\sc.exe' delete eCardMPService
  • '%WINDIR%\syswow64\net1.exe' stop vss
  • '%WINDIR%\syswow64\sc.exe' delete OracleOraDb11g_home1ClrAgent
  • '%WINDIR%\syswow64\sc.exe' delete "eCard-TTransServer"
  • '%WINDIR%\syswow64\net1.exe' stop "ReportServer$SHOPCONTROL9"
  • '%WINDIR%\syswow64\sc.exe' delete "DAService_TCP"
  • '%WINDIR%\syswow64\net1.exe' stop "SQLAgent$SHOPCONTROL9"
  • '%WINDIR%\syswow64\sc.exe' config "ReportServer" start= disabled
  • '%WINDIR%\syswow64\sc.exe' delete RTCATS
  • '%WINDIR%\syswow64\net1.exe' stop XenSvc
  • '%WINDIR%\syswow64\sc.exe' delete ftusbrdsrv
  • '%WINDIR%\syswow64\sc.exe' delete UIODetect
  • '%WINDIR%\syswow64\sc.exe' delete ImeDictUpdateService
  • '%WINDIR%\syswow64\sc.exe' delete RTCMEETINGMCU
  • '%WINDIR%\syswow64\net1.exe' stop Apache2.4
  • '%WINDIR%\syswow64\sc.exe' delete WebAttendServer
  • '%WINDIR%\syswow64\sc.exe' delete ftusbrdwks
  • '%WINDIR%\syswow64\sc.exe' config SQLWriter start=disabled
  • '%WINDIR%\syswow64\net1.exe' stop TeamViewer8
  • '%WINDIR%\syswow64\net1.exe' stop "memcached Server"
  • '%WINDIR%\syswow64\sc.exe' delete JhTask
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQLFDLauncher$SHOPCONTROL9"
  • '%WINDIR%\syswow64\sc.exe' delete OracleServiceORCL
  • '%WINDIR%\syswow64\sc.exe' delete "UtilDev Web Server Pro"
  • '%WINDIR%\syswow64\sc.exe' delete RTCAVMCU
  • '%WINDIR%\syswow64\net1.exe' stop xenlite
  • '%WINDIR%\syswow64\sc.exe' delete TCPIDDAService
  • '%WINDIR%\syswow64\net1.exe' stop SQLWriter
  • '%WINDIR%\syswow64\net1.exe' stop VMwareHostd
  • '%WINDIR%\syswow64\sc.exe' delete K3MobileService
  • '%WINDIR%\syswow64\net1.exe' stop "SQLTELEMETRY$HL"
  • '%WINDIR%\syswow64\sc.exe' delete aspnet_state @sc delete Redis
  • '%WINDIR%\syswow64\sc.exe' delete FxService
  • '%WINDIR%\syswow64\net1.exe' stop Realtek11nSU
  • '%WINDIR%\syswow64\net1.exe' stop U8WorkerService2
  • '%WINDIR%\syswow64\sc.exe' delete RtcQms
  • '%WINDIR%\syswow64\net1.exe' stop "NetBackup Client Service"
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQLServerOLAPService"
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQL$SHOPCONTROL9"
  • '%WINDIR%\syswow64\sc.exe' config SQLBrowser start=disabled
  • '%WINDIR%\syswow64\net1.exe' stop "SQLTELEMETRY"
  • '%WINDIR%\syswow64\sc.exe' config "SQLWriter" start= disabled
  • '%WINDIR%\syswow64\net1.exe' stop "SQLWrite"
  • '%WINDIR%\syswow64\cmd.exe' /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDA...
  • '%WINDIR%\syswow64\net1.exe' stop "SSISTELEMETRY130"
  • '%WINDIR%\syswow64\sc.exe' config "SQL Server (MSSQLSERVER)" start=disabled
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusb...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc ...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc d...
  • '%WINDIR%\syswow64\sc.exe' config MSSQLSERVER start=disabled
  • '%WINDIR%\syswow64\net1.exe' stop "MsDtsServer130"
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delet...
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQL$PROGID"
  • '%WINDIR%\syswow64\sc.exe' config "MSSQL$VEEAMSQL2012" start= disabled
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & @taskkill /IM Tomcat7w.exe /F & @taskkill /IM "UFSoft.U8.OC.QuartzScheduler.exe" /F & @taskkill /IM UFSoft.U8.OC.QuartzScheduler.exe /F & @taskkill /IM Launchpad.exe /F & @tas...
  • '%WINDIR%\syswow64\cmd.exe' /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabl...
  • '%WINDIR%\syswow64\net1.exe' stop "SQLBrowser"
  • '%WINDIR%\syswow64\net1.exe' stop "SQLSERVERAGENT"
  • '%WINDIR%\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe'
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & net stop "MSOLAP$SHOPCONTROL9" & net stop "MSSQL$SHOPCONTROL9" & net stop "MSSQLFDLauncher$SHOPCONTROL9" & net stop "ReportServer$SHOPCONTROL9" & net stop "SQLAgent$SHOPCONTRO...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & sc config MSSQLSERVER start=disabled & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc confi...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & taskkill /F /IM U8WorkerService.exe & taskkill /F /IM UFIDA.U8.ECE.UTU.Services.exe & taskkill /F /IM UFIDA.U8.UAP.ReportService.exe & taskkill /F /IM U8AllAuthServer.exe & taskki...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & sc config "SQLWriter" start= disabled & sc config "MSSQL$VEEAMSQL2012" start= disabled & sc config "SQLAgent$VEEAMSQL2012" start= disabled & sc config "MSSQL" start= disabled ...
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & net stop "SQLSERVERAGENT" & net stop "SQLBrowser" & net stop "SQLTELEMETRY" & net stop "MsDtsServer130" & net stop "SSISTELEMETRY130" & net stop "SQLWrite" & net stop "MSSQL$V...
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\Cgykljgxsucddtuhbkiller.bat" "
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & a & @taskkill /IM DDSoftPwsTomcat9.exe /F & @taskkill /IM U8SmartClient.exe /F & @taskkill /IM U8SmartClientMonitor.exe /F & @taskkill /IM tomcat9.exe /F & @taskkill /IM SqlManage...
  • '%WINDIR%\syswow64\net1.exe' stop "TMBMServer"
  • '%WINDIR%\syswow64\cmd.exe' /c "color b & @taskkill /IM ReportingServicesService.exe /F & @sc delete "SQL Server Reporting Services" & @sc delete MSSQLFDLauncher & @taskkill /IM U8CEServer.exe /F & @taskkill /IM ServerNT....
  • '%WINDIR%\syswow64\sc.exe' config "SQLAgent" start= disabled
  • '%WINDIR%\syswow64\sc.exe' config "SQLAgent$VEEAMSQL2012" start= disabled
  • '%WINDIR%\syswow64\sc.exe' config "MSSQL$PROGID" start= disabled
  • '%WINDIR%\syswow64\net1.exe' stop "MSOLAP$SHOPCONTROL9"
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQLServerADHelper100"
  • '%WINDIR%\syswow64\net1.exe' stop SQLBrowser
  • '%WINDIR%\syswow64\sc.exe' config "TMBMServer" start= disabled
  • '%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @t...
  • '%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill...
  • '%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_ma...
  • '%WINDIR%\syswow64\net1.exe' stop "SQLAgent"
  • '%WINDIR%\syswow64\sc.exe' config "SQLTELEMETRY$HL" start= disabled
  • '%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & ...
  • '%WINDIR%\syswow64\sc.exe' config "MSSQL" start= disabled
  • '%WINDIR%\syswow64\sc.exe' config SQLSERVERAGENT start=disabled
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQL"
  • '%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer ...
  • '%WINDIR%\syswow64\sc.exe' config "MsDtsServer100" start= disabled
  • '%WINDIR%\syswow64\net1.exe' stop SQLSERVERAGENT
  • '%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Servi...
  • '%WINDIR%\syswow64\sc.exe' config "MSSQLServerOLAPService" start= disabled
  • '%WINDIR%\syswow64\net1.exe' stop "SQLAgent$VEEAMSQL2012"
  • '%WINDIR%\syswow64\sc.exe' config MSSQL$ start=disabled
  • '%WINDIR%\syswow64\cmd.exe' /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop ...
  • '%WINDIR%\syswow64\sc.exe' config "MSSQLServerADHelper100" start= disabled
  • '%WINDIR%\syswow64\net1.exe' stop "MSSQL$VEEAMSQL2012"
  • '%WINDIR%\syswow64\cmd.exe' /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM Veeam.Backup...
  • '%WINDIR%\syswow64\net1.exe' stop VMUSBArbService

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play