To bypass the Windows Firewall, adds or modifies the following registry value (an allow-list entry for the built-in ftp.exe client, labelled "Windows Updates"):
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ftp.exe' = '<SYSTEM32>\ftp.exe:*:Enabled:Windows Updates'
To complicate detection of its presence in the operating system, forces the system to hide from view:
- hidden files
- file extensions
blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Chrome\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Install.exe
Executes the following:
- <SYSTEM32>\attrib.exe "%PROGRAM_FILES%\Google\Chrome\Application\chrome.exe" +s +h
- <SYSTEM32>\netsh.exe firewall add allowedprogram "%PROGRAM_FILES%\Google\Chrome\Application\chrome.exe" "Microsoft Essentials" ENABLE
- <SYSTEM32>\netsh.exe firewall add allowedprogram "<SYSTEM32>\ftp.exe" "Windows Updates" ENABLE
- <SYSTEM32>\shutdown.exe -r -f -t 00
- <SYSTEM32>\attrib.exe "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Chrome" +s +h
- <SYSTEM32>\attrib.exe "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Chrome\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}" +s +h
- <SYSTEM32>\taskkill.exe /f /im "chrome.exe"
- <SYSTEM32>\taskkill.exe /f /im "launcher.exe"
- <SYSTEM32>\attrib.exe +h %TEMP%\ztmp
- <SYSTEM32>\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft 20.0.12.2" /f
- <SYSTEM32>\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt /f /v CheckedValue
- <SYSTEM32>\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /f /v CheckedValue
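Two details in the list above matter for both triage and cleanup. The two `reg.exe DELETE ... CheckedValue` commands do not merely toggle the "hide extensions" and "hide protected files" settings: they delete the values that back the corresponding checkboxes in Folder Options, so a user can no longer re-enable them from the UI until the values are restored. And the firewall entry is written in the legacy `AuthorizedApplications\List` format, `path:scope:Enabled|Disabled:display name`, where the drive letter means the value cannot be split naively on `:`. The following is an added example, not code from the original report: a small Python detector that parses that value format, flags allow-list entries for binaries that should not be reachable from the network (the `SUSPECT_ALLOWED_BINARIES` set is an illustrative assumption), and runs regex rules over constructed command-line log records modelled on the commands listed above. Only the `+s +h` attrib combination is matched, since a bare `+h` (as on `%TEMP%\ztmp`) is too common on benign hosts to flag without more context.

```python
"""Added example, not part of the original report. Log records, registry
values and the suspect-binary list are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    rule: str
    command: str

# (rule name, pattern). Each pattern is searched over the full command line,
# case-insensitively. The rules mirror the behaviours listed in the report.
RULES = [
    ("firewall-allowedprogram",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)),
    ("folder-options-checkedvalue-delete",
     re.compile(r"\breg(\.exe)?\s+delete\s+.*\\Explorer\\Advanced\\Folder\\"
                r"(HideFileExt|SuperHidden)\b.*\bCheckedValue\b", re.I)),
    ("uninstall-entry-delete",
     re.compile(r"\breg(\.exe)?\s+delete\s+.*\\CurrentVersion\\Uninstall\\", re.I)),
    # +s +h together: bare +h alone is not flagged (too noisy).
    ("attrib-system-hidden",
     re.compile(r"\battrib(\.exe)?\s+.*\+s\s+\+h\b", re.I)),
    ("taskkill-browser",
     re.compile(r"\btaskkill(\.exe)?\s+.*/im\s+\"?(chrome|launcher)\.exe", re.I)),
    ("forced-immediate-reboot",
     re.compile(r"\bshutdown(\.exe)?\s+.*-f\b.*-t\s+0+\b", re.I)),
]

def scan(command_lines: List[str]) -> List[Finding]:
    """Return one Finding per (rule, command line) match, in input order."""
    findings: List[Finding] = []
    for cmd in command_lines:
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, cmd))
    return findings

# Legacy AuthorizedApplications\List value: path:scope:Enabled|Disabled:name.
# The path itself contains a colon (drive letter), so parse right-to-left
# with a non-greedy path group rather than str.split(":").
_AUTH_APP = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I)

def parse_authorized_app(value: str) -> Optional[Dict[str, str]]:
    """Parse a firewall allow-list value into its four fields, or None."""
    m = _AUTH_APP.match(value)
    return m.groupdict() if m else None

# Binaries that have no business in a workstation's firewall allow list.
# Illustrative assumption, not an exhaustive catalogue.
SUSPECT_ALLOWED_BINARIES = {"ftp.exe", "certutil.exe", "bitsadmin.exe",
                            "cmd.exe", "powershell.exe"}

def suspicious_firewall_entry(value: str) -> Optional[str]:
    """Return a reason string if the allow-list value looks malicious."""
    entry = parse_authorized_app(value)
    if entry is None:
        return "unparseable AuthorizedApplications value"
    exe = entry["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if entry["state"].lower() == "enabled" and exe in SUSPECT_ALLOWED_BINARIES:
        return f"enabled allow-list entry for {exe} labelled {entry['name']!r}"
    return None

# Constructed command-line records (e.g. from a process-creation log); the
# first five are modelled on the report, the last two are benign controls.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\netsh.exe firewall add allowedprogram "C:\Windows\System32\ftp.exe" "Windows Updates" ENABLE',
    r'C:\Windows\System32\attrib.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" +s +h',
    r'C:\Windows\System32\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /f /v CheckedValue',
    r'C:\Windows\System32\taskkill.exe /f /im "chrome.exe"',
    r'C:\Windows\System32\shutdown.exe -r -f -t 00',
    r'C:\Windows\System32\attrib.exe +h C:\Users\alice\notes.txt',
    r'C:\Windows\System32\shutdown.exe -r -t 600',
]

SAMPLE_FIREWALL_VALUE = r"C:\Windows\System32\ftp.exe:*:Enabled:Windows Updates"

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.command}")
    print(suspicious_firewall_entry(SAMPLE_FIREWALL_VALUE))
```

On a live host the same checks would be fed from `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List` and from process-creation telemetry; the regex rules are deliberately narrow so that a benign `attrib +h` or a scheduled `shutdown -r -t 600` does not fire.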
Terminates or attempts to terminate the following user processes:
Attempts to shut down the Windows operating system.