Technical Information
- %HOMEPATH%\Start Menu\Programs\Startup\.lnk
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\KB4982143\vnc\vnc.exe' = '%HOMEPATH%\KB4982143\vnc\vnc.exe:*:Enabled:Update Service'
- '%HOMEPATH%\KB4982143\svchost.exe' Default
- '<SYSTEM32>\attrib.exe' +s +h "\Documents and Settings\%USERNAME%\KB4982143\*"
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "\Documents and Settings\%USERNAME%\KB4982143\vnc\vnc.exe" "Update Service" ENABLE
- '<SYSTEM32>\wscript.exe' "\Documents and Settings\%USERNAME%\KB4982143\_..vbs"
- '<SYSTEM32>\wscript.exe' "%TEMP%\7zS1.tmp\install.vbs"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7zS1.tmp\install.cmd" %TEMP%\7zS1.tmp"
- '<SYSTEM32>\attrib.exe' +s +h "\Documents and Settings\%USERNAME%\KB4982143"
- %HOMEPATH%\KB4982143\_!swapcore.cmd
- %HOMEPATH%\KB4982143\_!tget.cmd
- %HOMEPATH%\KB4982143\_!split.cmd
- %HOMEPATH%\KB4982143\_!restart.cmd
- %HOMEPATH%\KB4982143\_!screen.cmd
- %HOMEPATH%\KB4982143\_!tput.cmd
- %HOMEPATH%\KB4982143\_.cmd
- %HOMEPATH%\KB4982143\_.]
- %HOMEPATH%\KB4982143\_..vbs
- %HOMEPATH%\KB4982143\_!unpack.cmd
- %HOMEPATH%\KB4982143\_!vnc.cmd
- %HOMEPATH%\KB4982143\_!rename.cmd
- %HOMEPATH%\KB4982143\_!clone.cmd
- %HOMEPATH%\KB4982143\_!download.cmd
- %HOMEPATH%\KB4982143\_!camgrab.cmd
- %HOMEPATH%\KB4982143\svchost.exe
- %HOMEPATH%\KB4982143\_!.vbs
- %HOMEPATH%\KB4982143\_!erase.cmd
- %HOMEPATH%\KB4982143\_!port.cmd
- %HOMEPATH%\KB4982143\_!record.cmd
- %HOMEPATH%\KB4982143\_!panic.cmd
- %HOMEPATH%\KB4982143\_!ftp.cmd
- %HOMEPATH%\KB4982143\_!pack.cmd
- %HOMEPATH%\KB4982143\!kill.cmd
- %HOMEPATH%\KB4982143\{A2A}.b
- %HOMEPATH%\KB4982143\{BB7}.b
- %HOMEPATH%\KB4982143\{8E3}.b
- %HOMEPATH%\KB4982143\{3F2}.b
- %HOMEPATH%\KB4982143\{5DF}.b
- %HOMEPATH%\KB4982143\{C17}.b
- %HOMEPATH%\KB4982143\startLink.ico
- %HOMEPATH%\KB4982143\pid
- %HOMEPATH%\KB4982143\id
- %HOMEPATH%\KB4982143\{EE6}.b
- %HOMEPATH%\KB4982143\[.]
- %HOMEPATH%\KB4982143\{2CB}.b
- %HOMEPATH%\KB4982143\!sleep.cmd
- %HOMEPATH%\KB4982143\!start.cmd
- %HOMEPATH%\KB4982143\!prep.cmd
- %HOMEPATH%\KB4982143\!lock.cmd
- %HOMEPATH%\KB4982143\!msgbox.cmd
- %HOMEPATH%\KB4982143\!unlock.cmd
- %HOMEPATH%\KB4982143\{17B}.b
- %HOMEPATH%\KB4982143\{19C}.b
- %HOMEPATH%\KB4982143\{0EC}.b
- %HOMEPATH%\KB4982143\!update.cmd
- %HOMEPATH%\KB4982143\!ver.cmd
- %TEMP%\7zS1.tmp\_!ftp.cmd
- %TEMP%\7zS1.tmp\_!pack.cmd
- %TEMP%\7zS1.tmp\_!erase.cmd
- %TEMP%\7zS1.tmp\_!clone.cmd
- %TEMP%\7zS1.tmp\_!download.cmd
- %TEMP%\7zS1.tmp\_!panic.cmd
- %TEMP%\7zS1.tmp\_!restart.cmd
- %TEMP%\7zS1.tmp\_!screen.cmd
- %TEMP%\7zS1.tmp\_!rename.cmd
- %TEMP%\7zS1.tmp\_!port.cmd
- %TEMP%\7zS1.tmp\_!record.cmd
- %TEMP%\7zS1.tmp\_!camgrab.cmd
- %TEMP%\7zS1.tmp\!msgbox.cmd
- %TEMP%\7zS1.tmp\!prep.cmd
- %TEMP%\7zS1.tmp\!lock.cmd
- %TEMP%\7zS1.tmp\startLink.ico
- %TEMP%\7zS1.tmp\!kill.cmd
- %TEMP%\7zS1.tmp\!sleep.cmd
- %TEMP%\7zS1.tmp\!ver.cmd
- %TEMP%\7zS1.tmp\install.cmd
- %TEMP%\7zS1.tmp\!update.cmd
- %TEMP%\7zS1.tmp\!start.cmd
- %TEMP%\7zS1.tmp\!unlock.cmd
- %TEMP%\7zS1.tmp\_!split.cmd
- %TEMP%\7zS1.tmp\{8E3}.b
- %TEMP%\7zS1.tmp\{A2A}.b
- %TEMP%\7zS1.tmp\{5DF}.b
- %TEMP%\7zS1.tmp\{2CB}.b
- %TEMP%\7zS1.tmp\{3F2}.b
- %TEMP%\7zS1.tmp\{BB7}.b
- %TEMP%\7zS1.tmp\[.]
- %TEMP%\7zS1.tmp\svchost.exe
- %TEMP%\7zS1.tmp\startLink.lnk
- %TEMP%\7zS1.tmp\{C17}.b
- %TEMP%\7zS1.tmp\{EE6}.b
- %TEMP%\7zS1.tmp\{19C}.b
- %TEMP%\7zS1.tmp\_!unpack.cmd
- %TEMP%\7zS1.tmp\_!vnc.cmd
- %TEMP%\7zS1.tmp\_!tput.cmd
- %TEMP%\7zS1.tmp\_!swapcore.cmd
- %TEMP%\7zS1.tmp\_!tget.cmd
- %TEMP%\7zS1.tmp\_.cmd
- %TEMP%\7zS1.tmp\{0EC}.b
- %TEMP%\7zS1.tmp\{17B}.b
- %TEMP%\7zS1.tmp\_..vbs
- %TEMP%\7zS1.tmp\install.vbs
- %TEMP%\7zS1.tmp\_!.vbs
- %HOMEPATH%\KB4982143\_!unpack.cmd
- %HOMEPATH%\KB4982143\_!tput.cmd
- %HOMEPATH%\KB4982143\_!vnc.cmd
- %HOMEPATH%\KB4982143\_.cmd
- %HOMEPATH%\KB4982143\_..vbs
- %HOMEPATH%\KB4982143\_!tget.cmd
- %HOMEPATH%\KB4982143\_!restart.cmd
- %HOMEPATH%\KB4982143\_!rename.cmd
- %HOMEPATH%\KB4982143\_!screen.cmd
- %HOMEPATH%\KB4982143\_!swapcore.cmd
- %HOMEPATH%\KB4982143\_!split.cmd
- %HOMEPATH%\KB4982143\_.]
- %HOMEPATH%\KB4982143\{A2A}.b
- %HOMEPATH%\KB4982143\{8E3}.b
- %HOMEPATH%\KB4982143\{BB7}.b
- %HOMEPATH%\KB4982143\{EE6}.b
- %HOMEPATH%\KB4982143\{C17}.b
- %HOMEPATH%\KB4982143\{5DF}.b
- %HOMEPATH%\KB4982143\{17B}.b
- %HOMEPATH%\KB4982143\{0EC}.b
- %HOMEPATH%\KB4982143\{19C}.b
- %HOMEPATH%\KB4982143\{3F2}.b
- %HOMEPATH%\KB4982143\{2CB}.b
- %HOMEPATH%\KB4982143\!update.cmd
- %HOMEPATH%\KB4982143\!unlock.cmd
- %HOMEPATH%\KB4982143\!ver.cmd
- %HOMEPATH%\KB4982143\startLink.ico
- %HOMEPATH%\KB4982143\id
- %HOMEPATH%\KB4982143\!start.cmd
- %HOMEPATH%\KB4982143\!lock.cmd
- %HOMEPATH%\KB4982143\!kill.cmd
- %HOMEPATH%\KB4982143\!msgbox.cmd
- %HOMEPATH%\KB4982143\!sleep.cmd
- %HOMEPATH%\KB4982143\!prep.cmd
- %HOMEPATH%\KB4982143\svchost.exe
- %HOMEPATH%\KB4982143\_!pack.cmd
- %HOMEPATH%\KB4982143\_!ftp.cmd
- %HOMEPATH%\KB4982143\_!panic.cmd
- %HOMEPATH%\KB4982143\_!record.cmd
- %HOMEPATH%\KB4982143\_!port.cmd
- %HOMEPATH%\KB4982143\_!erase.cmd
- %HOMEPATH%\KB4982143\_!.vbs
- %HOMEPATH%\KB4982143\[.]
- %HOMEPATH%\KB4982143\_!camgrab.cmd
- %HOMEPATH%\KB4982143\_!download.cmd
- %HOMEPATH%\KB4982143\_!clone.cmd
- %TEMP%\7zS1.tmp\_!tput.cmd
- %TEMP%\7zS1.tmp\_!tget.cmd
- %TEMP%\7zS1.tmp\_!unpack.cmd
- %TEMP%\7zS1.tmp\_..vbs
- %TEMP%\7zS1.tmp\_!vnc.cmd
- %TEMP%\7zS1.tmp\_!swapcore.cmd
- %TEMP%\7zS1.tmp\_!rename.cmd
- %TEMP%\7zS1.tmp\_!record.cmd
- %TEMP%\7zS1.tmp\_!restart.cmd
- %TEMP%\7zS1.tmp\_!split.cmd
- %TEMP%\7zS1.tmp\_!screen.cmd
- %TEMP%\7zS1.tmp\_.cmd
- %TEMP%\7zS1.tmp\{A2A}.b
- %TEMP%\7zS1.tmp\{8E3}.b
- %TEMP%\7zS1.tmp\{BB7}.b
- %TEMP%\7zS1.tmp\{EE6}.b
- %TEMP%\7zS1.tmp\{C17}.b
- %TEMP%\7zS1.tmp\{5DF}.b
- %TEMP%\7zS1.tmp\{17B}.b
- %TEMP%\7zS1.tmp\{0EC}.b
- %TEMP%\7zS1.tmp\{19C}.b
- %TEMP%\7zS1.tmp\{3F2}.b
- %TEMP%\7zS1.tmp\{2CB}.b
- %TEMP%\7zS1.tmp\_!port.cmd
- %TEMP%\7zS1.tmp\!update.cmd
- %TEMP%\7zS1.tmp\!unlock.cmd
- %TEMP%\7zS1.tmp\!ver.cmd
- %TEMP%\7zS1.tmp\install.vbs
- %TEMP%\7zS1.tmp\install.cmd
- %TEMP%\7zS1.tmp\!start.cmd
- %TEMP%\7zS1.tmp\!lock.cmd
- %TEMP%\7zS1.tmp\!kill.cmd
- %TEMP%\7zS1.tmp\!msgbox.cmd
- %TEMP%\7zS1.tmp\!sleep.cmd
- %TEMP%\7zS1.tmp\!prep.cmd
- %TEMP%\7zS1.tmp\startLink.ico
- %TEMP%\7zS1.tmp\_!erase.cmd
- %TEMP%\7zS1.tmp\_!download.cmd
- %TEMP%\7zS1.tmp\_!ftp.cmd
- %TEMP%\7zS1.tmp\_!panic.cmd
- %TEMP%\7zS1.tmp\_!pack.cmd
- %TEMP%\7zS1.tmp\_!clone.cmd
- %TEMP%\7zS1.tmp\svchost.exe
- %TEMP%\7zS1.tmp\startLink.lnk
- %TEMP%\7zS1.tmp\[.]
- %TEMP%\7zS1.tmp\_!camgrab.cmd
- %TEMP%\7zS1.tmp\_!.vbs
- 'lo####ck.webhop.net':80
- DNS ASK lo####ck.webhop.net