Technical Information — artifacts recorded while the sample ran: Run/RunOnce persistence entries pointing at copies of itself in %APPDATA% (system.exe, helper.exe), files created (a ransom note named "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT" and a file named "я" written into each traversed directory), window class names referenced, and command lines launched (a cmd.exe copy of the sample to %APPDATA%\system.exe, and mshta.exe JavaScript that deletes the original file and writes the registry persistence entries; the last command line is truncated in this listing).
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'amCiShWWW' = '%APPDATA%\system.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'whelp' = '%APPDATA%\helper.exe'
- %HOMEPATH%\Start Menu\Programs\Startup\я
- %HOMEPATH%\Start Menu\Programs\Startup\desktop.ini
- %HOMEPATH%\Start Menu\Programs\Startup\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Start Menu\Programs\Startup\Shortcut to startup_local.lnk
- <SYSTEM32>\cscript.exe
- %APPDATA%\system.exe
- C:\Far2\Plugins\AutoWrap\я
- C:\Far2\Plugins\arclite\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\arclite\я
- C:\Far2\Plugins\Align\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Align\я
- C:\Far2\Plugins\7-Zip\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\7-Zip\я
- C:\Far2\FExcept\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\FExcept\я
- C:\Far2\Encyclopedia\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Encyclopedia\я
- C:\Far2\Documentation\rus\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Documentation\rus\я
- C:\Far2\Documentation\eng\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Documentation\eng\я
- C:\Far2\Addons\XLat\Russian\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\XLat\Russian\я
- C:\Far2\Addons\XLat\я
- C:\Far2\Addons\XLat\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\AutoWrap\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Brackets\я
- C:\Far2\Plugins\Compare\я
- C:\Far2\Plugins\Colorer\hrd\console\contrib\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrd\console\contrib\я
- C:\Far2\Plugins\Colorer\hrd\console\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrd\console\я
- C:\Far2\Plugins\Colorer\hrd\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrd\я
- C:\Far2\Plugins\Colorer\hrc\auto\types\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrc\auto\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrc\auto\я
- C:\Far2\Plugins\Colorer\hrc\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrc\я
- C:\Far2\Plugins\Colorer\bin\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\bin\я
- C:\Far2\Plugins\Colorer\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\я
- C:\Far2\Plugins\Brackets\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Shell\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Shell\я
- C:\Far2\Addons\SetUp\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Start Menu\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Start Menu\я
- %HOMEPATH%\My Documents\My Pictures\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\My Documents\My Pictures\я
- %HOMEPATH%\My Documents\My Music\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\My Documents\My Music\я
- %HOMEPATH%\My Documents\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\My Documents\я
- %HOMEPATH%\Favorites\Links\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Favorites\Links\я
- %HOMEPATH%\Favorites\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Favorites\я
- %HOMEPATH%\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\я
- %APPDATA%\helper.exe
- %TEMP%\~wtmp001.exe
- %HOMEPATH%\Start Menu\Programs\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Start Menu\Programs\Accessories\я
- %HOMEPATH%\Start Menu\Programs\я
- %HOMEPATH%\Start Menu\Programs\Accessories\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\SetUp\я
- %HOMEPATH%\Start Menu\Programs\Accessories\Accessibility\я
- C:\Far2\Addons\Macros\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Macros\я
- C:\Far2\Addons\Colors\Default Highlighting\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Colors\Default Highlighting\я
- C:\Far2\Addons\Colors\Custom Highlighting\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Colors\Custom Highlighting\я
- C:\Far2\Addons\Colors\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Plugins\Colorer\hrc\auto\types\я
- C:\Far2\Plugins\Compare\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\я
- C:\Far2\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\я
- C:\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\я
- %HOMEPATH%\Start Menu\Programs\Accessories\Entertainment\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- %HOMEPATH%\Start Menu\Programs\Accessories\Entertainment\я
- %HOMEPATH%\Start Menu\Programs\Accessories\Accessibility\HOW TO RECOVER ENCRYPTED FILES-fastrecovery@xmpp.jp.TXT
- C:\Far2\Addons\Colors\я
- C:\Far2\Plugins\DrawLine\я
- %APPDATA%\system.exe
- C:\Far2\Addons\XLat\я
- C:\Far2\Addons\XLat\Russian\я
- C:\Far2\Documentation\eng\я
- C:\Far2\Documentation\rus\я
- C:\Far2\Encyclopedia\я
- C:\Far2\FExcept\я
- C:\Far2\Plugins\7-Zip\я
- C:\Far2\Plugins\Align\я
- C:\Far2\Plugins\arclite\я
- C:\Far2\Plugins\AutoWrap\я
- C:\Far2\Plugins\Brackets\я
- C:\Far2\Plugins\Colorer\я
- C:\Far2\Plugins\Colorer\bin\я
- C:\Far2\Plugins\Colorer\hrc\я
- C:\Far2\Plugins\Colorer\hrc\auto\я
- C:\Far2\Plugins\Colorer\hrc\auto\types\я
- C:\Far2\Plugins\Colorer\hrd\я
- C:\Far2\Plugins\Colorer\hrd\console\я
- C:\Far2\Plugins\Colorer\hrd\console\contrib\я
- C:\Far2\Addons\Shell\я
- C:\Far2\Plugins\Compare\я
- C:\Far2\Addons\SetUp\я
- C:\Far2\Addons\Colors\Default Highlighting\я
- <Full path to file>
- %APPDATA%\helper.exe
- %HOMEPATH%\я
- %HOMEPATH%\Favorites\я
- %HOMEPATH%\Favorites\Links\я
- %HOMEPATH%\My Documents\я
- %HOMEPATH%\My Documents\My Music\я
- %HOMEPATH%\My Documents\My Pictures\я
- %HOMEPATH%\Start Menu\я
- %HOMEPATH%\Start Menu\Programs\я
- %HOMEPATH%\Start Menu\Programs\Accessories\я
- %HOMEPATH%\Start Menu\Programs\Accessories\Accessibility\я
- %HOMEPATH%\Start Menu\Programs\Accessories\Entertainment\я
- %HOMEPATH%\Start Menu\Programs\Startup\я
- C:\я
- C:\Far2\я
- C:\Far2\Addons\я
- C:\Far2\Addons\Colors\я
- C:\Far2\Addons\Colors\Custom Highlighting\я
- C:\Far2\Addons\Macros\я
- C:\Far2\Plugins\DrawLine\я
- %HOMEPATH%\я
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- '%APPDATA%\system.exe'
- '%TEMP%\~wtmp001.exe'
- '%APPDATA%\helper.exe'
- '<SYSTEM32>\cmd.exe' /c copy /y "<Full path to file>" "%APPDATA%\system.exe"
- '<SYSTEM32>\mshta.exe' "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('<File name>.exe');close()}catch(e){}},10);"
- '<SYSTEM32>\mshta.exe' "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('system.exe').Path;o.RegWrite('HKCU\\Software\\Microsof...