Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,'
- [<HKLM>\SYSTEM\ControlSet001\Services\MainLSyncHost] 'ImagePath' = '%ALLUSERSPROFILE%\application data\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService'
- [<HKLM>\SYSTEM\ControlSet001\Services\MainLSyncHost] 'Start' = '00000002'
- '%ALLUSERSPROFILE%\Application Data\MPK\lsynchost.exe' /install /silent
- '%ALLUSERSPROFILE%\Application Data\MPK\MPKInst.exe' /i /dr /cp
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram program="%ALLUSERSPROFILE%\Application Data\MPK\Mpk.exe" name="TCP\IP"
- '%ALLUSERSPROFILE%\Application Data\MPK\lsynchost.exe' /startedbyscm:E4233B4F-40E3FE91-MPKService
- '%ALLUSERSPROFILE%\Application Data\MPK\lsynchost.exe' /runsrv \MID:D
- '%ALLUSERSPROFILE%\Application Data\MPK\MPK.exe'
- '%ALLUSERSPROFILE%\Application Data\MPK\lsynchost.exe' /runsrv
- '<SYSTEM32>\msiexec.exe' /i "%TEMP%\RarSFX1\MpkNetInstall_8.6.7.2650.msi"
- '%TEMP%\RarSFX0\srvtemp.exe' -p123 -d%HOMEPATH%\Local Settings\Temp
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RarSFX0\inst.bat" "
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram program="%ALLUSERSPROFILE%\Application Data\MPK\Mpk.exe" name="TCP\IP"
- '%TEMP%\is-QCK1A.tmp\mpk_emni_rfg_2650.tmp' /SL5="$2014E,4756734,119296,%ALLUSERSPROFILE%\Application Data\MPK\mpk_emni_rfg_2650.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "%TEMP%\RarSFX1\" /LOG="%ALLUSERSPROFILE%\Application Da...
- '%ALLUSERSPROFILE%\Application Data\MPK\mpk_emni_rfg_2650.exe' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "%TEMP%\RarSFX1\" /LOG="%ALLUSERSPROFILE%\Application Data\MPK\mpk_em_log.txt"
- %ALLUSERSPROFILE%\Application Data\MPK\is-16CFH.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-A5QPI.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-FVF9C.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-4K93D.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-UPN26.tmp
- <SYSTEM32>\is-5CLOQ.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-JHQ3A.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-8GKKC.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-H6O42.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-8TVHO.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-RGSFM.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\mpk_emni_rfg_2650.exe
- %WINDIR%\Installer\29cd5.msi
- %TEMP%\Cab17.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\is-BKATU.tmp\_isetup\_isdecmp.dll
- %ALLUSERSPROFILE%\Application Data\MPK\is-01C56.tmp
- %TEMP%\is-BKATU.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-QCK1A.tmp\mpk_emni_rfg_2650.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\mpk_em_log.txt
- %ALLUSERSPROFILE%\Application Data\MPK\1\S0000
- %ALLUSERSPROFILE%\Application Data\MPK\1\D0000-journal
- %ALLUSERSPROFILE%\Application Data\MPK\key.bin
- %ALLUSERSPROFILE%\Application Data\MPK\M0000
- %ALLUSERSPROFILE%\Application Data\MPK\etilqs_eAUkkxiNwmk2Omn
- %ALLUSERSPROFILE%\Application Data\MPK\etilqs_w56acDBnKyo8NHq
- %ALLUSERSPROFILE%\Application Data\MPK\etilqs_942weyl6sYq5HTX
- %ALLUSERSPROFILE%\Application Data\MPK\etilqs_E4EtKTR144lqvUK
- %ALLUSERSPROFILE%\Application Data\MPK\1\D0000
- %ALLUSERSPROFILE%\Application Data\MPK\etilqs_oXEMJteBy8PChX6
- %ALLUSERSPROFILE%\Application Data\MPK\M0000-journal
- %ALLUSERSPROFILE%\Application Data\MPK\is-PU43N.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-IUUU3.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-AAT1T.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-64GT2.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-OCGO0.tmp
- %TEMP%\~DF3501.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\S0000
- %ALLUSERSPROFILE%\Application Data\MPK\unins000.dat
- %ALLUSERSPROFILE%\Application Data\MPK\is-402O4.tmp
- %ALLUSERSPROFILE%\Application Data\MPK\is-KKI9I.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\CabB.tmp
- %TEMP%\CabD.tmp
- %TEMP%\Cab9.tmp
- %WINDIR%\Installer\29cd2.msi
- %TEMP%\Cab7.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- %TEMP%\Cab5.tmp
- %TEMP%\27499.msi
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- %TEMP%\RarSFX1\MpkNetInstall_8.6.7.2650.msi
- %TEMP%\RarSFX0\inst.bat
- %TEMP%\RarSFX0\srvtemp.exe
- %TEMP%\Cab1.tmp
- %TEMP%\Cab3.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- %TEMP%\~DFA25A.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- C:\Config.Msi\29cd4.rbs
- %WINDIR%\Installer\MSIF.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- %WINDIR%\Installer\29cd3.ipi
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- %WINDIR%\Installer\MSIF.tmp
- C:\Config.Msi\29cd4.rbs
- %TEMP%\is-QCK1A.tmp\mpk_emni_rfg_2650.tmp
- %TEMP%\is-BKATU.tmp\_isetup\_isdecmp.dll
- %TEMP%\is-BKATU.tmp\_isetup\_shfoldr.dll
- %WINDIR%\Installer\29cd2.msi
- %ALLUSERSPROFILE%\Application Data\MPK\1\D0000-journal
- %TEMP%\RarSFX1\MpkNetInstall_8.6.7.2650.msi
- %ALLUSERSPROFILE%\Application Data\MPK\M0000-journal
- %WINDIR%\Installer\29cd3.ipi
- %TEMP%\27499.msi
- %TEMP%\Cab7.tmp
- %TEMP%\Cab9.tmp
- %TEMP%\Cab5.tmp
- %TEMP%\Cab1.tmp
- %TEMP%\Cab3.tmp
- %TEMP%\CabB.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab17.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\CabD.tmp
- %TEMP%\Cab11.tmp
- from %ALLUSERSPROFILE%\Application Data\MPK\is-64GT2.tmp to %ALLUSERSPROFILE%\Application Data\MPK\ogg.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-OCGO0.tmp to %ALLUSERSPROFILE%\Application Data\MPK\Vorbis.dll
- from <SYSTEM32>\is-5CLOQ.tmp to <SYSTEM32>\inspect.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-JHQ3A.tmp to %ALLUSERSPROFILE%\Application Data\MPK\MpkHCA.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-AAT1T.tmp to %ALLUSERSPROFILE%\Application Data\MPK\vorbisfile.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-402O4.tmp to %ALLUSERSPROFILE%\Application Data\MPK\lsynchost.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-KKI9I.tmp to %ALLUSERSPROFILE%\Application Data\MPK\MPKInst.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-PU43N.tmp to %ALLUSERSPROFILE%\Application Data\MPK\vorbisenc.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-IUUU3.tmp to %ALLUSERSPROFILE%\Application Data\MPK\trial_net.ini
- from %ALLUSERSPROFILE%\Application Data\MPK\is-8GKKC.tmp to %ALLUSERSPROFILE%\Application Data\MPK\libeay32.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-4K93D.tmp to %ALLUSERSPROFILE%\Application Data\MPK\Mpk.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-UPN26.tmp to %ALLUSERSPROFILE%\Application Data\MPK\Mpk64.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-01C56.tmp to %ALLUSERSPROFILE%\Application Data\MPK\unins000.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-RGSFM.tmp to %ALLUSERSPROFILE%\Application Data\MPK\MPK.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-FVF9C.tmp to %ALLUSERSPROFILE%\Application Data\MPK\MpkL64.exe
- from %ALLUSERSPROFILE%\Application Data\MPK\is-H6O42.tmp to %ALLUSERSPROFILE%\Application Data\MPK\zlib1.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-8TVHO.tmp to %ALLUSERSPROFILE%\Application Data\MPK\ssleay32.dll
- from %ALLUSERSPROFILE%\Application Data\MPK\is-16CFH.tmp to %ALLUSERSPROFILE%\Application Data\MPK\cinfo.bin
- from %ALLUSERSPROFILE%\Application Data\MPK\is-A5QPI.tmp to %ALLUSERSPROFILE%\Application Data\MPK\sqlite3.dll
- 'sv.##mcb.com':80
- 'www.download.windowsupdate.com':80
- 'wp#d':80
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://sv.##mcb.com/sv.crt
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- DNS ASK sv.##mcb.com
- DNS ASK www.download.windowsupdate.com
- DNS ASK wp#d
- ClassName: 'TMpk_DebugForm_01' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''