Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '' = '%WINDIR%\orz.exe'
- [<HKLM>\System\CurrentControlSet\Services\hy5.5] 'ImagePath' = '%TEMP%\KslM12e.sys'
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- <SYSTEM32>\ctfmon.exe
- %TEMP%\fa96f.tmp
- %TEMP%\faa4d.tmp
- %TEMP%\fab34.tmp
- %TEMP%\kslm12e.sys
- <LS_APPDATA>\microsoft\windows\history\history.ie5\mshist012019081620190817\index.dat
- %WINDIR%\orz.exe
- %WINDIR%\fr.mp3
- %WINDIR%\help\windows\fz.exe
- %WINDIR%\help\windows\lpl.exe
- %WINDIR%\help\tz.ico
- 'localhost':3103
- ClassName: 'ENewFrame' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: '' WindowName: 'fz.exe'
- '%WINDIR%\help\windows\fz.exe'
- '<SYSTEM32>\ctfmon.exe'