Technical Information
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\totalcmd\LANGUAGE\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"C:\Users\Default\Desktop\dwm.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe", "C:\Users\Default\Desktop\dwm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'audiodg' = '"C:\Documents and Settings\audiodg.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe", "C:\Users\Default\Desktop\dwm.exe", "C:\Documents and Settings\audio...
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idle' = '"<Current directory>\Idle.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'WmiPrvSE' = '"C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"C:\totalcmd\LANGUAGE\<File name>.exe"'
- <SYSTEM32>\tasks\sofsiexplore
- <SYSTEM32>\tasks\gw0ridle
- <SYSTEM32>\tasks\cbyzwmiprvse
- <SYSTEM32>\tasks\yvytidle
- <SYSTEM32>\tasks\audiodg
- <SYSTEM32>\tasks\e1ynaudiodg
- <SYSTEM32>\tasks\wwwwidle
- <SYSTEM32>\tasks\vaimaudiodg
- <SYSTEM32>\tasks\qmtd<File name>
- <SYSTEM32>\tasks\5jroaudiodg
- <SYSTEM32>\tasks\faei<File name>
- <SYSTEM32>\tasks\wmiprvse
- <SYSTEM32>\tasks\idle
- <SYSTEM32>\tasks\n23hwmiprvse
- <SYSTEM32>\tasks\nmr8dwm
- <SYSTEM32>\tasks\<File name>
- <SYSTEM32>\tasks\gstndwm
- <SYSTEM32>\tasks\dcl7iexplore
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\aurpdwm
- <SYSTEM32>\tasks\dyx0iexplore
- <SYSTEM32>\tasks\s95x<File name>
- <SYSTEM32>\tasks\zpbowmiprvse
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- C:\totalcmd\language\iexplore.exe
- %TEMP%\6xwvisadmd
- %TEMP%\pvmk9svtzi
- %TEMP%\ss7soypztf
- %TEMP%\q3uz2gcchf
- %TEMP%\jhbzudqbiy
- %TEMP%\lldfjtui98
- %TEMP%\pxstmnyfup
- %TEMP%\9tu3yj4mii
- %TEMP%\ftii3uwush
- %TEMP%\pjpuwlvh8k
- %TEMP%\fbncegtsgw
- %TEMP%\u8wdpn5pff
- %TEMP%\qrbepbjtkg
- %TEMP%\t0thrqzxhe
- %TEMP%\0poqlqlchk
- C:\totalcmd\language\97e0b3c5637185
- C:\totalcmd\language\<File name>.exe
- C:\users\public\pictures\sample pictures\24dbde2999530e
- C:\users\public\pictures\sample pictures\wmiprvse.exe
- <Current directory>\6ccacd8608530f
- <Current directory>\idle.exe
- C:\documents and settings\42af1c969fbb7b
- C:\documents and settings\audiodg.exe
- C:\users\default\desktop\6cb0b6c459d5d3
- C:\users\default\desktop\dwm.exe
- C:\totalcmd\language\9db6e019d4f04e
- %TEMP%\kranyb8dnz
- %TEMP%\xbhdjuqkaj
- %TEMP%\0poqlqlchk
- %TEMP%\6xwvisadmd
- %TEMP%\pvmk9svtzi
- %TEMP%\ss7soypztf
- %TEMP%\q3uz2gcchf
- %TEMP%\jhbzudqbiy
- %TEMP%\lldfjtui98
- %TEMP%\qrbepbjtkg
- %TEMP%\pxstmnyfup
- %TEMP%\ftii3uwush
- %TEMP%\pjpuwlvh8k
- %TEMP%\fbncegtsgw
- %TEMP%\u8wdpn5pff
- %TEMP%\t0thrqzxhe
- %TEMP%\kranyb8dnz
- %TEMP%\9tu3yj4mii
- %TEMP%\xbhdjuqkaj
- '62.##9.2.159':80
- 'ip##fo.io':443
- 'ap#.##legram.org':443
- http://62.##9.2.159/protectGame/PhpBetterauth/67Game/Dle/UploadsPrivate2/ImageEternalDump/HttpTrack/GeoTestSql/CpuUpdate77/1LineUploadsUpdate/BigloadJavascripteternalpublic/Asynctraffic.php?8H#...
- http://62.##9.2.159/protectGame/PhpBetterauth/67Game/Dle/UploadsPrivate2/ImageEternalDump/HttpTrack/GeoTestSql/CpuUpdate77/1LineUploadsUpdate/BigloadJavascripteternalpublic/Asynctraffic.php?pF#...
- 'ip##fo.io':443
- 'ap#.##legram.org':443
- DNS ASK ip##fo.io
- DNS ASK ap#.##legram.org
- 'C:\totalcmd\language\iexplore.exe'
- 'C:\totalcmd\language\iexplore.exe' ' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn "soFsiexplore" /sc MINUTE /mo 7 /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "s95x<File name>" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "fAEi<File name>" /sc MINUTE /mo 7 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "cbYzWmiPrvSE" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "zPboWmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "N23HWmiPrvSE" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc MINUTE /mo 11 /tr "'<Current directory>\Idle.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "gw0rIdle" /sc ONSTART /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WwWWIdle" /sc ONLOGON /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "YVYtIdle" /sc MINUTE /mo 5 /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\audiodg.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "E1ynaudiodg" /sc ONSTART /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "VAimaudiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "5JRoaudiodg" /sc MINUTE /mo 13 /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dwm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Nmr8dwm" /sc ONSTART /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "AUrPdwm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "gstndwm" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Dcl7iexplore" /sc ONSTART /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dyX0iexplore" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "qMTd<File name>" /sc ONSTART /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc MINUTE /mo 9 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /f