Technical Information
The entries below are the observed artifacts, grouped as recorded: registry values (a Winlogon 'Userinit' entry whose listed value matches the standard default, three services under CurrentControlSet\Services — two with 'Start' = 2, i.e. automatic start, and one kernel driver — and Windows Firewall authorized-application entries), firewall changes made through netsh, files written under <SYSTEM32>\resms, <SYSTEM32>\resback and %TEMP%\rarsfx0, two network endpoints, and the processes launched (many with hidden windows).
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,'
- [<HKLM>\System\CurrentControlSet\Services\NetManagerSer] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\NetManagerSer] 'ImagePath' = '<SYSTEM32>\ResMs\PcManager.exe'
- [<HKLM>\System\CurrentControlSet\Services\NetManagerMon] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\NetManagerMon] 'ImagePath' = '<SYSTEM32>\ResMs\SerManager.exe'
- [<HKLM>\System\CurrentControlSet\Services\myFWDrv] 'ImagePath' = '<SYSTEM32>\ResMs\myFWDrv.sys'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ResMs\MONMANAGER.EXE' = '<SYSTEM32>\ResMs\MONMANAGER.EX...
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ResMs\PCMANAGER.EXE' = '<SYSTEM32>\ResMs\PCMANAGER.EXE:...
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\MonManager.exe UDP ENABLE
- '<SYSTEM32>\netsh.exe' firewall add portopening UDP 9099 UDP2 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\rsvwin.exe PING ENABLE
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5051 TCP2 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 8055 TCP3 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 9055 TCP0 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall set icmpsetting 8 ENABLE
- '<SYSTEM32>\netsh.exe' firewall add portopening UDP 8099 UDP1 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5050 TCP1 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\PcManager.exe TCP ENABLE
- %TEMP%\rarsfx0\installmanager.exe
- <SYSTEM32>\resms\terminalaudit.dll
- <SYSTEM32>\resms\winpcap.exe
- <SYSTEM32>\resms\winpcap_4_1_2.exe
- <SYSTEM32>\resms\winpcap\wpcap.dll
- <SYSTEM32>\resms\winpcap\wpcap.inf
- <SYSTEM32>\resms\winpcap\inswpcap2.exe
- <SYSTEM32>\resms\monhardware.dll
- <SYSTEM32>\resms\winpcap\npf.sys
- <SYSTEM32>\resms\winpcap\pthreadvc.dll
- <SYSTEM32>\resms\winpcap\wanpacket.dll
- <SYSTEM32>\packet.dll
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\wanpacket.dll
- <SYSTEM32>\pthreadvc.dll
- <SYSTEM32>\resms\sermanager.exe
- <SYSTEM32>\resms\smtzmonlog.exe
- <SYSTEM32>\resms\securitymanager.dll
- <SYSTEM32>\resms\qchain.exe
- <SYSTEM32>\resms\pcmanager.exe
- <SYSTEM32>\resms\pcmanager.config
- <SYSTEM32>\resms\authenmanager.dll
- <SYSTEM32>\resms\cabxmldll.dll
- <SYSTEM32>\resms\changeservice.exe
- <SYSTEM32>\resms\devicemanager.dll
- <SYSTEM32>\resms\devmonlib.dll
- <DRIVERS>\npf.sys
- <SYSTEM32>\resms\winpcap\packet.dll
- <SYSTEM32>\resms\mainmanager.dll
- <SYSTEM32>\resms\monmanager.exe
- <SYSTEM32>\resms\monoutercon.dll
- <SYSTEM32>\resms\myfwdrv.sys
- <SYSTEM32>\resms\myfwforv.dll
- <SYSTEM32>\resms\npptools.dll
- <SYSTEM32>\resms\patchmanager.dll
- %TEMP%\rarsfx0\pcmanager.config
- <SYSTEM32>\resms\monlanhost.dll
- <SYSTEM32>\resback\smtzbackup.exe
- <SYSTEM32>\resms\pcmanager.config
- %TEMP%\rarsfx0\installmanager.exe
- %TEMP%\rarsfx0\pcmanager.config
- <SYSTEM32>\resms\pcmanager.config
- '10.#2.1.6':80
- '23#.79.0.10':8099
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\rarsfx0\installmanager.exe'
- '<SYSTEM32>\resms\winpcap\inswpcap2.exe'
- '<SYSTEM32>\resms\pcmanager.exe' -i
- '<SYSTEM32>\resms\pcmanager.exe' -s
- '<SYSTEM32>\resms\winpcap.exe'
- '<SYSTEM32>\resms\sermanager.exe' -i
- '<SYSTEM32>\resms\pcmanager.exe'
- '<SYSTEM32>\resms\sermanager.exe' -s
- '<SYSTEM32>\resms\sermanager.exe'
- '<SYSTEM32>\resms\changeservice.exe'
- '<SYSTEM32>\resms\monmanager.exe'
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 5050 TCP1 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\resms\sermanager.exe' -s' (with hidden window)
- '<SYSTEM32>\resms\pcmanager.exe' -s' (with hidden window)
- '<SYSTEM32>\resms\pcmanager.exe' -i' (with hidden window)
- '<SYSTEM32>\resms\winpcap\inswpcap2.exe' ' (with hidden window)
- '<SYSTEM32>\resms\changeservice.exe' ' (with hidden window)
- '<SYSTEM32>\resms\winpcap.exe' ' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\rsvwin.exe PING ENABLE' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c move <SYSTEM32>\ResMs\ <SYSTEM32>\ResBack\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\ResMs\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\PcManager.exe TCP ENABLE' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall set icmpsetting 8 ENABLE' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 5051 TCP2 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 9055 TCP0 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\ResMs\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 8055 TCP3 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\MonManager.exe UDP ENABLE' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\Update\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening UDP 8099 UDP1 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\Update\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\ResBack\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\ResBack\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening UDP 9099 UDP2 ENABLE ALL' (with hidden window)
- '<SYSTEM32>\resms\sermanager.exe' -i' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c arp -d' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 5050 TCP1 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c move <SYSTEM32>\ResMs\ <SYSTEM32>\ResBack\
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\ResMs\
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\ResMs\
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\ResBack\
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\ResBack\
- '<SYSTEM32>\cmd.exe' /c rd /q <SYSTEM32>\Update\
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening UDP 8099 UDP1 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c arp -d
- '<SYSTEM32>\cmd.exe' /c del /q <SYSTEM32>\Update\
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\rsvwin.exe PING ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 8055 TCP3 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 9055 TCP0 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening UDP 9099 UDP2 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 5051 TCP2 ENABLE ALL
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\MonManager.exe UDP ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall add allowedprogram <SYSTEM32>\ResMs\PcManager.exe TCP ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set icmpsetting 8 ENABLE
- '<SYSTEM32>\arp.exe' -d