Technical Information
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'ImagePath' = '<SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"'
- 'MsRkNrL' <SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"
- %TEMP%\dm6331.tmp
- %WINDIR%\temp\rad53bf6.tmp
- %WINDIR%\temp\radb7ec8.tmp
- %WINDIR%\temp\radce6ca.tmp
- %WINDIR%\temp\rad371d7.tmp
- %WINDIR%\temp\rad1f686.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
- %WINDIR%\temp\rad27f4a.tmp
- %WINDIR%\temp\rad7b1d7.tmp
- %WINDIR%\temp\rad6c6d3.tmp
- %WINDIR%\temp\rad69726.tmp
- %WINDIR%\temp\rade65e5.tmp
- %WINDIR%\temp\raddeff7.tmp
- %WINDIR%\temp\radd1979.tmp
- %WINDIR%\temp\rad5f5aa.tmp
- %WINDIR%\temp\rad19e64.tmp
- %WINDIR%\temp\rad5bc88.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
- %WINDIR%\temp\rad18b15.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[2].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[2].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
- %WINDIR%\temp\rad063f3.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
- %WINDIR%\temp\rad67549.tmp
- %WINDIR%\temp\rad9e078.tmp
- %WINDIR%\temp\rad929c7.tmp
- %WINDIR%\temp\rad1d6bb.tmp
- %WINDIR%\temp\rad993e8.tmp
- %WINDIR%\temp\rade9d46.tmp
- %WINDIR%\temp\rad60505.tmp
- %WINDIR%\temp\rad0c048.tmp
- %WINDIR%\temp\rad1aeea.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
- %WINDIR%\temp\rada0535.tmp
- %WINDIR%\temp\rad59ec6.tmp
- %WINDIR%\temp\rad004f4.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
- %TEMP%\rad6737e.tmp
- %WINDIR%\temp\rad04e38.tmp
- %TEMP%\rad066e2.tmp
- %TEMP%\rad00184.tmp
- %TEMP%\radd8e55.tmp
- %WINDIR%\temp\rknrl.vbs
- %WINDIR%\temp\winstart.vbs
- %WINDIR%\temp\dm6331.tmp
- %TEMP%\winstart.vbs
- %TEMP%\rknrl.vbs
- %TEMP%\rad54db4.tmp
- %WINDIR%\temp\rad54476.tmp
- %WINDIR%\temp\rada26e7.tmp
- %WINDIR%\temp\rad36243.tmp
- %WINDIR%\temp\rad2f199.tmp
- %WINDIR%\temp\radd3ad7.tmp
- %WINDIR%\temp\rad3af56.tmp
- %WINDIR%\temp\rad35496.tmp
- %WINDIR%\temp\rad71992.tmp
- %WINDIR%\temp\rade9e69.tmp
- %WINDIR%\temp\radf8324.tmp
- %WINDIR%\temp\rad13704.tmp
- %WINDIR%\temp\rad54865.tmp
- %WINDIR%\temp\radbdbb3.tmp
- %WINDIR%\temp\rad02d79.tmp
- %WINDIR%\temp\radc8707.tmp
- %WINDIR%\temp\radc95f9.tmp
- %WINDIR%\temp\rad97a24.tmp
- %WINDIR%\temp\rad7fed3.tmp
- %WINDIR%\temp\rad4c5a2.tmp
- %WINDIR%\temp\rad92263.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
- %TEMP%\dm6332.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[2].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[2].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
- %WINDIR%\temp\dm6332.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
- from %TEMP%\radd8e55.tmp to %TEMP%\dm6332.tmp
- from %WINDIR%\temp\rad004f4.tmp to %WINDIR%\temp\dm6332.tmp
- %TEMP%\dm6332.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
- %WINDIR%\temp\dm6332.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\rknrl[1].vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- http://ap#.##herscan.io/api?mo#############################################################################
- http://ai########ill.aigoingtokill.club/ctrl/url.html
- http://ai########ill.aigoingtokill.club/ctrl/playback.php
- http://ai########ill.aigoingtokill.club/ctrl/file/DM6331.TMP
- http://ai########ill.aigoingtokill.club/ctrl/file/rknrl.vbs
- DNS ASK ap#.##herscan.io
- DNS ASK ai########ill.aigoingtokill.club
- '<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\rknrl.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.vbs"
- '<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\winstart.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs" (with hidden window)