Technical Information
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Adobe_Reader' = '%TEMP%\\wmpscfgs.exe'
- %WINDIR%\tasks\at1.job
- <SYSTEM32>\tasks\at14
- %WINDIR%\tasks\at15.job
- <SYSTEM32>\tasks\at15
- %WINDIR%\tasks\at16.job
- <SYSTEM32>\tasks\at16
- %WINDIR%\tasks\at17.job
- <SYSTEM32>\tasks\at17
- %WINDIR%\tasks\at18.job
- <SYSTEM32>\tasks\at13
- %WINDIR%\tasks\at14.job
- <SYSTEM32>\tasks\at18
- %WINDIR%\tasks\at20.job
- <SYSTEM32>\tasks\at20
- %WINDIR%\tasks\at21.job
- <SYSTEM32>\tasks\at21
- %WINDIR%\tasks\at22.job
- <SYSTEM32>\tasks\at22
- %WINDIR%\tasks\at23.job
- <SYSTEM32>\tasks\at23
- %WINDIR%\tasks\at19.job
- <SYSTEM32>\tasks\at19
- %WINDIR%\tasks\at13.job
- <SYSTEM32>\tasks\at12
- %WINDIR%\tasks\at12.job
- %WINDIR%\tasks\at2.job
- <SYSTEM32>\tasks\at2
- %WINDIR%\tasks\at3.job
- <SYSTEM32>\tasks\at3
- %WINDIR%\tasks\at4.job
- <SYSTEM32>\tasks\at4
- %WINDIR%\tasks\at5.job
- <SYSTEM32>\tasks\at5
- %WINDIR%\tasks\at6.job
- <SYSTEM32>\tasks\at1
- <SYSTEM32>\tasks\at6
- <SYSTEM32>\tasks\at7
- %WINDIR%\tasks\at8.job
- <SYSTEM32>\tasks\at8
- %WINDIR%\tasks\at9.job
- <SYSTEM32>\tasks\at9
- %WINDIR%\tasks\at10.job
- <SYSTEM32>\tasks\at10
- %WINDIR%\tasks\at11.job
- <SYSTEM32>\tasks\at11
- %WINDIR%\tasks\at7.job
- %WINDIR%\tasks\at24.job
- <SYSTEM32>\tasks\at24
- %ProgramFiles(x86)%\adobe\acrotray .exe
- %ProgramFiles(x86)%\adobe\acrotray.exe
- %ProgramFiles(x86)%\internet explorer\wmpscfgs.exe
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\s-1-5-18\d42cc0c3858a58db2db37658219e6400_0cb67e2f-dc95-45ca-8fb8-69bde8e3f814
- %TEMP%\wmpscfgs.exe
- %ProgramFiles(x86)%\804918.dat
- %ProgramFiles(x86)%\804949.dat
- %APPDATA%\microsoft\windows\privacie\index.dat
- %ProgramFiles(x86)%\804918.dat
- %WINDIR%\tasks\at21.job
- <SYSTEM32>\tasks\at21
- %WINDIR%\tasks\at22.job
- <SYSTEM32>\tasks\at22
- %WINDIR%\tasks\at23.job
- <SYSTEM32>\tasks\at23
- %WINDIR%\tasks\at24.job
- <SYSTEM32>\tasks\at24
- %WINDIR%\tasks\at3.job
- %WINDIR%\tasks\at14.job
- <SYSTEM32>\tasks\at3
- <SYSTEM32>\tasks\at4
- %WINDIR%\tasks\at5.job
- <SYSTEM32>\tasks\at5
- %WINDIR%\tasks\at6.job
- <SYSTEM32>\tasks\at6
- %WINDIR%\tasks\at7.job
- <SYSTEM32>\tasks\at7
- %WINDIR%\tasks\at8.job
- <SYSTEM32>\tasks\at8
- %WINDIR%\tasks\at20.job
- <SYSTEM32>\tasks\at20
- <SYSTEM32>\tasks\at2
- %WINDIR%\tasks\at2.job
- <SYSTEM32>\tasks\at19
- %WINDIR%\tasks\at1.job
- <SYSTEM32>\tasks\at1
- %WINDIR%\tasks\at10.job
- <SYSTEM32>\tasks\at10
- %WINDIR%\tasks\at11.job
- <SYSTEM32>\tasks\at11
- %WINDIR%\tasks\at12.job
- <SYSTEM32>\tasks\at12
- %WINDIR%\tasks\at13.job
- %WINDIR%\tasks\at9.job
- %WINDIR%\tasks\at4.job
- <SYSTEM32>\tasks\at13
- %WINDIR%\tasks\at15.job
- <SYSTEM32>\tasks\at15
- %WINDIR%\tasks\at16.job
- <SYSTEM32>\tasks\at16
- %WINDIR%\tasks\at17.job
- <SYSTEM32>\tasks\at17
- %WINDIR%\tasks\at18.job
- <SYSTEM32>\tasks\at18
- %WINDIR%\tasks\at19.job
- %ProgramFiles(x86)%\804949.dat
- <SYSTEM32>\tasks\at14
- <SYSTEM32>\tasks\at9
- from %TEMP%\wmpscfgs.exe to %TEMP%\wmpscfgs .exe
- %TEMP%\wmpscfgs.exe
- 'su####etforme.com':80
- '94.##.229.248':80
- http://www.su####etforme.com/dupe.php?q=###########################################################################################
- http://www.su####etforme.com/dupe.php?ch#########################################################################################################################################################...
- http://ww#.###ernetforme.com/
- http://ww#.###ernetforme.com/bnTniVwfH.js
- http://www.su####etforme.com/search.php?q=###########################################################################################
- http://www.su####etforme.com/search.php?ch#######################################################################################################################################################...
- http://ww#.###ernetforme.com/bITGQtTNE.js
- DNS ASK su####etforme.com
- DNS ASK ww#.###ernetforme.com
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- '%TEMP%\wmpscfgs.exe'
- '%ProgramFiles(x86)%\internet explorer\wmpscfgs.exe' Explorer\wmpscfgs.exe
- '%TEMP%\wmpscfgs.exe' ' (with hidden window)
- '%ProgramFiles(x86)%\internet explorer\wmpscfgs.exe' Explorer\wmpscfgs.exe' (with hidden window)