Technical Information
Run-key autostart values (HKLM is machine-wide, HKCU is per-user), both pointing at %TEMP%\Trojan.exe:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '5cd8f17f4086744065eb0992a09e05a2' = '"%TEMP%\Trojan.exe" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '5cd8f17f4086744065eb0992a09e05a2' = '"%TEMP%\Trojan.exe" ..'
- [<HKLM>\SOFTWARE\Classes\.exe] '' = 'exefile'
Windows Firewall allow-list entry for %TEMP%\Trojan.exe, shown as a registry value and as a netsh command line:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Trojan.exe' = '%TEMP%\Trojan.exe:*:Enabled:Trojan.exe'
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\Trojan.exe" "Trojan.exe" ENABLE
- '%TEMP%\Trojan.exe'
- '%TEMP%\<Virus name>.exe'
- %ProgramFiles%\officeplugin\plgskype.dll
- %ProgramFiles%\officeplugin\plgskype32.dll
- %ProgramFiles%\officeplugin\plgavbug.dll
- %ProgramFiles%\officeplugin\plgcmd32.dll
- %ProgramFiles%\officeplugin\plgurl.dll
- %ProgramFiles%\officeplugin\plgurl32.dll
- %ProgramFiles%\officeplugin\plgavbug32.dll
- %ProgramFiles%\officeplugin\plgfsflt32.dll
- %TEMP%\<Virus name>.exe
- %TEMP%\Trojan.exe
- %ProgramFiles%\officeplugin\plgusrstl.dll
- %ProgramFiles%\officeplugin\plgusrstl32.dll
- %ProgramFiles%\officeplugin\plgfsflt.dll
- %TEMP%\offplug.cfg
- %ProgramFiles%\officeplugin\zulib32.dll
- %TEMP%\zulib32.dll
- %ProgramFiles%\officeplugin\officeplugin
- %TEMP%\~znms.tmp
- %ProgramFiles%\officeplugin\offplug.cfg
- %ProgramFiles%\officeplugin\zcore.dll
- %ProgramFiles%\officeplugin\plginput.dll
- %ProgramFiles%\officeplugin\plginput32.dll
- %ProgramFiles%\officeplugin\plgcmd.dll
- %ProgramFiles%\officeplugin\zcore32.dll
- %ProgramFiles%\officeplugin\plgcomm.dll
- %ProgramFiles%\officeplugin\plgcomm32.dll
- %TEMP%\000257bb000257ca.tmp
- %TEMP%\0002542100025431.tmp
- %TEMP%\0002510400025114.tmp
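File path changes, source to destination (the 16-hex-digit .tmp names step upward from one entry to the next and look generated at run time, so they are unlikely to repeat exactly on another host):
- from %TEMP%\0002540200025411.tmp to %TEMP%\0002542100025431.tmp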
- from %TEMP%\zulib32.dll to %TEMP%\000254cd000254dc.tmp
- from %TEMP%\000253c3000253d3.tmp to %TEMP%\000253e2000253f2.tmp
- from %TEMP%\000253e2000253f2.tmp to %TEMP%\0002540200025411.tmp
- from %TEMP%\000254cd000254dc.tmp to %TEMP%\000254dc000254ec.tmp
- from %TEMP%\0002550b0002551b.tmp to %TEMP%\0002552b0002553a.tmp
- from %TEMP%\0002552b0002553a.tmp to %TEMP%\0002554a00025559.tmp
- from %TEMP%\000254dc000254ec.tmp to %TEMP%\000254ec000254fc.tmp
- from %TEMP%\000254ec000254fc.tmp to %TEMP%\0002550b0002551b.tmp
- from %TEMP%\000253a4000253b4.tmp to %TEMP%\000253c3000253d3.tmp
- from %TEMP%\000252d9000252e8.tmp to %TEMP%\000252f800025308.tmp
- from %TEMP%\000252f800025308.tmp to %TEMP%\0002530800025317.tmp
- from %TEMP%\000252aa000252ba.tmp to %TEMP%\000252ba000252c9.tmp
- from %TEMP%\000252ba000252c9.tmp to %TEMP%\000252d9000252e8.tmp
- from %TEMP%\0002530800025317.tmp to %TEMP%\0002532700025337.tmp
- from %TEMP%\0002536500025375.tmp to %TEMP%\0002538500025394.tmp
- from %TEMP%\0002538500025394.tmp to %TEMP%\000253a4000253b4.tmp
- from %TEMP%\0002532700025337.tmp to %TEMP%\0002534600025356.tmp
- from %TEMP%\0002534600025356.tmp to %TEMP%\0002536500025375.tmp
- from %TEMP%\0002554a00025559.tmp to %TEMP%\0002556900025579.tmp
- from %TEMP%\000256e0000256f0.tmp to %TEMP%\000256ff0002570f.tmp
- from %TEMP%\000256ff0002570f.tmp to %TEMP%\0002571f0002572e.tmp
- from %TEMP%\000256a2000256b1.tmp to %TEMP%\000256c1000256d0.tmp
- from %TEMP%\000256c1000256d0.tmp to %TEMP%\000256e0000256f0.tmp
- from %TEMP%\0002571f0002572e.tmp to %TEMP%\0002573e0002574d.tmp
- from %TEMP%\0002577c0002578c.tmp to %TEMP%\0002579c000257ab.tmp
- from %TEMP%\0002579c000257ab.tmp to %TEMP%\000257bb000257ca.tmp
- from %TEMP%\0002573e0002574d.tmp to %TEMP%\0002575d0002576d.tmp
- from %TEMP%\0002575d0002576d.tmp to %TEMP%\0002577c0002578c.tmp
- from %TEMP%\0002568200025692.tmp to %TEMP%\000256a2000256b1.tmp
- from %TEMP%\000255a8000255b7.tmp to %TEMP%\000255c7000255d6.tmp
- from %TEMP%\000255c7000255d6.tmp to %TEMP%\000255e6000255f6.tmp
- from %TEMP%\0002556900025579.tmp to %TEMP%\0002558800025598.tmp
- from %TEMP%\0002558800025598.tmp to %TEMP%\000255a8000255b7.tmp
- from %TEMP%\000255e6000255f6.tmp to %TEMP%\0002560500025615.tmp
- from %TEMP%\0002564400025653.tmp to %TEMP%\0002566300025673.tmp
- from %TEMP%\0002566300025673.tmp to %TEMP%\0002568200025692.tmp
- from %TEMP%\0002560500025615.tmp to %TEMP%\0002562500025634.tmp
- from %TEMP%\0002562500025634.tmp to %TEMP%\0002564400025653.tmp
- from %TEMP%\00024f4f00024f5e.tmp to %TEMP%\00024f6e00024f7d.tmp
- from %TEMP%\00024f6e00024f7d.tmp to %TEMP%\00024f8d00024f9d.tmp
- from %TEMP%\00024f1000024f20.tmp to %TEMP%\00024f2f00024f3f.tmp
- from %TEMP%\00024f2f00024f3f.tmp to %TEMP%\00024f4f00024f5e.tmp
- from %TEMP%\00024f8d00024f9d.tmp to %TEMP%\00024fac00024fbc.tmp
- from %TEMP%\00024feb00024ffa.tmp to %TEMP%\0002500a0002501a.tmp
- from %TEMP%\0002500a0002501a.tmp to %TEMP%\0002502900025039.tmp
- from %TEMP%\00024fac00024fbc.tmp to %TEMP%\00024fcc00024fdb.tmp
- from %TEMP%\00024fcc00024fdb.tmp to %TEMP%\00024feb00024ffa.tmp
- from %TEMP%\00024ef100024f00.tmp to %TEMP%\00024f1000024f20.tmp
- from %TEMP%\00024e5500024e64.tmp to %TEMP%\00024e7400024e83.tmp
- from %TEMP%\00024e7400024e83.tmp to %TEMP%\00024e9300024ea3.tmp
- from %TEMP%\~znms.tmp to %TEMP%\00024e3500024e45.tmp
- from %TEMP%\00024e3500024e45.tmp to %TEMP%\00024e5500024e64.tmp
- from %TEMP%\00024e9300024ea3.tmp to %TEMP%\00024eb200024ec2.tmp
- from %TEMP%\00024ed200024ee1.tmp to %TEMP%\00024ee100024ef1.tmp
- from %TEMP%\00024ee100024ef1.tmp to %TEMP%\00024ef100024f00.tmp
- from %TEMP%\00024eb200024ec2.tmp to %TEMP%\00024ec200024ed2.tmp
- from %TEMP%\00024ec200024ed2.tmp to %TEMP%\00024ed200024ee1.tmp
- from %TEMP%\0002502900025039.tmp to %TEMP%\0002504900025058.tmp
- from %TEMP%\000251cf000251df.tmp to %TEMP%\000251ee000251fe.tmp
- from %TEMP%\000251ee000251fe.tmp to %TEMP%\0002520e0002521d.tmp
- from %TEMP%\00025191000251a0.tmp to %TEMP%\000251b0000251c0.tmp
- from %TEMP%\000251b0000251c0.tmp to %TEMP%\000251cf000251df.tmp
- from %TEMP%\0002520e0002521d.tmp to %TEMP%\0002522d0002523d.tmp
- from %TEMP%\0002526b0002527b.tmp to %TEMP%\0002528b0002529a.tmp
- from %TEMP%\0002528b0002529a.tmp to %TEMP%\000252aa000252ba.tmp
- from %TEMP%\0002522d0002523d.tmp to %TEMP%\0002524c0002525c.tmp
- from %TEMP%\0002524c0002525c.tmp to %TEMP%\0002526b0002527b.tmp
- from %TEMP%\0002517100025181.tmp to %TEMP%\00025191000251a0.tmp
- from %TEMP%\0002508700025097.tmp to %TEMP%\000250a6000250b6.tmp
- from %TEMP%\000250a6000250b6.tmp to %TEMP%\000250c6000250d5.tmp
- from %TEMP%\0002504900025058.tmp to %TEMP%\0002506800025077.tmp
- from %TEMP%\0002506800025077.tmp to %TEMP%\0002508700025097.tmp
- from %TEMP%\000250c6000250d5.tmp to %TEMP%\000250e5000250f4.tmp
- from %TEMP%\0002513300025143.tmp to %TEMP%\0002515200025162.tmp
- from %TEMP%\0002515200025162.tmp to %TEMP%\0002517100025181.tmp
- from %TEMP%\000250e5000250f4.tmp to %TEMP%\0002510400025114.tmp
- from %TEMP%\offplug.cfg to %TEMP%\0002513300025143.tmp
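Network endpoint and DNS query (part of the host name is masked with ### in this listing, so it cannot be matched verbatim; the port is 1177):
- 'av###.does-it.net':1177
- DNS ASK av###.does-it.net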
- ClassName: 'Indicator' WindowName: ''
- ClassName: '{BCCBDD36-2455-48bc-8075-5BDCB359124F}' WindowName: '{EB4CB7C4-F2E5-46db-B49C-6E63F3C043CE}'