Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\prvdisk] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\sgcloudupsrv] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\PolicyAgent] 'Start' = '00000002'
- '%TEMP%\nsjA.tmp\nsD.tmp' sc start sgcloudupsrv
- '%CommonProgramFiles%\naviagou\sougoucloud.exe'
- '%TEMP%\nsjA.tmp\nsB.tmp' sc create sgcloudupsrv binpath= "%CommonProgramFiles%\naviagou\sougoucloud.exe" type= share start= auto displayname= "Navia Web Cache Services"
- '%TEMP%\nsjA.tmp\nsC.tmp' sc description sgcloudupsrv "К№УГNavia CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '%PROGRAM_FILES%\idtxyxlo\un0804235600136.exe'
- '%TEMP%\~nsu.tmp\Au_.exe' _?=%PROGRAM_FILES%\idtxyxlo\
- '%TEMP%\nsjA.tmp\nsE.tmp' sc create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- '%TEMP%\nsk2.tmp\nsF.tmp' cmd /c "<Current directory>\regdllt.bat"
- '%TEMP%\nsk2.tmp\ns5.tmp' cmd /c "<Current directory>\regdllc.bat"
- '%TEMP%\nsk2.tmp\ns6.tmp' sc start PolicyAgent
- '%TEMP%\nsk2.tmp\ns3.tmp' cmd /c ipconfig /all >"<Current directory>\ip.txt"
- '%TEMP%\nsk2.tmp\ns4.tmp' cmd /c arp -a >"<Current directory>\ft.txt"
- '%PROGRAM_FILES%\idtxyxlo\fxnwiyh.exe' -file jgpzncbggfxrw.txt
- '%PROGRAM_FILES%\idtxyxlo\mysetup.exe'
- '%TEMP%\nsk2.tmp\ns7.tmp' sc config PolicyAgent start= auto
- '%TEMP%\nsk2.tmp\ns8.tmp' "fxnwiyh.exe" -file jgpzncbggfxrw.txt
- '<SYSTEM32>\sc.exe' start sgcloudupsrv
- '<SYSTEM32>\sc.exe' description sgcloudupsrv "К№УГNavia CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '<SYSTEM32>\sc.exe' create sgcloudupsrv binpath= "%CommonProgramFiles%\naviagou\sougoucloud.exe" type= share start= auto displayname= "Navia Web Cache Services"
- '<SYSTEM32>\cmd.exe' /c "<Current directory>\regdllt.bat"
- '<SYSTEM32>\wscript.exe' "%CommonProgramFiles%\naviagou\note.vbs"
- '<SYSTEM32>\sc.exe' create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- '<SYSTEM32>\cmd.exe' /c "<Current directory>\regdllc.bat"
- '<SYSTEM32>\arp.exe' -a
- '<SYSTEM32>\ipconfig.exe' /all
- '<SYSTEM32>\sc.exe' config PolicyAgent start= auto
- '<SYSTEM32>\sc.exe' start PolicyAgent
- '<SYSTEM32>\arp.exe' -s 10.0.0.1 00-00-00-00-00-01 10.0.0.2
- %CommonProgramFiles%\naviagou\suject.db
- %CommonProgramFiles%\naviagou\sougoucloud.exe
- %CommonProgramFiles%\naviagou\vison.txt
- %CommonProgramFiles%\naviagou\config-n.xml
- %CommonProgramFiles%\naviagou\config-s.xml
- %CommonProgramFiles%\naviagou\prvdisk.sys
- %PROGRAM_FILES%\Common\ppscode.dat
- %PROGRAM_FILES%\idtxyxlo\mysetup.exe
- %TEMP%\nsk2.tmp\ns8.tmp
- %CommonProgramFiles%\naviagou\note.txt
- %CommonProgramFiles%\naviagou\ypac.txt
- %CommonProgramFiles%\naviagou\sqlite3.dll
- %TEMP%\nsjA.tmp\nsE.tmp
- <SYSTEM32>\PrvMon\prvdisk.sys
- %CommonProgramFiles%\naviagou\newsousuo.pac
- %TEMP%\~nsu.tmp\Au_.exe
- %TEMP%\nsk2.tmp\nsF.tmp
- %CommonProgramFiles%\naviagou\note.vbs
- %TEMP%\nsjA.tmp\nsExec.dll
- %TEMP%\nsjA.tmp\System.dll
- %TEMP%\nsjA.tmp\AccessControl.dll
- %TEMP%\nsjA.tmp\nsD.tmp
- %TEMP%\nsjA.tmp\nsC.tmp
- %TEMP%\nsjA.tmp\nsB.tmp
- %TEMP%\nsk2.tmp\InetLoad.dll
- %TEMP%\nsk2.tmp\nsRandom.dll
- %PROGRAM_FILES%\idtxyxlo\un0804235600136.exe
- <Current directory>\op.ini
- %TEMP%\nsk2.tmp\nsplugin.dll
- %TEMP%\nsk2.tmp\Internet.dll
- %PROGRAM_FILES%\idtxyxlo\reginfo.xml
- %PROGRAM_FILES%\idtxyxlo\s0001.xml
- %PROGRAM_FILES%\idtxyxlo\menu.xml
- %PROGRAM_FILES%\idtxyxlo\temp0804235600136.ini
- %TEMP%\nsk2.tmp\System.dll
- %PROGRAM_FILES%\idtxyxlo\ser000.xml
- <Current directory>\regdllc.bat
- <Current directory>\ft.txt
- %TEMP%\nsk2.tmp\ns4.tmp
- %TEMP%\nsk2.tmp\ns7.tmp
- %TEMP%\nsk2.tmp\ns6.tmp
- %TEMP%\nsk2.tmp\ns5.tmp
- %PROGRAM_FILES%\idtxyxlo\jgpzncbggfxrw.txt
- <Current directory>\tx.ini
- %PROGRAM_FILES%\idtxyxlo\fxnwiyh.exe
- <Current directory>\ip.txt
- %TEMP%\nsk2.tmp\ns3.tmp
- %TEMP%\nsk2.tmp\nsExec.dll
- <Current directory>\regdllc.bat
- <Current directory>\ft.txt
- %TEMP%\nsk2.tmp\InetLoad.dll
- %TEMP%\nsk2.tmp\nsF.tmp
- <Current directory>\ip.txt
- %PROGRAM_FILES%\idtxyxlo\menu.xml
- %PROGRAM_FILES%\idtxyxlo\s0001.xml
- %PROGRAM_FILES%\idtxyxlo\fxnwiyh.exe
- %PROGRAM_FILES%\idtxyxlo\reginfo.xml
- %PROGRAM_FILES%\idtxyxlo\temp0804235600136.ini
- %PROGRAM_FILES%\idtxyxlo\un0804235600136.exe
- %CommonProgramFiles%\naviagou\note.vbs
- %PROGRAM_FILES%\idtxyxlo\jgpzncbggfxrw.txt
- %TEMP%\nsk2.tmp\System.dll
- %TEMP%\nsk2.tmp\nsExec.dll
- %TEMP%\nsk2.tmp\Internet.dll
- %TEMP%\nsk2.tmp\nsRandom.dll
- %TEMP%\nsk2.tmp\nsplugin.dll
- %TEMP%\nsk2.tmp\ns7.tmp
- %TEMP%\nsk2.tmp\ns6.tmp
- %TEMP%\nsjA.tmp\nsB.tmp
- %TEMP%\nsk2.tmp\ns8.tmp
- %TEMP%\nsk2.tmp\ns5.tmp
- <Current directory>\tx.ini
- <Current directory>\op.ini
- %TEMP%\nsk2.tmp\ns4.tmp
- %TEMP%\nsk2.tmp\ns3.tmp
- %TEMP%\nsjA.tmp\System.dll
- %TEMP%\nsjA.tmp\nsExec.dll
- %PROGRAM_FILES%\idtxyxlo\ser000.xml
- %PROGRAM_FILES%\idtxyxlo\mysetup.exe
- %TEMP%\nsjA.tmp\AccessControl.dll
- %TEMP%\nsjA.tmp\nsD.tmp
- %TEMP%\nsjA.tmp\nsC.tmp
- %CommonProgramFiles%\naviagou\prvdisk.sys
- %TEMP%\nsjA.tmp\nsE.tmp
- 'localhost':1039
- 'g.###ips.com':82
- 'm.###nong.com':888
- 'www.39##.com':80
- www.39##.com/svr.asp?c=########################################
- DNS ASK g.###ips.com
- DNS ASK www.39##.com
- DNS ASK m.###nong.com
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'