Technical Information (observed sandbox behaviour: service registry entries, executed commands, file-system artifacts, window lookup)
- [<HKLM>\SYSTEM\ControlSet001\Services\Telserver] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\SDserver] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\ipfw] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Winvnc] 'Start' = '00000002'
- '<SYSTEM32>\vnm\winvnc.exe' -service
- '%TEMP%\nsf3.tmp\ns13.tmp' net start winvnc
- '<SYSTEM32>\vnm\vnm.exe' install
- '%TEMP%\nsf3.tmp\ns14.tmp' "<SYSTEM32>\vnm\vnm.exe" install
- '<SYSTEM32>\ipfw.exe'
- '%TEMP%\nsf3.tmp\ns11.tmp' net start ipfw
- '%TEMP%\nsf3.tmp\ns12.tmp' sc create Winvnc binPath= "<SYSTEM32>\vnm\winvnc.exe -service" start= auto"
- '<SYSTEM32>\ipfw.exe' sysctl dyn_ack_lifetime=1200 debug=0 verbose=1
- '%TEMP%\nsf3.tmp\ns18.tmp' sc create SDserver binPath= "<SYSTEM32>\vnm\sdservice.exe -service" start= auto"
- '<SYSTEM32>\vnm\smserver.exe' -service
- '<SYSTEM32>\vnm\sdservice.exe' -service
- '%TEMP%\nsf3.tmp\ns19.tmp' net start SDserver
- '<SYSTEM32>\vnm\winvnc.exe' -service_run
- '%TEMP%\nsf3.tmp\ns15.tmp' net start timeserver
- '%TEMP%\nsf3.tmp\ns17.tmp' net start Telserver
- '%TEMP%\nsf3.tmp\ns16.tmp' sc create Telserver binPath= "<SYSTEM32>\vnm\smserver.exe -service" start= auto"
- '%TEMP%\nsf3.tmp\ns9.tmp' net stop ipfw
- '%TEMP%\nsf3.tmp\ns8.tmp' sc stop uvnc_service
- '%TEMP%\nsf3.tmp\nsB.tmp' sc delete Telserver
- '%TEMP%\nsf3.tmp\nsA.tmp' net stop /y ip_fw
- '%TEMP%\nsf3.tmp\ns5.tmp' net stop winvnc
- '%TEMP%\nsf3.tmp\ns4.tmp' net stop timeserver
- '%TEMP%\nsf3.tmp\ns7.tmp' net stop Telserver
- '%TEMP%\nsf3.tmp\ns6.tmp' net stop winvnc4
- '<SYSTEM32>\ipfw.exe' install "ipfw sysctl dyn_ack_lifetime=1200 debug=0 verbose=1 > NUL"
- '%TEMP%\nsf3.tmp\nsF.tmp' ipfw install "ipfw sysctl dyn_ack_lifetime=1200 debug=0 verbose=1 > NUL"
- '<SYSTEM32>\ipfw.exe' -f flush
- '%TEMP%\nsf3.tmp\ns10.tmp' ipfw -f flush
- '%TEMP%\nsf3.tmp\nsD.tmp' ipfw install_drv <DRIVERS>\ip_fw.sys
- '%TEMP%\nsf3.tmp\nsC.tmp' cacls '<SYSTEM32>\vnm' /t /e /c /g everyone:f
- '%TEMP%\nsf3.tmp\nsE.tmp' net start ip_fw
- '<SYSTEM32>\ipfw.exe' install_drv <DRIVERS>\ip_fw.sys
- '<SYSTEM32>\net1.exe' start ip_fw
- '<SYSTEM32>\net1.exe' start ipfw
- '<SYSTEM32>\sc.exe' create Winvnc binPath= "<SYSTEM32>\vnm\winvnc.exe -service" start= auto"
- '<SYSTEM32>\net1.exe' stop /y ip_fw
- '<SYSTEM32>\sc.exe' delete Telserver
- '<SYSTEM32>\cacls.exe' '<SYSTEM32>\vnm' /t /e /c /g everyone:f
- '<SYSTEM32>\net1.exe' start Telserver
- '<SYSTEM32>\sc.exe' create SDserver binPath= "<SYSTEM32>\vnm\sdservice.exe -service" start= auto"
- '<SYSTEM32>\net1.exe' start SDserver
- '<SYSTEM32>\net1.exe' start winvnc
- '<SYSTEM32>\net1.exe' start timeserver
- '<SYSTEM32>\sc.exe' create Telserver binPath= "<SYSTEM32>\vnm\smserver.exe -service" start= auto"
- '<SYSTEM32>\net1.exe' stop winvnc
- '<SYSTEM32>\net.exe' stop winvnc4
- '<SYSTEM32>\net1.exe' stop winvnc4
- '<SYSTEM32>\net.exe' stop timeserver
- '<SYSTEM32>\net1.exe' stop timeserver
- '<SYSTEM32>\net.exe' stop winvnc
- '<SYSTEM32>\net.exe' stop ipfw
- '<SYSTEM32>\net1.exe' stop ipfw
- '<SYSTEM32>\net.exe' stop /y ip_fw
- '<SYSTEM32>\net.exe' stop Telserver
- '<SYSTEM32>\net1.exe' stop Telserver
- '<SYSTEM32>\sc.exe' stop uvnc_service
- %TEMP%\nsf3.tmp\nsE.tmp
- %TEMP%\nsf3.tmp\nsD.tmp
- <SYSTEM32>\vnm\sysaudit.dll
- %TEMP%\nsf3.tmp\ns11.tmp
- %TEMP%\nsf3.tmp\ns10.tmp
- %TEMP%\nsf3.tmp\nsF.tmp
- <SYSTEM32>\vnm\winfw_empty
- <SYSTEM32>\vnm\SCHook.dll
- <SYSTEM32>\vnm\cad.exe
- <SYSTEM32>\vnm\vnchooks.dll
- <SYSTEM32>\vnm\sdservice.exe
- <SYSTEM32>\vnm\smserver.exe
- <SYSTEM32>\vnm\ultravnc.ini
- %TEMP%\nsf3.tmp\ns12.tmp
- %TEMP%\nsf3.tmp\ns17.tmp
- %TEMP%\nsf3.tmp\ns16.tmp
- %TEMP%\nsf3.tmp\ns15.tmp
- <SYSTEM32>\vnm\sdservice.log
- %TEMP%\nsf3.tmp\ns19.tmp
- %TEMP%\nsf3.tmp\ns18.tmp
- <SYSTEM32>\vnm.log
- <SYSTEM32>\vnm\vnm-journal
- %TEMP%\nsf3.tmp\ns14.tmp
- %TEMP%\nsf3.tmp\ns13.tmp
- %TEMP%\etilqs_ps4Hul9FGf6Ui4iatRPC
- %TEMP%\etilqs_MTCW9j26V0z5u6WTxxWL
- %TEMP%\etilqs_F8cJjXKY4uQTp4Z2dL1F
- %TEMP%\nsf3.tmp\nsA.tmp
- %TEMP%\nsf3.tmp\ns9.tmp
- %TEMP%\nsf3.tmp\ns8.tmp
- %TEMP%\nsf3.tmp\nsB.tmp
- %TEMP%\nsf3.tmp\Processes.dll
- %TEMP%\nsf3.tmp\KillProcDLL.dll
- %TEMP%\nsf3.tmp\ns7.tmp
- %TEMP%\nsf3.tmp\nsExec.dll
- %TEMP%\nsf3.tmp\System.dll
- %TEMP%\nsp2.tmp
- %TEMP%\nsf3.tmp\ns6.tmp
- %TEMP%\nsf3.tmp\ns5.tmp
- %TEMP%\nsf3.tmp\ns4.tmp
- %TEMP%\nsf3.tmp\nsC.tmp
- <SYSTEM32>\vnm\log4cplus.dll
- <SYSTEM32>\vnm\vnm
- <SYSTEM32>\vnm\vnm.exe
- <SYSTEM32>\vnm\winvnc.exe
- <SYSTEM32>\vnm\update.exe
- <SYSTEM32>\vnm\vnmlog.config
- <SYSTEM32>\sqlite3.dll
- <DRIVERS>\ip_fw.sys
- <SYSTEM32>\wipfw.conf
- <SYSTEM32>\ipfw.exe
- <SYSTEM32>\vnmx.exe
- %WINDIR%\devcon.exe
- <DRIVERS>\usbsafeflt.sys
- %TEMP%\nsf3.tmp\ns13.tmp
- <SYSTEM32>\vnm\vnm-journal
- %TEMP%\nsf3.tmp\ns12.tmp
- %TEMP%\nsf3.tmp\ns10.tmp
- %TEMP%\nsf3.tmp\ns11.tmp
- %TEMP%\nsf3.tmp\ns14.tmp
- %TEMP%\nsf3.tmp\ns18.tmp
- %TEMP%\nsf3.tmp\ns19.tmp
- %TEMP%\nsf3.tmp\ns17.tmp
- %TEMP%\nsf3.tmp\ns15.tmp
- %TEMP%\nsf3.tmp\ns16.tmp
- %TEMP%\nsf3.tmp\nsF.tmp
- %TEMP%\nsf3.tmp\ns7.tmp
- %TEMP%\nsf3.tmp\ns8.tmp
- %TEMP%\nsf3.tmp\ns6.tmp
- %TEMP%\nsf3.tmp\ns4.tmp
- %TEMP%\nsf3.tmp\ns5.tmp
- %TEMP%\nsf3.tmp\ns9.tmp
- %TEMP%\nsf3.tmp\nsD.tmp
- %TEMP%\nsf3.tmp\nsE.tmp
- %TEMP%\nsf3.tmp\nsC.tmp
- %TEMP%\nsf3.tmp\nsA.tmp
- %TEMP%\nsf3.tmp\nsB.tmp
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'