Technical Information (automated sandbox behaviour report; the lists below appear to cover, in order, registry service start-type changes, launched command lines, file-system paths touched, file renames, network activity and a window lookup — no section headers are present, so those boundaries are inferred. `<SYSTEM32>`, `<Current directory>`, `%TEMP%`, `%ALLUSERSPROFILE%` and `%SESSIONNAME%` are the report's path placeholders, not literal strings.)
- %WINDIR%\Tasks\SA.DAT
- (Note: a 'Start' value of 2 is SERVICE_AUTO_START. The entries below force every listed service — including Messenger, RemoteAccess, RasAuto/RasMan and TapiSrv — to start automatically at boot, which a normal application has no reason to do; on a matched host compare these keys under CurrentControlSet as well, since ControlSet001 is usually but not always the active set.)
- [<HKLM>\SYSTEM\ControlSet001\Services\Nla] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\NtmsSvc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Netman] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\TapiSrv] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Wmi] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RasAuto] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RasMan] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\EventSystem] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Messenger] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RemoteAccess] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\AudioSrv] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\HidServ] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\helpsvc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\AppMgmt] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Themes] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\wuauserv] 'Start' = '00000002'
- 'C:\kycohwwief' a -sc:\server.exe
- (Note: every random-named executable dropped in the root of C:\ is launched with the identical argument string `a -sc:\server.exe`, and each one is later renamed to a three-letter name — see the rename list further down. The ten-character names appear to be generated per run, so detection should key on the reference to C:\server.exe and on the argument pattern rather than on these exact file names.)
- 'C:\ghrychqjuw' a -sc:\server.exe
- 'C:\hxcbkmovtp' a -sc:\server.exe
- 'C:\jdhsmtfkjm' a -sc:\server.exe
- 'C:\kudybnyxhl' a -sc:\server.exe
- 'C:\jrnpekbxpy' a -sc:\server.exe
- 'C:\jbboxvfswh' a -sc:\server.exe
- 'C:\bqlkkyppyq' a -sc:\server.exe
- 'C:\DNFГв2ј¶ГЬВ빤ѕЯ.exe' /pid=3896 (this file name appears mis-encoded in the report — the original is presumably non-Latin, likely CJK; match on the `DNF` prefix, the `/pid=` argument and a file hash rather than on this string, and note the `/pid=` argument suggests it is handed another process's id, which is worth examining)
- 'C:\iydffsscsu' a -sc:\server.exe
- 'C:\ipgcbbrwhi' a -sc:\server.exe
- 'C:\jmbwuejucy' a -sc:\server.exe
- 'C:\iqwhxgjlso' a -sc:\server.exe
- 'C:\inywmdqhuc' a -sc:\server.exe
- 'C:\igpxnylfiu' a -sc:\server.exe
- 'C:\server.exe'
- 'C:\DNFГв2ј¶ГЬВ빤ѕЯ.exe'
- 'C:\hvhupxxqoi' a -sc:\server.exe
- 'C:\isfqhkohdb' a -sc:\server.exe
- 'C:\jxifgkibmt' a -sc:\server.exe
- 'C:\jrmlievtrt' a -sc:\server.exe
- 'C:\ixtfqsywmu' a -sc:\server.exe
- 'C:\iyyfjkujyu' a -sc:\server.exe
- 'C:\isellekcfu' a -sc:\server.exe
- '<SYSTEM32>\svchost.exe' -k netsvcs (launching the netsvcs host is normal by itself; combined with the service start-type changes above, verify on a matched host that this svchost instance loads only legitimate service DLLs)
- <SYSTEM32>\vdghcxbyio
- <SYSTEM32>\d2f5ca0e.rdb
- C:\iydffsscsu
- <SYSTEM32>\vusntuxbus
- <Current directory>\cfjlofdxr
- %TEMP%\bbkmeyivse.dat
- C:\hxcbkmovtp
- C:\ipgcbbrwhi
- %TEMP%\rgselsrqdh.dat
- <SYSTEM32>\4ef54a5d.rdb
- <Current directory>\svlvfgyou
- <Current directory>\igmyicomu
- <SYSTEM32>\vujsreftie
- %TEMP%\nbvsddbgub.dat
- <SYSTEM32>\73db5414.rdb
- <SYSTEM32>\b198415e.rdb
- <Current directory>\dvjxvqwbk
- %TEMP%\tutnewuqkn.dat
- <Current directory>\cojddhljn
- <SYSTEM32>\vnhfppyxtp
- <SYSTEM32>\1c84c2e8.rdb
- <SYSTEM32>\vmnpmiokum
- C:\ghrychqjuw
- <SYSTEM32>\vvciulqiii
- <SYSTEM32>\26e4c3b.rdb
- C:\kycohwwief
- <SYSTEM32>\41b22795.rdb
- %TEMP%\devnjfqpnc.dat
- <SYSTEM32>\a0504eb5.rdb
- %TEMP%\hvisdirskv.dat
- C:\icjonvxweh
- <SYSTEM32>\4ac26bd1.rdb
- <Current directory>\bwxfohjnq
- <SYSTEM32>\vreyjixeku
- %TEMP%\tskkjtqyvg.dat
- <SYSTEM32>\bc13122c.rdb
- <SYSTEM32>\vygmlweayj
- <SYSTEM32>\vhugtagxle
- <Current directory>\mlxsoklwif
- PARSE ERROR (appears to be a report artifact — a path the sandbox could not decode — rather than an indicator; do not carry it into detection content)
- <SYSTEM32>\bc7b68b.rdb
- <SYSTEM32>\vinvwhrllh
- %WINDIR%\Sys39.968 [0x3F353DB7320CEDE8] *E_OpenKey: pid 0xeec, tid 0xa1 (this looks like a fragment of the sandbox's own monitor log leaked into the path list rather than a real file path; treat it as an artifact unless the `Sys39.968` name can be confirmed from the sample)
- C:\jmbwuejucy
- %TEMP%\cgvvpdqdps.dat
- <SYSTEM32>\dcbfa27a.rdb
- <Current directory>\nttyknjin
- <SYSTEM32>\vtqdpwugjb
- <Current directory>\dymfjxrxj
- %TEMP%\wockjggmek.dat
- %TEMP%\snhsiygqqk.dat
- <Current directory>\jnbvtpsin
- C:\bqlkkyppyq
- <Current directory>\pccmldcnv
- <SYSTEM32>\35172304.rdb
- <SYSTEM32>\vswompjrjx
- C:\jbboxvfswh
- C:\jxifgkibmt
- <Current directory>\njkqpyhmk
- <Current directory>\onheymtss
- <SYSTEM32>\51e92691.rdb
- <SYSTEM32>\vsqthhoeqj
- <SYSTEM32>\vbfmpkqbef
- C:\isfqhkohdb
- C:\jrmlievtrt
- <SYSTEM32>\vqeobsrcrd
- %TEMP%\nrqccygbkx.dat
- <Current directory>\ygtlfjykd
- %TEMP%\mwqhpytkij.dat
- %TEMP%\uxqhovlwhk.dat
- C:\inywmdqhuc
- <Current directory>\mglpfriio
- %TEMP%\vhtsvskciy.dat
- C:\iqwhxgjlso
- C:\server.exe
- C:\DNFГв2ј¶ГЬВ빤ѕЯ.exe
- C:\hvhupxxqoi
- C:\igpxnylfiu
- <SYSTEM32>\f5859b27.rdb
- C:\ixtfqsywmu
- %TEMP%\rixejlqjnr.dat
- C:\iyyfjkujyu
- C:\isellekcfu
- <Current directory>\rkfyyvyop
- C:\jdhsmtfkjm
- <Current directory>\orrpfqlwj
- <Current directory>\qbfpwmnok
- C:\kudybnyxhl
- <Current directory>\vmqjtrdmw
- <Current directory>\sdhgfbndrm
- <Current directory>\ypiwxbienr
- <Current directory>\tvkfmwlee
- <Current directory>\kmshfsplw
- <Current directory>\tvkfmwleer
- <Current directory>\lrvofgcqt
- %TEMP%\sdlvefhwiv.dat
- <Current directory>\rxunlqlec
- <Current directory>\qbfpwmnokw
- %TEMP%\wuqmiwfbpi.dat
- <Current directory>\onheymtssf
- %TEMP%\nbvvcvwovm.dat
- C:\jrnpekbxpy
- <Current directory>\owclpydvv
- <Current directory>\kkdlsiyid
- %TEMP%\cyjfmbnmjf.dat
- <SYSTEM32>\e22a4301.rdb
- %TEMP%\gidpwoomwi.dat
- <Current directory>\kkdlsiyido
- <SYSTEM32>\154232de.rdb
- %TEMP%\qpwilqpoeh.dat
- <Current directory>\ypiwxbien
- <Current directory>\sdhgfbndr
- <Current directory>\svlgqbqdd
- C:\DNFГв2ј¶ГЬВ빤ѕЯ.exe
- C:\server.exe
- <SYSTEM32>\vdghcxbyio
- C:\kud
- <SYSTEM32>\vusntuxbus
- C:\jrm
- <Current directory>\igmyicomu
- <Current directory>\svlvfgyou
- <SYSTEM32>\vtqdpwugjb
- C:\jrn
- <SYSTEM32>\vujsreftie
- <Current directory>\dvjxvqwbk
- C:\jxi
- <SYSTEM32>\vnhfppyxtp
- C:\igp
- <SYSTEM32>\vmnpmiokum
- C:\ise
- <Current directory>\cfjlofdxr
- C:\jdh
- <SYSTEM32>\vvciulqiii
- C:\kyc
- C:\jmb
- <SYSTEM32>\vinvwhrllh
- C:\ipg
- <Current directory>\bwxfohjnq
- C:\jbb
- <SYSTEM32>\vhugtagxle
- <Current directory>\mlxsoklwif
- C:\bql
- <SYSTEM32>\vygmlweayj
- C:\hxc
- <SYSTEM32>\vswompjrjx
- <Current directory>\dymfjxrxj
- <Current directory>\nttyknjin
- C:\ghr
- <SYSTEM32>\vreyjixeku
- C:\iyd
- <Current directory>\pccmldcnv
- <Current directory>\jnbvtpsin
- %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\gqmqk.cc3
- <SYSTEM32>\f5859b27.rdb
- <Current directory>\njkqpyhmk
- <Current directory>\onheymtss
- <Current directory>\ygtlfjykd
- <Current directory>\kkdlsiyid
- <Current directory>\owclpydvv
- C:\hvh
- <SYSTEM32>\vqeobsrcrd
- <Current directory>\rkfyyvyop
- <SYSTEM32>\config\AppEvent.Evt (together with SecEvent.Evt and SysEvent.Evt below, these are the Windows 2000/XP event-log stores; their appearance in what looks like the delete list — this list follows the created-file list and precedes the renames, which is the usual report order — would indicate log wiping, so confirm the section against the sandbox's original headers and treat it as anti-forensic behaviour during incident response)
- C:\server.exe
- <Current directory>\mglpfriio
- <SYSTEM32>\config\SecEvent.Evt
- C:\iqw
- <SYSTEM32>\vbfmpkqbef
- <SYSTEM32>\vsqthhoeqj
- <SYSTEM32>\config\SysEvent.Evt
- %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\ulchw.cc3
- <Current directory>\qbfpwmnok
- <Current directory>\rxunlqlec
- <Current directory>\vmqjtrdmw
- <Current directory>\orrpfqlwj
- <Current directory>\qbfpwmnokw
- <Current directory>\lrvofgcqt
- <Current directory>\cojddhljn
- <Current directory>\kmshfsplw
- <Current directory>\tvkfmwleer
- <Current directory>\sdhgfbndr
- <Current directory>\ypiwxbien
- <Current directory>\onheymtssf
- <SYSTEM32>\51e92691.rdb
- <Current directory>\svlgqbqdd
- <Current directory>\ypiwxbienr
- <Current directory>\tvkfmwlee
- <Current directory>\kkdlsiyido
- <Current directory>\sdhgfbndrm
- from C:\ghrychqjuw to C:\ghr
- from %TEMP%\bbkmeyivse.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\frmno.cc3 (the dropped `%TEMP%\*.dat` files are staged under an `Application Data\Storm\update` tree — possibly chosen to resemble a media-player update folder — with a `.cc3` extension; the directory path and extension are a more stable indicator than the per-run file names)
- from C:\hxcbkmovtp to C:\hxc
- from C:\iydffsscsu to C:\iyd
- from %TEMP%\nbvsddbgub.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\stgcn.cc3
- from C:\jrnpekbxpy to C:\jrn
- from %TEMP%\sdlvefhwiv.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\rdhms.cc3
- from %TEMP%\tutnewuqkn.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\exxdn.cc3
- from C:\kycohwwief to C:\kyc
- from %TEMP%\devnjfqpnc.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\kodrj.cc3
- from %TEMP%\rgselsrqdh.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\wfpdm.cc3
- from C:\bqlkkyppyq to C:\bql
- from %TEMP%\snhsiygqqk.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\dspqq.cc3
- from %TEMP%\tskkjtqyvg.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\lvgix.cc3
- from C:\icjonvxweh to C:\icj
- from %TEMP%\hvisdirskv.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\wtpdr.cc3
- from %TEMP%\wockjggmek.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\inbhp.cc3
- from C:\ipgcbbrwhi to C:\ipg
- from %TEMP%\cgvvpdqdps.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\osyrq.cc3
- from C:\jbboxvfswh to C:\jbb
- from C:\jmbwuejucy to C:\jmb
- from C:\kudybnyxhl to C:\kud
- from C:\ixtfqsywmu to C:\ixt
- from C:\igpxnylfiu to C:\igp
- from %TEMP%\uxqhovlwhk.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\rkjqt.cc3
- from C:\iyyfjkujyu to C:\iyy
- from %TEMP%\nrqccygbkx.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\vupwk.cc3
- from C:\iqwhxgjlso to C:\iqw
- from C:\hvhupxxqoi to C:\hvh
- from %TEMP%\rixejlqjnr.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\gqmqk.cc3
- from C:\inywmdqhuc to C:\iny
- from %TEMP%\vhtsvskciy.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\ulchw.cc3
- from C:\isellekcfu to C:\ise
- from %TEMP%\gidpwoomwi.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\wohds.cc3
- from %TEMP%\qpwilqpoeh.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\xnfdf.cc3
- from C:\jdhsmtfkjm to C:\jdh
- from %TEMP%\wuqmiwfbpi.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\fdqhr.cc3
- from %TEMP%\nbvvcvwovm.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\obioj.cc3
- from C:\isfqhkohdb to C:\isf
- from %TEMP%\mwqhpytkij.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\vwnwn.cc3
- from C:\jxifgkibmt to C:\jxi
- from %TEMP%\cyjfmbnmjf.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\onlms.cc3
- from C:\jrmlievtrt to C:\jrm
- 'xq#####8601.gicp.net':8000 (gicp.net is a dynamic-DNS service; a masked dynamic-DNS host on the non-standard port 8000 is the most plausible command-and-control endpoint in this report and the one network indicator worth blocking — the hostname is partially redacted here, so recover it from the sample before use)
- (The four lookups below are for well-known Chinese portal and AV-vendor domains — apparently baidu.com, 163.com and 360.cn — and are most likely connectivity checks; do not treat them as C2 indicators.)
- DNS ASK www.ba##u.com
- DNS ASK www.16#.com
- DNS ASK qu#.#.360.cn
- DNS ASK co##.f.360.cn
- DNS ASK xq#####8601.gicp.net
- ClassName: 'Shell_TrayWnd' WindowName: '' (the sample looks up the taskbar window; this is commonly used to check for an interactive desktop or to hide/manipulate the tray, but the report does not show what it does with the handle)