Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'iweufh' = '%TEMP%\92794675\qhv.exe %TEMP%\92794675\kdg=mns'
- '' (downloaded from the Internet)
- %WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
- %TEMP%\92794675\gxp.docx
- %TEMP%\92794675\oht.bmp
- %TEMP%\92794675\hpn.ppt
- %TEMP%\92794675\ogv.ppt
- %TEMP%\92794675\mxh.mp3
- %TEMP%\92794675\uei.ppt
- %TEMP%\92794675\iwo.docx
- %TEMP%\92794675\onv.icm
- %TEMP%\92794675\poe.xl
- %TEMP%\92794675\vxk.icm
- %TEMP%\92794675\dls.xl
- %TEMP%\92794675\fsu.txt
- %TEMP%\92794675\khr.jpg
- %TEMP%\92794675\ohh.mp3
- %TEMP%\92794675\ako.mp3
- %TEMP%\92794675\fcm.mp4
- %TEMP%\92794675\kej.dat
- %TEMP%\92794675\meo.txt
- %TEMP%\92794675\uqs.pdf
- %TEMP%\92794675\uro.jpg
- %TEMP%\92794675\vcb.ppt
- %TEMP%\92794675\OEZBJ
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\d0bfl465[1].exe
- %TEMP%\92794675\ixr.txt
- %TEMP%\92794675\ebb.pdf
- %TEMP%\92794675\bui.ppt
- %TEMP%\92794675\nuq.txt
- %TEMP%\92794675\mwh.pdf
- %TEMP%\92794675\qhv.exe
- %TEMP%\92794675\sgd.ico
- %TEMP%\92794675\ift.icm
- %TEMP%\92794675\jmi.mp3
- %TEMP%\92794675\vfh.xl
- %TEMP%\92794675\erg.txt
- %TEMP%\92794675\oxh.dat
- %TEMP%\92794675\btm.mp3
- %TEMP%\92794675\qdo.icm
- %TEMP%\92794675\gvl.ico
- %TEMP%\d0bfl465.exe
- %TEMP%\92794675\gog.docx
- %TEMP%\92794675\hsb.ppt
- %TEMP%\92794675\jkg.pdf
- %TEMP%\92794675\tfs.ico
- %TEMP%\92794675\hhf.jpg
- %TEMP%\92794675\mhm.jpg
- %TEMP%\92794675\onp.dat
- %TEMP%\92794675\ulc.pdf
- %TEMP%\92794675\jxf.icm
- %TEMP%\92794675\gai.icm
- %TEMP%\92794675\vrf.icm
- %TEMP%\92794675\qqb.bmp
- %TEMP%\92794675\kdg=mns
- %TEMP%\92794675\shc.txt
- %APPDATA%\STHHshjo\logs.dat
- %TEMP%\92794675\ako.mp3
- %TEMP%\92794675\nuq.txt
- %TEMP%\92794675\ogv.ppt
- %TEMP%\92794675\ohh.mp3
- %TEMP%\92794675\oht.bmp
- %TEMP%\92794675\onp.dat
- %TEMP%\92794675\onv.icm
- %TEMP%\92794675\oxh.dat
- %TEMP%\92794675\poe.xl
- %TEMP%\92794675\qdo.icm
- %TEMP%\92794675\hhf.jpg
- %TEMP%\92794675\qhv.exe
- %TEMP%\92794675\sgd.ico
- %TEMP%\92794675\shc.txt
- %TEMP%\92794675\tfs.ico
- %TEMP%\92794675\uei.ppt
- %TEMP%\92794675\ulc.pdf
- %TEMP%\92794675\uqs.pdf
- %TEMP%\92794675\uro.jpg
- %TEMP%\92794675\vcb.ppt
- %TEMP%\92794675\vfh.xl
- %TEMP%\92794675\mwh.pdf
- %TEMP%\92794675\mxh.mp3
- %TEMP%\92794675\mhm.jpg
- %TEMP%\92794675\meo.txt
- %TEMP%\92794675\khr.jpg
- %TEMP%\92794675\bui.ppt
- %TEMP%\92794675\dls.xl
- %TEMP%\92794675\ebb.pdf
- %TEMP%\92794675\erg.txt
- %TEMP%\92794675\fcm.mp4
- %TEMP%\92794675\fsu.txt
- %TEMP%\92794675\gai.icm
- %TEMP%\92794675\gog.docx
- %TEMP%\92794675\gvl.ico
- %TEMP%\92794675\vrf.icm
- %TEMP%\92794675\qqb.bmp
- %TEMP%\92794675\gxp.docx
- %TEMP%\92794675\hsb.ppt
- %TEMP%\92794675\ift.icm
- %TEMP%\92794675\iwo.docx
- %TEMP%\92794675\ixr.txt
- %TEMP%\92794675\jkg.pdf
- %TEMP%\92794675\jmi.mp3
- %TEMP%\92794675\jxf.icm
- %TEMP%\92794675\kdg=mns
- %TEMP%\92794675\kej.dat
- %TEMP%\92794675\btm.mp3
- %TEMP%\92794675\hpn.ppt
- %TEMP%\92794675\vxk.icm
- %TEMP%\92794675\OEZBJ
- 'up#####dovesettings.io':80
- 'ca####as.hicam.net':2404
- 'ca#######x.chickenkiller.com':2404
- 'ca#####s45.hopto.org':2404
- 'ca#####s.libfoobar.so':2404
- 'du#####ute.sendsmtp.com':2404
- 'se#####s.wifizone.org':2404
- 'wi##.con-ip.com':2404
- 'rs######r.jumpingcrab.com':2404
- http://up#####dovesettings.io/d0bfl465.exe
- DNS ASK www.google.com
- DNS ASK up#####dovesettings.io
- DNS ASK ca####as.hicam.net
- DNS ASK ca#######x.chickenkiller.com
- DNS ASK ca#####s45.hopto.org
- DNS ASK ca#####s.libfoobar.so
- DNS ASK du#####ute.sendsmtp.com
- DNS ASK se#####s.wifizone.org
- DNS ASK wi##.con-ip.com
- DNS ASK rs######r.jumpingcrab.com
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\92794675\qhv.exe' kdg=mns
- '%TEMP%\92794675\qhv.exe' %TEMP%\92794675\OEZBJ
- '%TEMP%\d0bfl465.exe'
- '<SYSTEM32>\cmd.exe' /C Start %TEMP%\d0bfl465.exe
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'