Technical Information
- <SYSTEM32>\tasks\audiodg
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\csrss
- <SYSTEM32>\tasks\explorer
- <SYSTEM32>\tasks\svchost
- <SYSTEM32>\tasks\cmd
- <SYSTEM32>\tasks\mdm
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %TEMP%\7zipsfx.000\dcrust.exe
- %TEMP%\fxkudhgifi
- %TEMP%\igb8osliva
- %TEMP%\pjg12y5n96
- %TEMP%\inu1gqdcqd
- %TEMP%\riyo2xz7cj
- %TEMP%\euaopgmsgc
- %TEMP%\1ptbzl8ube
- %TEMP%\kukrvlgoao
- %TEMP%\fnmfmaeu6n
- %TEMP%\llpwoqzfg7
- %TEMP%\r17o5g46uw
- %ProgramFiles%\fpwin\886983d96e3d3e31032c679b2d4ea91b6c05afef
- %TEMP%\npo6l82rbk
- %TEMP%\liddnwpbrd
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\xl17wlzcs6
- %TEMP%\xew9alep0s
- %TEMP%\1c8ufvltzt
- %TEMP%\ba7aypy4md
- %TEMP%\bmzxdgdwvk
- %TEMP%\w0ksvng2kz
- %TEMP%\qx3cvbamy0
- %TEMP%\7fgzp0mggb
- %TEMP%\e5aaumkkrn
- %ALLUSERSPROFILE%\package cache\{a2563e55-3bec-3828-8d67-e5e8b9e8b675}v14.0.23026\packages\vcruntimeminimum_x86\559fba5f8e44108851927af432f0edac6117c574
- %ALLUSERSPROFILE%\package cache\{a2563e55-3bec-3828-8d67-e5e8b9e8b675}v14.0.23026\packages\vcruntimeminimum_x86\mdm.exe
- C:\fonthost\jz9apblnvqgpt8nqr6bs.exe
- C:\fonthost\z1savtr8kucgxhky8nau9j4dvdpbms.vbe
- C:\fonthost\3cgvdhtpx9972ythl0ze9vayfqddnb.bat
- C:\fonthost\am0ogkelqj88chlbunokxddmx5jzzt.bat
- C:\fonthost\drivermonitor.exe
- C:\fonthost\3slv9uddidmd9muvqirq8xf2qnsxxa.vbe
- %ProgramFiles(x86)%\pidgin\gtk\etc\fonts\audiodg.exe
- %ProgramFiles(x86)%\pidgin\gtk\etc\fonts\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af
- %TEMP%\d8fca658c5cf599bcd97a30568d18884.dat
- %ALLUSERSPROFILE%\start menu\dwm.exe
- %ALLUSERSPROFILE%\start menu\6cb0b6c459d5d3455a3da700e713f2e2529862ff
- %TEMP%\pm8fxgwklm
- %TEMP%\m0p29endew
- %ProgramFiles%\fpwin\csrss.exe
- %WINDIR%\vss\6cb0b6c459d5d3455a3da700e713f2e2529862ff
- %WINDIR%\softwaredistribution\scanfile\explorer.exe
- %WINDIR%\softwaredistribution\scanfile\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
- C:\totalcmd\language\svchost.exe
- C:\totalcmd\language\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
- C:\far2\addons\colors\default_highlighting\explorer.exe
- C:\far2\addons\colors\default_highlighting\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
- C:\fonthost\cmd.exe
- C:\fonthost\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
- <Current directory>\svchost.exe
- <Current directory>\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
- %TEMP%\7zipsfx.000\dcrust_up.exe
- %WINDIR%\vss\dwm.exe
- %TEMP%\kcwe0pi7bo
- %TEMP%\7zipsfx.000\dcrust.exe
- %TEMP%\w0ksvng2kz
- %TEMP%\bmzxdgdwvk
- %TEMP%\ba7aypy4md
- %TEMP%\1c8ufvltzt
- %TEMP%\xew9alep0s
- %TEMP%\xl17wlzcs6
- %TEMP%\liddnwpbrd
- %TEMP%\m0p29endew
- %TEMP%\npo6l82rbk
- %TEMP%\r17o5g46uw
- %TEMP%\llpwoqzfg7
- %TEMP%\pm8fxgwklm
- %TEMP%\fnmfmaeu6n
- %TEMP%\1ptbzl8ube
- %TEMP%\euaopgmsgc
- %TEMP%\riyo2xz7cj
- %TEMP%\inu1gqdcqd
- %TEMP%\pjg12y5n96
- %TEMP%\igb8osliva
- %TEMP%\fxkudhgifi
- %TEMP%\7fgzp0mggb
- %TEMP%\qx3cvbamy0
- %TEMP%\e5aaumkkrn
- %TEMP%\7zipsfx.000\dcrust_up.exe
- %TEMP%\kukrvlgoao
- %TEMP%\kcwe0pi7bo
- http://f0####83.xsph.ru/uhujztbevrmuczvv83c1cxn34f3ieh29p9rl5a5y64hjnl064cxy0zehq19xp/3r7p4b1px3efv4/de0599418f1bcc4409e05bf4f636fe8b2b6e8e07.php?f1#############################################...
- http://f0####83.xsph.ru/uhujztbevrmuczvv83c1cxn34f3ieh29p9rl5a5y64hjnl064cxy0zehq19xp/3r7p4b1px3efv4/de0599418f1bcc4409e05bf4f636fe8b2b6e8e07.php?ca#############################################...
- http://f0####83.xsph.ru/uhujztbevrmuczvv83c1cxn34f3ieh29p9rl5a5y64hjnl064cxy0zehq19xp/3r7p4b1px3efv4/rccn33ta095h62d2/fdc90f44a530abe6be0c06e9ca8318b8.php?c3####################################...
- DNS ASK f0####83.xsph.ru
- DNS ASK ip##fo.io
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\7zipsfx.000\dcrust_up.exe'
- '%WINDIR%\syswow64\wscript.exe' "C:\fonthost\Z1saVTR8KUcGXhkY8nAU9J4DvDpBMS.vbe"
- '%TEMP%\7zipsfx.000\dcrust.exe'
- 'C:\fonthost\jz9apblnvqgpt8nqr6bs.exe' -p2a4e5ffde495aad50b95cab7854842ecf7b9f505
- '%WINDIR%\syswow64\wscript.exe' "C:\fonthost\3slv9UddIDmd9muvQirq8xf2QnsXxa.vbe"
- 'C:\fonthost\drivermonitor.exe'
- '%ALLUSERSPROFILE%\package cache\{a2563e55-3bec-3828-8d67-e5e8b9e8b675}v14.0.23026\packages\vcruntimeminimum_x86\mdm.exe'
- '%TEMP%\7zipsfx.000\dcrust_up.exe' ' (with hidden window)
- '%TEMP%\7zipsfx.000\dcrust.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fonthost\3CGVdhtPX9972yTHl0ze9VAyfqdDNB.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fonthost\AM0ogkElqJ88CHlbuNokxDdmx5jZZT.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fonthost\3CGVdhtPX9972yTHl0ze9VAyfqdDNB.bat" "
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fonthost\AM0ogkElqJ88CHlbuNokxDdmx5jZZT.bat" "
- '<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Pidgin\Gtk\etc\fonts\audiodg.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Start Menu\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'%ProgramFiles%\FPWin\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'%WINDIR%\Vss\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "explorer" /sc ONLOGON /tr "'%WINDIR%\SoftwareDistribution\ScanFile\explorer.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\svchost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "explorer" /sc ONLOGON /tr "'C:\Far2\Addons\Colors\Default_Highlighting\explorer.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "cmd" /sc ONLOGON /tr "'C:\fonthost\cmd.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'<Current directory>\svchost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdm" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\packages\vcRuntimeMinimum_x86\mdm.exe'" /rl HIGHEST /f