Trojan.DownLoader33.3439

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%WINDIR%\tasks\header.job
<SYSTEM32>\tasks\header
<SYSTEM32>\tasks\main

Modifies file system

Creates the following files

%PROGRAMDATA%\chrome\bitoreen.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_fr.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_it.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_ja.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_ko.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_pt_br.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_sv.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_zh_cn.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_zh_hk.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_zh_tw.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\splash.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\splash@2x.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\splash_11-lic.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\splash_11@2x-lic.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\ffjcext.zip
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\cldrdata.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\dnsns.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\jaccess.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\localedata.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\meta-index
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\nashorn.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\sunec.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\sunjce_provider.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\sunmscapi.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\sunpkcs11.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\zipfs.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\flavormap.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fontconfig.bfc
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_de.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages_es.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy\messages.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\currency.data
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidabrightdemibold.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\server\jvm.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\server\xusage.txt
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\servertool.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\splashscreen.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\ssv.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\ssvagent.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\sunec.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\sunmscapi.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\t2k.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\tnameserv.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fontconfig.properties.src
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\rmid.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\access-bridge-64.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\verify.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\zip.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\accessibility.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\amd64\jvm.cfg
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\calendars.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\charsets.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\classlist
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\cmm\ciexyz.pf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\cmm\gray.pf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\cmm\linear_rgb.pf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\cmm\pycc.pf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\cmm\srgb.pf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\content-types.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\w2k_lsa_auth.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\windowsaccessbridge-64.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\wsdetect.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\bci.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidabrightdemiitalic.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\blacklisted.certs
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\cacerts
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\java.policy
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\java.security
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\javaws.policy
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\local_policy.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\us_export_policy.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\sound.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\tzdb.dat
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\tzmappings
%TEMP%\e4jbd28.tmp_dir1581972570\jre\release
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\charsets.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jfr.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\security\blacklist
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\resource.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\rt.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\resources.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\rt.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\access-bridge-64.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\cldrdata.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\dnsns.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\jaccess.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\localedata.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\nashorn.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\zipfs.jar
%TEMP%\hsperfdata_user\2652
%PROGRAMDATA%\oracle\java\.oracle_jre_usage\8182e42a46f68ba4.timestamp
%TEMP%\e4j465f.tmp
%TEMP%\e4jbd28.tmp_dir1581972570\user.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management-agent.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jsse.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\rmiregistry.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\psfontj2d.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jfr\profile.jfc
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidasansdemibold.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidasansregular.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidatypewriterbold.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidatypewriterregular.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\hijrah-config-umalqura.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\cursors.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\invalid32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_copydrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_copynodrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_linkdrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_linknodrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_movedrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\images\cursors\win32_movenodrop32x32.gif
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\resources.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidabrightitalic.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\fonts\lucidabrightregular.ttf
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jfr.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jsse.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jvm.hprof.txt
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\logging.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management\jmxremote.access
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management\jmxremote.password.template
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management\management.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management\snmp.acl.template
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management-agent.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\meta-index
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\net.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\plugin.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\psfont.properties.ja
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jfr\default.jfc
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jce.jar
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\policytool.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\pack200.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\orbd.exe
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_25_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_18_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_38_5p83tu_1jaybna.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_2_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_36_5p83tu_141ij3m.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_4_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_11_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\messagesdefault
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_16_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\user.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\stats.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_32_5p83tu.txt
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_22_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_26_5p83tu_12q8bqh.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_12_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_0_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_nl.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_de.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_br.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avg_en_01.png
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_mac_en_a3.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\vmdetector
%TEMP%\e4jbd28.tmp_dir1581972570\user\avg_en_03.png
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_mac_en_a.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_en.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_jp.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_se.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avg_en_03b.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_20_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\installer.ico
%TEMP%\e4jbd28.tmp_dir1581972570\user\ya_distr_171x255.png
%TEMP%\e4jbd28.tmp_dir1581972570\user\vuze_custom.jar
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_mac_en_1.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_35_5p83tu.txt
%PROGRAMDATA%\chrome\vvss3333.xml
%PROGRAMDATA%\chrome\mybundle.exe
%PROGRAMDATA%\deep.txt
%TEMP%\nsxa2ea.tmp
%TEMP%\nsxa2eb.tmp\system.dll
%TEMP%\nsxa2eb.tmp\inetc.dll
%TEMP%\vuzeinstall\vuzeinstaller.exe
%TEMP%\i4j_nlog_1.log
%TEMP%\e4jbd28.tmp_dir1581972570\i4jruntime.jar
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_13_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4jparams.conf
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_15_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_1_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_31_5p83tu.txt
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_37_5p83tu_bm8amj.ico
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_19_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_29_5p83tu_1rv17he.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_33_5p83tu.txt
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_17_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_14_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_8_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_27_5p83tu_1a89bbn.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_3_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_6_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_30_5p83tu_1uj26g4.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_23_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_28_5p83tu_x2womb.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_34_5p83tu_10qu06u.png
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_9_5p83tu.properties
%PROGRAMDATA%\chrome\goopdate.dll
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_7_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\plugin.jar
%TEMP%\e4jbd28.tmp_dir1581972570\user\vuze_custom.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_mac_en_b.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\java_crw_demo.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jawt.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jawtaccessbridge-64.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jdwp.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jfr.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jjs.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jli.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jp2iexp.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jp2launcher.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jp2native.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jp2ssv.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jpeg.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jsdt.dll
%TEMP%\e4jbd28.tmp_dir1581972570\user\cocoawindowcentercoordinates
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\javaw.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\javacpl.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\keytool.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\kinit.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\klist.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\ktab.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\lcms.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\management.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\mlib_image.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\msvcp120.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\msvcr100.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\msvcr120.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\net.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\nio.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\npt.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jsound.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\kcms.dll
%TEMP%\e4jbd28.tmp_dir1581972570\user\avg_en_02.png
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jsoundds.dll
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_24_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_es.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_hi.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\user\avast_fr.jpg
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_5_5p83tu.properties
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_10_5p83tu.utf8
%TEMP%\e4jbd28.tmp_dir1581972570\i4j_extf_21_5p83tu.utf8
%TEMP%\e4jbfe8.tmp
%TEMP%\e4jbd28.tmp_dir1581972570\jre.tar.gz
%TEMP%\e4jbd28.tmp_dir1581972570\jre\copyright
%TEMP%\e4jbd28.tmp_dir1581972570\jre\license
%TEMP%\e4jbd28.tmp_dir1581972570\jre\readme.txt
%TEMP%\e4jbd28.tmp_dir1581972570\jre\thirdpartylicensereadme.txt
%TEMP%\e4jbd28.tmp_dir1581972570\jre\welcome.html
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\java.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\javacpl.cpl
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\javaaccessbridge-64.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\deploy.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\dt_shmem.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\dt_socket.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\eula.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\fontmanager.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\hprof.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\instrument.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\j2pcsc.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\j2pkcs11.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jaas_nt.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\jabswitch.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\java-rmi.exe
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\java.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\awt.dll
%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\dcpr.dll
%TEMP%\hsperfdata_user\988

Sets the 'hidden' attribute to the following files

%PROGRAMDATA%\chrome\goopdate.dll
%PROGRAMDATA%\chrome\vvss3333.xml
%PROGRAMDATA%\chrome\mybundle.exe
%PROGRAMDATA%\deep.txt

Deletes the following files

%TEMP%\e4jbfe8.tmp
%TEMP%\e4j465f.tmp
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\zipfs.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\nashorn.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\localedata.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\jaccess.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\dnsns.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\cldrdata.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\ext\access-bridge-64.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\rt.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\resources.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\plugin.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\management-agent.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jsse.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\jfr.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\deploy.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre\lib\charsets.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\jre.tar.gz
%TEMP%\e4jbd28.tmp_dir1581972570\user.jar.pack
%TEMP%\e4jbd28.tmp_dir1581972570\user\vuze_custom.jar.pack

Network activity

TCP

HTTP GET requests

http://cf#.#uze.com/files/Vuze_Installer64.exe
http://cf#.#uze.com/files/windows-amd64-jre8.tar.gz

'ki###torrent.ru':1001

UDP

DNS ASK cf#.#uze.com
DNS ASK ki###torrent.ru
DNS ASK YA##O.Com
DNS ASK mt##.##0.yahoodns.net

Miscellaneous

Searches for the following windows

ClassName: '#32770' WindowName: ''

Creates and executes the following

'%PROGRAMDATA%\chrome\bitoreen.exe'
'%PROGRAMDATA%\chrome\mybundle.exe'
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\dnsns.jar.pack" "jre\lib\ext\dnsns.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\jaccess.jar.pack" "jre\lib\ext\jaccess.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "%TEMP%\e4jBD28.tmp_dir1581972570\user.jar.pack" "%TEMP%\e4jBD28.tmp_dir1581972570\user.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\localedata.jar.pack" "jre\lib\ext\localedata.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\zipfs.jar.pack" "jre\lib\ext\zipfs.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "%TEMP%\e4jBD28.tmp_dir1581972570\user\vuze_custom.jar.pack" "%TEMP%\e4jBD28.tmp_dir1581972570\user\vuze_custom.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\cldrdata.jar.pack" "jre\lib\ext\cldrdata.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\management-agent.jar.pack" "jre\lib\management-agent.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\nashorn.jar.pack" "jre\lib\ext\nashorn.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\resources.jar.pack" "jre\lib\resources.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\rt.jar.pack" "jre\lib\rt.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\charsets.jar.pack" "jre\lib\charsets.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\jfr.jar.pack" "jre\lib\jfr.jar"
'%TEMP%\vuzeinstall\vuzeinstaller.exe'
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\deploy.jar.pack" "jre\lib\deploy.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\access-bridge-64.jar.pack" "jre\lib\ext\access-bridge-64.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\plugin.jar.pack" "jre\lib\plugin.jar"
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\jsse.jar.pack" "jre\lib\jsse.jar"
'%PROGRAMDATA%\chrome\mybundle.exe' ' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\charsets.jar.pack" "jre\lib\charsets.jar"' (with hidden window)
'%PROGRAMDATA%\chrome\bitoreen.exe' ' (with hidden window)
'%TEMP%\e4jbd2~1.tmp\jre\bin\java.exe' -version' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\zipfs.jar.pack" "jre\lib\ext\zipfs.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\nashorn.jar.pack" "jre\lib\ext\nashorn.jar"' (with hidden window)
'%ProgramFiles%\Java\jre1.8.0_45\bin\java.exe' -version' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\localedata.jar.pack" "jre\lib\ext\localedata.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\jaccess.jar.pack" "jre\lib\ext\jaccess.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\deploy.jar.pack" "jre\lib\deploy.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\dnsns.jar.pack" "jre\lib\ext\dnsns.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\cldrdata.jar.pack" "jre\lib\ext\cldrdata.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\ext\access-bridge-64.jar.pack" "jre\lib\ext\access-bridge-64.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\jfr.jar.pack" "jre\lib\jfr.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\rt.jar.pack" "jre\lib\rt.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\resources.jar.pack" "jre\lib\resources.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\jsse.jar.pack" "jre\lib\jsse.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\plugin.jar.pack" "jre\lib\plugin.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "jre\lib\management-agent.jar.pack" "jre\lib\management-agent.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "%TEMP%\e4jBD28.tmp_dir1581972570\user.jar.pack" "%TEMP%\e4jBD28.tmp_dir1581972570\user.jar"' (with hidden window)
'%TEMP%\e4jbd28.tmp_dir1581972570\jre\bin\unpack200.exe' "%TEMP%\e4jBD28.tmp_dir1581972570\user\vuze_custom.jar.pack" "%TEMP%\e4jBD28.tmp_dir1581972570\user\vuze_custom.jar"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\schtasks.exe' /create /tn Header /XML %PROGRAMDATA%\Chrome\vvss3333.xml
'%WINDIR%\syswow64\schtasks.exe' /create /tn main /tr %PROGRAMDATA%\Chrome\bitoreen.exe /SC ONCE /ST 00:00
'%WINDIR%\syswow64\schtasks.exe' /run /tn main
'<SYSTEM32>\taskeng.exe' {D77C3964-AC76-4800-B73C-DA5614E7636B} S-1-5-21-1960123792-2022915161-3775307078-1001:cxbazagi\user:Interactive:[1]
'%ProgramFiles%\Java\jre1.8.0_45\bin\java.exe' -version
'<SYSTEM32>\icacls.exe' %PROGRAMDATA%\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
'<SYSTEM32>\icacls.exe' %PROGRAMDATA%\Oracle\Java\.oracle_jre_usage\8182e42a46f68ba4.timestamp /grant "everyone":(OI)(CI)M

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней