Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\CATFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenCAT %1'
- [<HKLM>\SOFTWARE\Classes\CERFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenCER %1'
- [<HKLM>\SOFTWARE\Classes\STLFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenCTL %1'
- [<HKLM>\SOFTWARE\Classes\P7RFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenP7R %1'
- [<HKLM>\SOFTWARE\Classes\CRLFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenCRL %1'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Filter\gzip] 'CLSID' = '{8f6b0360-b80d-11d0-a9b3-006097942311}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Filter\deflate] 'CLSID' = '{8f6b0360-b80d-11d0-a9b3-006097942311}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Filter\Class Install Handler] 'CLSID' = '{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}'
- [<HKLM>\SOFTWARE\Classes\scriptletfile\Shell\Open\command] '' = '"%WINDIR%\NOTEPAD.EXE" "%1"'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\cdl] 'CLSID' = '{3dd53d40-7b8b-11D0-b013-00aa0059ce02}'
- [<HKLM>\SOFTWARE\Classes\SPCFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\its] 'CLSID' = '{9D148291-B9C8-11D0-A4CC-0000F80149F6}'
- [<HKLM>\SOFTWARE\Classes\chm.file\shell\open\command] '' = '"%WINDIR%\hh.exe" %1'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its] 'CLSID' = '{9D148291-B9C8-11D0-A4CC-0000F80149F6}'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'mainpage' = 'http://10.209.3.222'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\mhtml] 'CLSID' = '{05300401-BCBC-11d0-85E3-00C04FD85AB4}'
- [<HKLM>\SOFTWARE\Classes\CertificateStoreFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenSTR %1'
- [<HKLM>\SOFTWARE\Classes\P7SFile\shell\open\command] '' = 'rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1'
- [<HKLM>\SOFTWARE\Classes\ChannelFile\Shell\Open\Command] '' = 'explorer /root,{f39a0dc0-9cc8-11d0-a599-00c04fd64433},%L'
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 'WebCheck' = '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'
- [<HKLM>\SOFTWARE\Classes\ratfile\Shell\Open\Command] '' = 'rundll32.exe msrating.dll,ClickedOnRAT %1'
- [<HKLM>\SOFTWARE\Classes\prffile\Shell\Open\Command] '' = 'rundll32.exe msrating.dll,ClickedOnPRF %1'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\javascript] 'CLSID' = '{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\about] 'CLSID' = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\vbscript] 'CLSID' = '{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}'
- [<HKLM>\SOFTWARE\Classes\InternetShortcut\shell\open\command] '' = 'rundll32.exe shdocvw.dll,OpenURL %l'
- [<HKLM>\SOFTWARE\Classes\InternetShortcut\shell\open\command] '' = 'rundll32.exe url.dll,OpenURL %l'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] '{AEB6717E-7E19-11d0-97EE-00C04FD91972}' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{8C7461EF-2B13-11d2-BE35-3078302C2030}' = 'Component Categories cache daemon'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{438755C2-A8BA-11D1-B96B-00A0C90312E1}' = 'Browseui preloader'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\res] 'CLSID' = '{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\mk] 'CLSID' = '{79eac9e6-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\https] 'CLSID' = '{79eac9e5-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\file] 'CLSID' = '{79eac9e7-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Filter\lzdhtml] 'CLSID' = '{8f6b0360-b80d-11d0-a9b3-006097942311}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\local] 'CLSID' = '{79eac9e7-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\sysimage] 'CLSID' = '{76E67A63-06E9-11D2-A840-006008059382}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\mailto] 'CLSID' = '{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\http] 'CLSID' = '{79eac9e2-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\gopher] 'CLSID' = '{79eac9e4-baf9-11ce-8c82-00aa004ba90b}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\ftp] 'CLSID' = '{79eac9e3-baf9-11ce-8c82-00aa004ba90b}'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\WMService] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '<DRIVERS>\sc.exe' config wuauserv depend= WMService
- '<DRIVERS>\sc.exe' description WMService "╬кWindows ╠с╣й╗∙▓у╕№╨┬░▓╚л▓╣╢б╡─╖■╬ёбг"
- '<DRIVERS>\pyjjsvr.exe' /service
- '<DRIVERS>\sc.exe' start WMService
- '<DRIVERS>\sc.exe' create WMService BinPath= "<DRIVERS>\pyjjsvr.exe /service" type= own type= interact start= auto DisplayName= "Windows Media Player of Control Driver Update"
- '<DRIVERS>\sc.exe' delete r_server
- '<DRIVERS>\sc.exe' stop r_server
- '<DRIVERS>\sc.exe' delete MPService
- '<DRIVERS>\sc.exe' stop MPService
Executes the following:
- '<SYSTEM32>\regsvr32.exe' /s directdb.dll
- '<SYSTEM32>\regsvr32.exe' /s inetcomm.dll
- '<SYSTEM32>\regsvr32.exe' /s oemiglib.dll
- '<SYSTEM32>\regsvr32.exe' /s wabimp.dll
- '<SYSTEM32>\regsvr32.exe' /s wabfind.dll
- '<SYSTEM32>\regsvr32.exe' /s dxmasf.dll
- '<SYSTEM32>\regsvr32.exe' /s laprxy.dll
- '<SYSTEM32>\regsvr32.exe' /s msdxm.ocx
- '<SYSTEM32>\regsvr32.exe' /s msoe.dll
- '<SYSTEM32>\regsvr32.exe' /s oeimport.dll
- '<SYSTEM32>\regsvr32.exe' /s MSR2C.DLL
- '<SYSTEM32>\regsvr32.exe' /s msident.dll
- '<SYSTEM32>\regsvr32.exe' /s tdc.ocx
- '<SYSTEM32>\regsvr32.exe' /s inetcfg.dll
- '<SYSTEM32>\regsvr32.exe' /s trialoc.dll
- '<SYSTEM32>\regsvr32.exe' /s msoeacct.dll
- '<SYSTEM32>\regsvr32.exe' /s wab32.dll
- '<SYSTEM32>\regsvr32.exe' /s ils.dll
- '<SYSTEM32>\regsvr32.exe' /s msieftp.dll
- '<SYSTEM32>\regsvr32.exe' /s xmsconf.ocx
- '<SYSTEM32>\regsvr32.exe' /s msnsspc.dll /SspcCreateSspiReg
- '<SYSTEM32>\regsvr32.exe' /s msapsspc.dll /SspcCreateSspiReg
- '<SYSTEM32>\regsvr32.exe' /s scrrun.dll mstinit.exe /setup
- '<SYSTEM32>\regsvr32.exe' /s wshext.dll
- '<SYSTEM32>\regsvr32.exe' /s vbscript.dll
- '<SYSTEM32>\attrib.exe' +h +r <DRIVERS>\admdll.dll
- '<SYSTEM32>\attrib.exe' +h +r <DRIVERS>\raddrv.dll
- '<SYSTEM32>\attrib.exe' +h +r <DRIVERS>\pyjjsvr.exe
- '%WINDIR%\regedit.exe' /s server.reg
- '%WINDIR%\regedit.exe' /s <DRIVERS>\DisFirewall.reg
- '<SYSTEM32>\regsvr32.exe' /s danim.dll
- '<SYSTEM32>\regsvr32.exe' /s Daxctle.ocx
- '<SYSTEM32>\regsvr32.exe' /s mpg4ds32.ax
- '<SYSTEM32>\regsvr32.exe' /s l3codecx.ax
- '<SYSTEM32>\regsvr32.exe' /s acelpdec.ax
- '<SYSTEM32>\regsvr32.exe' /s dxtmsft.dll
- '<SYSTEM32>\regsvr32.exe' /s wshom.ocx
- '<SYSTEM32>\regsvr32.exe' /s dxtrans.dll
- '<SYSTEM32>\regsvr32.exe' /s lmrt.dll
- '<SYSTEM32>\regsvr32.exe' /s datime.dll
- '<SYSTEM32>\regsvr32.exe' /s mshtml.dll
- '<SYSTEM32>\regsvr32.exe' /s mshtmled.dll
- '<SYSTEM32>\regsvr32.exe' /s hlink.dll
- '<SYSTEM32>\regsvr32.exe' /s msrating.dll
- '<SYSTEM32>\regsvr32.exe' /s mlang.dll
- '<SYSTEM32>\regsvr32.exe' /s mshtml.dll /i
- '<SYSTEM32>\regsvr32.exe' /s scrobj.dll
- '<SYSTEM32>\regsvr32.exe' /s sendmail.dll
- '<SYSTEM32>\regsvr32.exe' /s urlmon.dll
- '<SYSTEM32>\regsvr32.exe' /s plugin.ocx
- '<SYSTEM32>\regsvr32.exe' /s comcat.dll
- '<SYSTEM32>\regsvr32.exe' /s asctrls.ocx
- '<SYSTEM32>\rundll32.exe' advpack.dll /DelNodeRunDLL32 %WINDIR%\Catroot\icatalog.mdb
- '<SYSTEM32>\cmd.exe' /c ""<DRIVERS>\fixie.bat" "
- '<SYSTEM32>\rundll32.exe' advpack.dll /DelNodeRunDLL32 <SYSTEM32>\dacui.dll
- '<SYSTEM32>\regsvr32.exe' /s browseui.dll
- '<SYSTEM32>\regsvr32.exe' /s browseui.dll /I
- '<SYSTEM32>\regsvr32.exe' /s shdocvw.dll
- '<SYSTEM32>\regsvr32.exe' /s oleaut32.dll
- '<SYSTEM32>\regsvr32.exe' /s shdocvw.dll /I
- '<SYSTEM32>\regsvr32.exe' /s cdfview.dll
- '<SYSTEM32>\regsvr32.exe' /s webcheck.dll
- '<SYSTEM32>\regsvr32.exe' /s urlmon.dll /i
- '<SYSTEM32>\regsvr32.exe' /s occache.dll
- '<SYSTEM32>\regsvr32.exe' /s iepeers.dll
- '<SYSTEM32>\regsvr32.exe' /s licmgr10.dll
- '<SYSTEM32>\regsvr32.exe' /s hhctrl.ocx
- '<SYSTEM32>\regsvr32.exe' /s pngfilt.dll
- '<SYSTEM32>\regsvr32.exe' /s mobsync.dll
- '<SYSTEM32>\grpconv.exe' -o
- '<SYSTEM32>\regsvr32.exe' /s imgutil.dll
- '<SYSTEM32>\regsvr32.exe' /s cryptext.dll
- '<SYSTEM32>\regsvr32.exe' /s msxml.dll
- '<SYSTEM32>\regsvr32.exe' /s corpol.dll
- '<SYSTEM32>\regsvr32.exe' /s jscript.dll
- '<SYSTEM32>\regsvr32.exe' /s actxprxy.dll
- '<SYSTEM32>\regsvr32.exe' /s dispex.dll
- '<SYSTEM32>\regsvr32.exe' /s cryptdlg.dll
- '<SYSTEM32>\regsvr32.exe' /s inseng.dll
- '<SYSTEM32>\regsvr32.exe' /s iesetup.dll /i
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: '(null)'
- ClassName: 'RegMonClass' WindowName: '(null)'
- ClassName: 'FileMonClass' WindowName: '(null)'
Modifies settings of Windows Internet Explorer:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'RecommendedLevel' = '00011000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'MinLevel' = '00011000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Flags' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1805' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1805' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'DisplayName' = 'Internet'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Icon' = 'inetcpl.cpl#001313'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Description' = 'This zone contains all Web sites you haven't placed in other zones'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1805' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Flags' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '10.209.3.222'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=10.209.3.222:808'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Description' = 'This zone contains Web sites that could potentially damage your computer or data.'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'DisplayName' = 'Restricted sites'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Icon' = 'inetcpl.cpl#00004481'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'RecommendedLevel' = '00012000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'MinLevel' = '00012000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Flags' = '00000047'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1805' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Flags' = '00000021'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Description' = 'This zone contains all Web sites that are on your organization's intranet.'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'DisplayName' = 'Local intranet'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'DisplayName' = 'My Computer'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Description' = 'Your computer'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'CurrentLevel' = '00000000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Icon' = 'explorer.exe#0100'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Description' = 'This zone contains Web sites that you trust not to damage your computer or data.'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'DisplayName' = 'Trusted sites'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Icon' = 'inetcpl.cpl#00004480'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'RecommendedLevel' = '00010000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'MinLevel' = '00010000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'MinLevel' = '00010000'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Icon' = 'shell32.dll#0018'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'RecommendedLevel' = '00010500'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1805' = '00000000'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %TEMP%\RGI1D.tmp
- %TEMP%\RGI1C.tmp
- %TEMP%\RGI1B.tmp
- %TEMP%\RGI1E.tmp
- %TEMP%\RGI21.tmp
- %TEMP%\RGI20.tmp
- %TEMP%\RGI1F.tmp
- %TEMP%\RGI16.tmp
- %TEMP%\RGI15.tmp
- %TEMP%\RGI14.tmp
- %TEMP%\RGI17.tmp
- %TEMP%\RGI1A.tmp
- %TEMP%\RGI19.tmp
- %TEMP%\RGI18.tmp
- %TEMP%\RGI2A.tmp
- %TEMP%\RGI29.tmp
- %TEMP%\RGI28.tmp
- %TEMP%\RGI2B.tmp
- %ALLUSERSPROFILE%\Application Data\TEMP:073341D1
- <DRIVERS>\DisFirewall.reg
- %TEMP%\RGI2C.tmp
- %TEMP%\RGI24.tmp
- %TEMP%\RGI23.tmp
- %TEMP%\RGI22.tmp
- %TEMP%\RGI25.tmp
- %TEMP%\RGI27.tmp
- %TEMP%\RGI26.tmp
- %WINDIR%\setup.ini
- %TEMP%\RGI13.tmp
- <DRIVERS>\fixie.bat
- <DRIVERS>\setacl.exe
- <DRIVERS>\servlces.exe
- %TEMP%\RGI1.tmp
- %TEMP%\RGI4.tmp
- %TEMP%\RGI3.tmp
- %TEMP%\RGI2.tmp
- <DRIVERS>\raddrv.dll
- <DRIVERS>\AdmDll.dll
- <DRIVERS>\update.bat
- <DRIVERS>\sc.exe
- <DRIVERS>\pyjjsvr.exe
- <DRIVERS>\update.vbs
- <DRIVERS>\server.reg
- %TEMP%\RGIE.tmp
- %TEMP%\RGID.tmp
- %TEMP%\RGIC.tmp
- %TEMP%\RGIF.tmp
- %TEMP%\RGI12.tmp
- %TEMP%\RGI11.tmp
- %TEMP%\RGI10.tmp
- %TEMP%\RGI7.tmp
- %TEMP%\RGI6.tmp
- %TEMP%\RGI5.tmp
- %TEMP%\RGI8.tmp
- %TEMP%\RGIB.tmp
- %TEMP%\RGIA.tmp
- %TEMP%\RGI9.tmp
Sets the 'hidden' attribute to the following files:
- <DRIVERS>\raddrv.dll
- <DRIVERS>\AdmDll.dll
- <DRIVERS>\pyjjsvr.exe
Deletes the following files:
- %TEMP%\RGI22.tmp
- %TEMP%\RGI21.tmp
- %TEMP%\RGI20.tmp
- %WINDIR%\setup.ini
- %TEMP%\RGI24.tmp
- %TEMP%\RGI23.tmp
- %TEMP%\RGI1C.tmp
- %TEMP%\RGI1B.tmp
- %TEMP%\RGI1A.tmp
- %TEMP%\RGI1F.tmp
- %TEMP%\RGI1E.tmp
- %TEMP%\RGI1D.tmp
- %TEMP%\RGI25.tmp
- <SYSTEM32>\nscompat.tlb
- <SYSTEM32>\amcompat.tlb
- %TEMP%\RGI2C.tmp
- <DRIVERS>\update.bat
- <DRIVERS>\update.vbs
- <DRIVERS>\server.reg
- %TEMP%\RGI28.tmp
- %TEMP%\RGI27.tmp
- %TEMP%\RGI26.tmp
- %TEMP%\RGI2B.tmp
- %TEMP%\RGI2A.tmp
- %TEMP%\RGI29.tmp
- %TEMP%\RGI9.tmp
- %TEMP%\RGI8.tmp
- %TEMP%\RGI7.tmp
- %TEMP%\RGIC.tmp
- %TEMP%\RGIB.tmp
- %TEMP%\RGIA.tmp
- %TEMP%\RGI3.tmp
- %TEMP%\RGI2.tmp
- %TEMP%\RGI1.tmp
- %TEMP%\RGI6.tmp
- %TEMP%\RGI5.tmp
- %TEMP%\RGI4.tmp
- %TEMP%\RGID.tmp
- %TEMP%\RGI16.tmp
- %TEMP%\RGI15.tmp
- %TEMP%\RGI14.tmp
- %TEMP%\RGI19.tmp
- %TEMP%\RGI18.tmp
- %TEMP%\RGI17.tmp
- %TEMP%\RGI10.tmp
- %TEMP%\RGIF.tmp
- %TEMP%\RGIE.tmp
- %TEMP%\RGI13.tmp
- %TEMP%\RGI12.tmp
- %TEMP%\RGI11.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'ThunderRT6FormDC' WindowName: 'Shareware Cheater v 3.0'
- ClassName: 'ThunderRT6FormDC' WindowName: '(null)'
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
