Technical Information
- '%TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe' "<SYSTEM32>\kavmain.exe" /a "" /d "╨┬╖№╠ьBest" /s "1" /i "%WINDIR%\DeskAlax\TianIco\kumain.ico,0" /l "%HOMEPATH%\「开始」菜单\程序\启动\kavmain.lnk"
- '%TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe' "<SYSTEM32>\kavmain.exe" /a "" /d "╨┬╖№╠ьBest" /s "1" /i "%WINDIR%\DeskAlax\TianIco\kumain.ico,0" /l "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\kavmain.lnk"
- '%TEMP%\kingsoftkonline\domain.exe' /s
- '<SYSTEM32>\kavmain.exe'
- '%TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe' "%PROGRAM_FILES%\Internet Explorer\iexplore.exe" /a "<SYSTEM32>\winsks.html" /d "╨┬╖№╠ьBest" /s "2" /i "%PROGRAM_FILES%\Internet Explorer\iexplore.exe,0" /l "%HOMEPATH%\「开始」菜单\程序\启动\winsks.lnk"
- '%TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe' "%PROGRAM_FILES%\Internet Explorer\iexplore.exe" /a "<SYSTEM32>\winsks.html" /d "╨┬╖№╠ьBest" /s "2" /i "%PROGRAM_FILES%\Internet Explorer\iexplore.exe,0" /l "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winsks.lnk"
- '%TEMP%\kingsoftkonline\domain.exe' (downloaded from the Internet)
- '<SYSTEM32>\attrib.exe' "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\kavmain.lnk" +r +s
- '<SYSTEM32>\taskkill.exe' /f /im DownDuDu.exe
- '<SYSTEM32>\ping.exe' localhost -n 2.4
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\「开始」菜单\程序\启动\winsks.lnk" +r +s
- '<SYSTEM32>\attrib.exe' "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winsks.lnk" +r +s
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\「开始」菜单\程序\启动\kavmain.lnk" +r +s
- '<SYSTEM32>\cmd.exe' /c ""%APPDATA%\SecMain\sec.bat" h"
- '<SYSTEM32>\ping.exe' localhost -n 4.8
- '<SYSTEM32>\taskkill.exe' /f /im domain.exe
- '<SYSTEM32>\cacls.exe' "..\..\winsks_main" /c /t /p Everyone:f
- '<SYSTEM32>\cacls.exe' "%TEMP%\winsks_main" /c /t /p Everyone:f
- '<SYSTEM32>\mshta.exe' vbscript:createobject("wscript.shell").run("""%APPDATA%\SecMain\sec.bat"" h",0)(window.close)
- '<SYSTEM32>\attrib.exe' "%WINDIR%\DeskAlax" +s +h +r +a
- '<SYSTEM32>\attrib.exe' "%APPDATA%\SecMain" +s +h +r +a
- '<SYSTEM32>\attrib.exe' "%APPDATA%\KuTiansoft" +s +h +r +a
- '<SYSTEM32>\attrib.exe' "..\..\winsks_main" +s +h +r +a
- '<SYSTEM32>\attrib.exe' "%TEMP%\winsks_main" +s +h +r +a
- '<SYSTEM32>\attrib.exe' "%APPDATA%\winsks_data" +s +h +r +a
- '<SYSTEM32>\cacls.exe' "%APPDATA%\winsks_data" /c /t /p Everyone:f
- '<SYSTEM32>\xcopy.exe' /c /e /h /k /r /s /x /y "work_data\Invisible\Driver_Data\AppData" "%APPDATA%\"
- '<SYSTEM32>\xcopy.exe' /c /e /h /k /r /s /x /y "work_data\ForAlax\DeskAlax" "%WINDIR%\DeskAlax\"
- '<SYSTEM32>\cacls.exe' "..\..\winsks_main" /d everyone
- '<SYSTEM32>\cacls.exe' "%TEMP%\winsks_main" /d everyone
- '<SYSTEM32>\cacls.exe' "%APPDATA%\winsks_data" /d everyone
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_seb.html
- %TEMP%\aut10.tmp
- %TEMP%\aut11.tmp
- %TEMP%\aut12.tmp
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sec.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sea.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\KuData\kavmain.exe
- %TEMP%\autD.tmp
- %TEMP%\autE.tmp
- %TEMP%\autF.tmp
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\KuData\Main\Reserch.pfc
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sed.html
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\kavmain.lnk
- %HOMEPATH%\「开始」菜单\程序\启动\kavmain.lnk
- %TEMP%\kingsoftkonline\domain.exe.tmp
- %APPDATA%\SecMain\sec.bat
- %TEMP%\kudown.pfc
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winsks.lnk
- <SYSTEM32>\kavmain.exe
- %WINDIR%\DeskAlax\TianIco\kumain.ico
- %APPDATA%\SecMain\kudown.pfc
- %HOMEPATH%\「开始」菜单\程序\启动\winsks.lnk
- <SYSTEM32>\winsks.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\Main\SekReserch.pfc
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\DeskAlax\TianIco\kumain.ico
- %TEMP%\aut4.tmp
- %TEMP%\aut5.tmp
- %TEMP%\aut6.tmp
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\IEAlax\IElnk\Biger\winsks.lnk
- %TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe
- %TEMP%\winsks_main\winsks_ok\domain.bat
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- %TEMP%\aut3.tmp
- %TEMP%\winsks_main\winsks_ok\winsks.html
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\IEAlax\IElnk\KuMain\kavmain.lnk
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sec.exe
- %TEMP%\autA.tmp
- %TEMP%\autB.tmp
- %TEMP%\autC.tmp
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sed.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_seb.exe
- %TEMP%\winsks_main\winsks_ok\work_data\PorTable\variety.pfc
- %TEMP%\aut7.tmp
- %TEMP%\aut8.tmp
- %TEMP%\aut9.tmp
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sea.exe
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\kavmain.lnk
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winsks.lnk
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_seb.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sea.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sed.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\kavmain_sec.exe
- %TEMP%\winsks_main\winsks_ok\work_data\PorTable\variety.pfc
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\DeskAlax\TianIco\kumain.ico
- %TEMP%\winsks_main\winsks_ok\work_data\Asekbit\DoBest\ShortCut.exe
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\IEAlax\IElnk\KuMain\kavmain.lnk
- %TEMP%\winsks_main\winsks_ok\work_data\ForAlax\IEAlax\IElnk\Biger\winsks.lnk
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sed.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sec.html
- %TEMP%\kudown.pfc
- %TEMP%\kingsoftkonline\domain.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_seb.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\KuData\kavmain.exe
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\AppData\Main\SekReserch.pfc
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\SebData\winsks_sea.html
- %TEMP%\winsks_main\winsks_ok\work_data\UpLoad\KuData\Main\Reserch.pfc
- %TEMP%\winsks_main\winsks_ok\winsks.html
- %TEMP%\aut7.tmp
- %TEMP%\aut6.tmp
- %TEMP%\aut9.tmp
- %TEMP%\aut8.tmp
- %TEMP%\aut5.tmp
- %TEMP%\aut2.tmp
- %TEMP%\aut1.tmp
- %TEMP%\aut4.tmp
- %TEMP%\aut3.tmp
- %TEMP%\aut10.tmp
- %TEMP%\autF.tmp
- %TEMP%\aut12.tmp
- %TEMP%\aut11.tmp
- %TEMP%\autE.tmp
- %TEMP%\autB.tmp
- %TEMP%\autA.tmp
- %TEMP%\autD.tmp
- %TEMP%\autC.tmp
- from %TEMP%\kingsoftkonline\domain.exe.tmp to %TEMP%\kingsoftkonline\domain.exe
- from %TEMP%\winsks_main\winsks_ok\work_data\PorTable\variety.pfc to %TEMP%\winsks_main\winsks_ok\work_data\PorTable\variety.pfc
- 'cd###.clanmark.com':80
- 'bo.###a.net:8080':80
- cd###.clanmark.com/kutian/updata/domain.exe
- bo.###a.net:8080/pagetracer2/duba/__utm.gif?01#########################################################################################################
- DNS ASK cd###.clanmark.com
- DNS ASK bo.###a.net:8080
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'