Win32.HLLW.Autohit.16767
Added to the Dr.Web virus database: 2017-12-27
Virus description added: 2017-12-27
Technical Information
Malicious functions:
Injects code into the following system processes:
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Searches for registry branches where third party applications store passwords:
[<HKCU>\Software\SimonTatham\PuTTY\Sessions]
[<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
[<HKLM>\Software\Martin Prikryl]
[<HKLM>\Software\SimonTatham\PuTTY\Sessions]
[<HKCU>\Software\NCH Software\Fling\Accounts]
[<HKCU>\Software\Far\Plugins\FTP\Hosts]
[<HKCU>\Software\Martin Prikryl]
[<HKCU>\Software\Ghisler\Total Commander]
[<HKLM>\Software\NCH Software\Fling\Accounts]
[<HKCU>\Software\VanDyke\SecureFX]
[<HKCU>\Software\Far2\Plugins\FTP\Hosts]
Modifies file system:
Creates the following files:
%APPDATA%\Microsoft\Protect\CREDHIST
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
%APPDATA%\517D9D\DE2515.lck
%TEMP%\QLORMW.exe
%TEMP%\aut1.tmp
%TEMP%\hdeoaxv
%TEMP%\aut2.tmp
Deletes the following files:
%APPDATA%\517D9D\DE2515.lck
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
%TEMP%\aut2.tmp
%TEMP%\aut1.tmp
%TEMP%\hdeoaxv
Moves the following system files:
from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe to %APPDATA%\517D9D\DE2515.exe
Substitutes the following files:
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
Network activity:
Connects to:
'18#.#65.29.132':80
'78.##0.176.208':1339
TCP:
HTTP POST requests:
http://18#.#65.29.132/fhgtxrfg/Panel/five/fre.php
Miscellaneous:
Creates and executes the following:
Executes the following:
'%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
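The behaviours listed above translate directly into hunting logic. The following is an added example written for this page, not Dr.Web's code: it parses constructed key=value event records (the format, the SAMPLE_LOG lines, and the process IDs are assumptions of this example, in the spirit of Sysmon or EDR telemetry) and fires on the page's indicators: the %APPDATA%\517D9D\DE2515.{exe,lck} staging artefacts (matched by shape, on the assumption that the six-hex-character names vary per sample), RegAsm.exe launched by a %TEMP% dropper (the page lists %TEMP%\QLORMW.exe but does not name the parent, so that link is assumed), one process reading several of the listed credential-store branches, and RegAsm.exe connecting to the /fhgtxrfg/Panel/five/fre.php path or to port 1339. The server IPs are masked on the page and are deliberately not matched.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Registry branches the page lists as third-party credential stores. The hive
# prefix is dropped so that both the HKCU and HKLM variants match.
CREDENTIAL_BRANCHES = (
    r"Software\SimonTatham\PuTTY\Sessions",
    r"Software\NCH Software\ClassicFTP\FTPAccounts",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"Software\Martin Prikryl",
    r"Software\NCH Software\Fling\Accounts",
    r"Software\Far\Plugins\FTP\Hosts",
    r"Software\Ghisler\Total Commander",
    r"Software\VanDyke\SecureFX",
    r"Software\Far2\Plugins\FTP\Hosts",
)

# Expected location of the .NET 2.0 RegAsm.exe, the page's injection target.
LEGIT_REGASM = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework\\v2\.0\.50727\\regasm\.exe$", re.I)
# Staging artefacts %APPDATA%\517D9D\DE2515.{exe,lck}. Assumption: the two
# six-hex-character names vary per sample, so the shape is matched, not the value.
STAGING = re.compile(r"\\appdata\\roaming\\[0-9a-f]{6}\\[0-9a-f]{6}\.(?:exe|lck)$", re.I)
# Exfiltration path and second C2 port from the page (server IPs are masked there).
C2_PATH = "/fhgtxrfg/Panel/five/fre.php"
C2_PORT = "1339"
TEMP_DIR = "\\appdata\\local\\temp\\"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line: str) -> Dict[str, str]:
    """Parse a key=value / key="quoted value" record into a dict (assumed format)."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}


def scan(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {rule_name: [evidence]} for every rule that fires on the records."""
    hits: Dict[str, List[str]] = defaultdict(list)
    branches_per_pid: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse(line)
        kind = ev.get("event")
        image = ev.get("image", "")
        target = ev.get("target", "")
        if kind == "file" and STAGING.search(target):
            hits["staging_dir_artifact"].append(line)
        elif kind == "process":
            if STAGING.search(image):
                hits["staging_dir_artifact"].append(line)
            # Assumption: the dropper in %TEMP% (the page lists %TEMP%\QLORMW.exe)
            # is what launches RegAsm.exe; the page itself does not name the parent.
            elif LEGIT_REGASM.match(image) and TEMP_DIR in ev.get("parent", "").lower():
                hits["regasm_spawned_from_temp"].append(line)
        elif kind == "registry":
            low = target.lower()
            for branch in CREDENTIAL_BRANCHES:
                if branch.lower() in low:
                    branches_per_pid[ev.get("pid", "?")].add(branch)
        elif kind == "network" and image.lower().endswith("\\regasm.exe"):
            # RegAsm.exe registers assemblies for COM interop; it has no reason to
            # talk to the network at all, and these two endpoints are the page's C2.
            if ev.get("path") == C2_PATH or ev.get("dport") == C2_PORT:
                hits["regasm_c2_contact"].append(line)
            else:
                hits["regasm_outbound"].append(line)
    # A client reading its own branch is normal; one process reading several
    # vendors' credential stores is the stealer pattern this page describes.
    for pid, branches in branches_per_pid.items():
        if len(branches) >= 2:
            hits["multi_vendor_credential_read"].append(f"pid={pid} branches={len(branches)}")
    return dict(hits)


# Constructed sample telemetry (not captured data): one infected session plus
# benign PuTTY and browser activity that must not fire.
SAMPLE_LOG = [
    r'event=file pid=4100 image="C:\Users\bob\AppData\Local\Temp\QLORMW.exe" target="C:\Users\bob\AppData\Roaming\517D9D\DE2515.lck"',
    r'event=process pid=4128 image="C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" parent="C:\Users\bob\AppData\Local\Temp\QLORMW.exe"',
    r'event=registry pid=4128 target="HKCU\Software\SimonTatham\PuTTY\Sessions"',
    r'event=registry pid=4128 target="HKCU\Software\Martin Prikryl"',
    r'event=registry pid=4128 target="HKCU\Software\Ghisler\Total Commander"',
    r'event=registry pid=2200 image="C:\Program Files\PuTTY\putty.exe" target="HKCU\Software\SimonTatham\PuTTY\Sessions"',
    r'event=network pid=4128 image="C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" method=POST dport=80 path="/fhgtxrfg/Panel/five/fre.php"',
    r'event=network pid=4128 image="C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" dport=1339',
    r'event=network pid=900 image="C:\Program Files\Firefox\firefox.exe" method=POST dport=443 path="/login"',
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_LOG).items():
        print(rule)
        for item in evidence:
            print("   ", item)
```

The registry rule counts distinct branches per process rather than firing on any single read, because PuTTY, WinSCP or Total Commander legitimately read their own branch; the cross-vendor sweep is what distinguishes the stealer. The network rule is the highest-fidelity signal here: any outbound connection from RegAsm.exe deserves a look, and the path or port match promotes it to a confirmed indicator.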