Technical Information
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe"'
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe"'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"%WINDIR%\Branding\spoolsv.exe"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"%WINDIR%\Branding\spoolsv.exe"'
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe", "%WINDIR%\Branding\spoolsv.e...
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'rundll32' = '"C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\rundll32.exe"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'rundll32' = '"C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\rundll32.exe"'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles%\Windows Sidebar\Shared Gadgets\iexplore.exe"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles%\Windows Sidebar\Shared Gadgets\iexplore.exe"'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Users\Default User\iexplore.exe"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Users\Default User\iexplore.exe"'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"<Full path to file>"'
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"<Full path to file>"'
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\iexplorei
- <SYSTEM32>\tasks\spoolsvs
- <SYSTEM32>\tasks\spoolsv
- <SYSTEM32>\tasks\rundll32r
- <SYSTEM32>\tasks\rundll32
- <SYSTEM32>\tasks\<File name>j
- <SYSTEM32>\tasks\<File name>
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- <Current directory>\e410f39eeeb6ab
- %HOMEPATH%\desktop\pcrhtvaf.log
- %HOMEPATH%\desktop\xppcazfq.log
- %HOMEPATH%\desktop\vuugwbft.log
- %HOMEPATH%\desktop\lwqwjjpp.log
- %HOMEPATH%\desktop\kggbfuft.log
- %HOMEPATH%\desktop\rotvlpue.log
- %HOMEPATH%\desktop\bmoqslfq.log
- %HOMEPATH%\desktop\hpqkyxfa.log
- %TEMP%\9vtniimvhn
- %TEMP%\yfqh2azose
- %TEMP%\0assrkcwlw
- %TEMP%\jdfngrybtn
- %TEMP%\xpr8brkvqc
- %TEMP%\ewzsjlifdo
- %TEMP%\cy5pglstq9
- %TEMP%\jhgjsxoxe5
- %TEMP%\j27fhk0v7h
- %TEMP%\sgugaf0umh
- %TEMP%\2yodeyhpnn
- %TEMP%\pczpkjazh6
- %TEMP%\uxwjrdxkim
- %TEMP%\64ugdvn4as
- %TEMP%\clstcprf50
- %TEMP%\xfbfvlbhga
- %TEMP%\mzgfzz4ion
- %HOMEPATH%\desktop\qsbcxklb.log
- %TEMP%\qcvrosh5se
- %HOMEPATH%\desktop\snxxajly.log
- %HOMEPATH%\desktop\muuyydgj.log
- C:\users\default user\iexplore.exe
- C:\users\default user\9db6e019d4f04e
- %ProgramFiles%\windows sidebar\shared gadgets\iexplore.exe
- %ProgramFiles%\windows sidebar\shared gadgets\9db6e019d4f04e
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\rundll32.exe
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\3d4d5fa006b533
- %WINDIR%\branding\spoolsv.exe
- %WINDIR%\branding\f3b6ecef712a24
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\iexplore.exe
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\9db6e019d4f04e
- %TEMP%\src0qoda.0.cs
- %TEMP%\src0qoda.cmdline
- %TEMP%\src0qoda.out
- %TEMP%\ohnlbt6tqs
- %TEMP%\2r8ood8qzz.bat
- nul
- %HOMEPATH%\desktop\ggdfvdck.log
- %HOMEPATH%\desktop\twzvtixn.log
- %HOMEPATH%\desktop\jngfjgsg.log
- %HOMEPATH%\desktop\tlaapccr.log
- %HOMEPATH%\desktop\qluemvmu.log
- %HOMEPATH%\desktop\jnwpckmo.log
- %HOMEPATH%\desktop\oqyjiwmy.log
- %HOMEPATH%\desktop\gcrzvxbv.log
- %HOMEPATH%\desktop\mfttbjbf.log
- %HOMEPATH%\desktop\tdhseywu.log
- %TEMP%\shtijzqees
- %TEMP%\src0qoda.0.cs
- %TEMP%\src0qoda.out
- %TEMP%\src0qoda.cmdline
- %TEMP%\ohnlbt6tqs
- %TEMP%\9vtniimvhn
- %TEMP%\clstcprf50
- %TEMP%\xfbfvlbhga
- from %ProgramFiles%\microsoft office\office14\bcssync.exe to %ProgramFiles%\microsoft office\office14\bcssync.exe.exe
- '25#####m.nyashnyash.top':80
- http://25#####m.nyashnyash.top/_pollHttpprocessorDbtrafficdatalifewp.php
- DNS ASK 25#####m.nyashnyash.top
- 'localhost':123
- '%ProgramFiles%\windows sidebar\shared gadgets\iexplore.exe'
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\2r8Ood8qzz.bat"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\src0qoda.cmdline"' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe'" /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\2r8Ood8qzz.bat"
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>j" /sc MINUTE /mo 6 /tr "'<Full path to file>'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc ONLOGON /tr "'<Full path to file>'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>j" /sc MINUTE /mo 6 /tr "'<Full path to file>'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\Users\Default User\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 10 /tr "'%ProgramFiles%\Windows Sidebar\Shared Gadgets\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles%\Windows Sidebar\Shared Gadgets\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 13 /tr "'%ProgramFiles%\Windows Sidebar\Shared Gadgets\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "rundll32r" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\rundll32.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "rundll32" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\rundll32.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "rundll32r" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\rundll32.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'%WINDIR%\Branding\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'%WINDIR%\Branding\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'%WINDIR%\Branding\spoolsv.exe'" /f
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\src0qoda.cmdline"
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2