Technical Information (sandbox observations, in order: registry service entries, process launches with command lines, files created, network endpoints and DNS queries, window classes enumerated)
- [<HKLM>\SYSTEM\ControlSet001\Services\hiberfill] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\igfxSvrup] 'Start' = '00000002'
- '%TEMP%\nsn2.tmp\nsC.tmp' sc stop PolicyAgent
- '%TEMP%\nsn2.tmp\nsD.tmp' sc start PolicyAgent
- '%PROGRAM_FILES%\hnhfcmkvn\mysetup.exe'
- '%TEMP%\nsn2.tmp\nsA.tmp' "m5x3pk7l.exe" -p Block0815468 -r Block0815468 -f 118.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block0815468 -r Block0815468 -f 118.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\nsB.tmp' regedit /s info.reg
- '%PROGRAM_FILES%\Common\igfxsvr.exe'
- '%TEMP%\nsoF.tmp\ns13.tmp' sc create hiberfill binpath= <SYSTEM32>\starmem\hiberfill.sys type= kernel start= system group= Base tag= yes
- '%TEMP%\nsoF.tmp\ns14.tmp' sc start hiberfill
- '%TEMP%\nsoF.tmp\ns10.tmp' sc create igfxSvrup binpath= "%PROGRAM_FILES%\Common\igfxsvr.exe" type= share start= auto displayname= "Web Teredos Cache Services"
- '%TEMP%\nsoF.tmp\ns11.tmp' sc description igfxSvrup "К№УГCahce TeredosјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '%TEMP%\nsoF.tmp\ns12.tmp' sc start igfxSvrup
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block9815468 -r Block9815468 -f 221.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns5.tmp' "m5x3pk7l.exe" -p Block3815468 -r BlockTWO815468 -f 122.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block3815468 -r BlockTWO815468 -f 122.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns6.tmp' "m5x3pk7l.exe" -p Block4815468 -r BlockTHREE815468 -f 124.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns3.tmp' sc start PolicyAgent
- '%TEMP%\nsn2.tmp\ns4.tmp' "m5x3pk7l.exe" -p Block1815468 -r BlockTCP815468 -f 119.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block1815468 -r BlockTCP815468 -f 119.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns8.tmp' "m5x3pk7l.exe" -p Block8815468 -r Block8815468 -f 220.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block8815468 -r Block8815468 -f 220.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns9.tmp' "m5x3pk7l.exe" -p Block9815468 -r Block9815468 -f 221.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block4815468 -r BlockTHREE815468 -f 124.*.*.*+0 -n BLOCK -x
- '%TEMP%\nsn2.tmp\ns7.tmp' "m5x3pk7l.exe" -p Block6815468 -r Block6815468 -f 125.*.*.*+0 -n BLOCK -x
- '%PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe' -p Block6815468 -r Block6815468 -f 125.*.*.*+0 -n BLOCK -x
- '<SYSTEM32>\sc.exe' create hiberfill binpath= <SYSTEM32>\starmem\hiberfill.sys type= kernel start= system group= Base tag= yes
- '<SYSTEM32>\sc.exe' start igfxSvrup
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\Common\note.vbs"
- '<SYSTEM32>\sc.exe' start hiberfill
- '<SYSTEM32>\sc.exe' description igfxSvrup "К№УГCahce TeredosјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '%WINDIR%\regedit.exe' /s info.reg
- '<SYSTEM32>\sc.exe' start PolicyAgent
- '<SYSTEM32>\sc.exe' create igfxSvrup binpath= "%PROGRAM_FILES%\Common\igfxsvr.exe" type= share start= auto displayname= "Web Teredos Cache Services"
- '<SYSTEM32>\sc.exe' stop PolicyAgent
- %PROGRAM_FILES%\Common\igfxsvr.exe
- %PROGRAM_FILES%\Common\hiberfill-nos.sys
- %PROGRAM_FILES%\Common\suject.db
- %TEMP%\nsoF.tmp\AccessControl.dll
- %PROGRAM_FILES%\Common\hiberfill.sys
- %PROGRAM_FILES%\Common\vison.txt
- %PROGRAM_FILES%\hnhfcmkvn\mysetup.exe
- %TEMP%\nsn2.tmp\nsD.tmp
- %PROGRAM_FILES%\Common\sqlite3.dll
- %PROGRAM_FILES%\Common\note.txt
- %PROGRAM_FILES%\Common\ypac.txt
- %TEMP%\nsoF.tmp\System.dll
- %TEMP%\nsoF.tmp\ns13.tmp
- <SYSTEM32>\starmem\hiberfill.sys
- %PROGRAM_FILES%\Common\note.vbs
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\ol[1].asp
- %TEMP%\nsoF.tmp\ns14.tmp
- %WINDIR%\tudouva.pac
- %TEMP%\nsoF.tmp\ns10.tmp
- %TEMP%\nsoF.tmp\nsExec.dll
- %TEMP%\nsoF.tmp\ns11.tmp
- %PROGRAM_FILES%\Common\pro.txt
- %TEMP%\nsoF.tmp\ns12.tmp
- %TEMP%\nsn2.tmp\nsC.tmp
- %TEMP%\nsn2.tmp\InetLoad.dll
- %TEMP%\nsn2.tmp\nsRandom.dll
- %TEMP%\nsn2.tmp\Internet.dll
- <Current directory>\op.ini
- %TEMP%\nsn2.tmp\nsplugin.dll
- %PROGRAM_FILES%\hnhfcmkvn\un0413155000193.exe
- %PROGRAM_FILES%\hnhfcmkvn\s0001.xml
- %PROGRAM_FILES%\hnhfcmkvn\menu.xml
- %PROGRAM_FILES%\hnhfcmkvn\reginfo.xml
- %PROGRAM_FILES%\hnhfcmkvn\temp0413155000193.ini
- %TEMP%\nsn2.tmp\System.dll
- %PROGRAM_FILES%\hnhfcmkvn\m5x3pk7l.exe
- %TEMP%\nsn2.tmp\ns9.tmp
- %TEMP%\nsn2.tmp\ns8.tmp
- %TEMP%\nsn2.tmp\nsA.tmp
- %TEMP%\nsn2.tmp\nsB.tmp
- %PROGRAM_FILES%\hnhfcmkvn\info.reg
- %TEMP%\nsn2.tmp\ns7.tmp
- %TEMP%\nsn2.tmp\ns3.tmp
- %TEMP%\nsn2.tmp\nsExec.dll
- %TEMP%\nsn2.tmp\ns4.tmp
- %TEMP%\nsn2.tmp\ns6.tmp
- %TEMP%\nsn2.tmp\ns5.tmp
- %PROGRAM_FILES%\Common\hiberfill-nos.sys
- %TEMP%\nsoF.tmp\AccessControl.dll
- %TEMP%\nsoF.tmp\nsExec.dll
- %TEMP%\nsoF.tmp\ns13.tmp
- %TEMP%\nsoF.tmp\ns14.tmp
- %PROGRAM_FILES%\Common\hiberfill.sys
- %TEMP%\nsoF.tmp\System.dll
- %PROGRAM_FILES%\hnhfcmkvn\reginfo.xml
- %PROGRAM_FILES%\hnhfcmkvn\info.reg
- %PROGRAM_FILES%\Common\note.vbs
- %PROGRAM_FILES%\hnhfcmkvn\mysetup.exe
- %PROGRAM_FILES%\hnhfcmkvn\s0001.xml
- %PROGRAM_FILES%\hnhfcmkvn\menu.xml
- %TEMP%\nsoF.tmp\ns12.tmp
- %TEMP%\nsn2.tmp\ns6.tmp
- %TEMP%\nsn2.tmp\ns7.tmp
- %TEMP%\nsn2.tmp\ns8.tmp
- %TEMP%\nsn2.tmp\ns3.tmp
- %TEMP%\nsn2.tmp\ns4.tmp
- %TEMP%\nsn2.tmp\ns5.tmp
- %TEMP%\nsn2.tmp\ns9.tmp
- %TEMP%\nsn2.tmp\nsD.tmp
- %TEMP%\nsoF.tmp\ns10.tmp
- %TEMP%\nsoF.tmp\ns11.tmp
- %TEMP%\nsn2.tmp\nsA.tmp
- %TEMP%\nsn2.tmp\nsB.tmp
- %TEMP%\nsn2.tmp\nsC.tmp
- 'localhost':1040
- 'tj.##osun.com':80
- 'm.###nong.com':888
- tj.##osun.com/ol.asp?c=###########################
- tj.##osun.com/svr.asp?c=########################################
- DNS ASK tj.##osun.com
- DNS ASK m.###nong.com
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'