Technical Information
- [<HKLM>\SYSTEM\ControlSet001\services\sppsvc] 'Start' = '00000002' (sets the Software Protection service start type to automatic; '00000002' is SERVICE_AUTO_START)
- hidden files
- '%CommonProgramFiles%\YoudaoDict_silent3.exe'
- '%CommonProgramFiles%\setup_s1020.exe'
- '%CommonProgramFiles%\setup_t10303.exe'
- '%CommonProgramFiles%\gqbb24_mt1.exe' /A
- '%CommonProgramFiles%\Microsoft Shared\autoinstall.exe'
- '%CommonProgramFiles%\kt_b_80213.exe'
- '%CommonProgramFiles%\gqbb24_mt1.exe'
- '%CommonProgramFiles%\tqrl_97_1957.exe'
- '%CommonProgramFiles%\appers_7_1958.exe'
- '%CommonProgramFiles%\kt_b_80213.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\appers_7_1958.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\gqbb24_mt1.exe' (downloaded from the Internet)
- '<SYSTEM32>\conhost.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\setup_s1020.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\setup_t10303.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\YoudaoDict_silent3.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\tqrl_97_1957.exe' (downloaded from the Internet)
- '<SYSTEM32>\Wat\WatAdminSvc.exe'
- '<SYSTEM32>\slui.exe' -Embedding
- '<SYSTEM32>\sppsvc.exe'
- '<SYSTEM32>\schtasks.exe' /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask"
- '<SYSTEM32>\Wat\WatAdminSvc.exe' /run
- '<SYSTEM32>\conhost.exe'
- %CommonProgramFiles%\shanhu_7654_356.jpg
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\3tb_140923192942q71f538987[1].jpg
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\3tb_141007222757xfui539918[1].jpg
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1[1].exe
- %CommonProgramFiles%\bdsd.jpg
- %CommonProgramFiles%\Microsoft Shared\ppt.txt
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\OfficeAssist.0195.80.1054[1].exe
- %CommonProgramFiles%\microsoft shared\dudukantu.txt
- %CommonProgramFiles%\OfficeAssist.0195.80.1054.exe
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab7FD.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab77F.tmp
- %CommonProgramFiles%\microsoft shared\p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C24EC5BDAF13613245B4CECC3DE91DC6
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C24EC5BDAF13613245B4CECC3DE91DC6
- %WINDIR%\Temp\tmp5447.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab787F.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab785E.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\mail[1].asp
- %CommonProgramFiles%\microsoft shared\autoinstall.exe
- %CommonProgramFiles%\Microsoft Shared\2345pack.ini
- %CommonProgramFiles%\Microsoft Shared\2345.txt
- %CommonProgramFiles%\qhse_7654_5943.jpg
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\3tb_140917191931o0a2538987[1].jpg
- %CommonProgramFiles%\tqrl_97_1957.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\tqrl_97_1957[1].exe
- %CommonProgramFiles%\microsoft shared\tqrl.txt
- %CommonProgramFiles%\gqbb24_mt1.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\gqbb24_mt1[1].exe
- %CommonProgramFiles%\Microsoft Shared\appers.txt
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\173937imav9yvcycn3akua[1].jpg
- <SYSTEM32>\unrar.dll
- %CommonProgramFiles%\asdqw_3104-48740.JPG
- %CommonProgramFiles%\appers_7_1958.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\appers_7_1958[1].exe
- %CommonProgramFiles%\microsoft shared\gqbb24_mt1.txt
- %CommonProgramFiles%\YoudaoDict_silent3.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\YoudaoDict_silent3[1].exe
- %CommonProgramFiles%\microsoft shared\YoudaoDict_silent3.txt
- %CommonProgramFiles%\kt_b_80213.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\kt_b_80213[1].exe
- %CommonProgramFiles%\microsoft shared\setup_s1020.txt
- %CommonProgramFiles%\setup_t10303.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\setup_t10303[1].exe
- %CommonProgramFiles%\microsoft shared\setup_t10303.txt
- %CommonProgramFiles%\setup_s1020.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\setup_s1020[1].exe
- %WINDIR%\Temp\tmp5447.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab785E.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab787F.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab77F.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab7FD.tmp
- %CommonProgramFiles%\qhse_7654_5943.jpg
- 'ct###.#indowsupdate.com':80
- 'wd##.#ache.wps.cn':80
- 'do##.#unasou.com':80
- 'd3.#reep.cn':80
- '20#.#6.232.182':80
- 'www.3n##.com':80
- 'ji#####wnload.2345.cn':80
- 'do##.#ianyunxj.com':80
- 'do##.9vh.net':80
- 'cd#.#####a.attachment.inimc.com':80
- 'gu########.oss-cn-hangzhou.aliyuncs.com':80
- 'co####.youdao.com':80
- 'xz.###nxinshu.com':80
- 'do##.##aoxinrili.com':80
- ji#####wnload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
- d3.#reep.cn/3tb_140917191931o0a2538987.jpg
- d3.#reep.cn/3tb_140923192942q71f538987.jpg
- d3.#reep.cn/3tb_141007222757xfui539918.jpg
- www.3n##.com/xin8/mail.asp?qq#######################################################################################################################################################################################################################
- 20#.#6.232.182/fwlink/?Li###########
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?73##############
- 20#.#6.232.182/pki/crl/products/microsoftrootcert.crl
- 20#.#6.232.182/pki/crl/products/WinPCA.crl
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7##############
- do##.#ianyunxj.com/tqrl_97_1957.exe
- gu########.oss-cn-hangzhou.aliyuncs.com/gqbb24_mt1.exe
- cd#.#####a.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
- do##.9vh.net/appers_7_1958.exe
- do##.##aoxinrili.com/hezi/jm/setup_t10303.exe
- do##.#unasou.com/kt/kt_b_80213.exe
- wd##.#ache.wps.cn/wps/download/OfficeAssist.0195.80.1054.exe
- xz.###nxinshu.com/download/setup_s1020.exe
- co####.youdao.com/cidian/YoudaoDict_silent3.exe
- DNS ASK d3.#reep.cn
- DNS ASK ji#####wnload.2345.cn
- DNS ASK wd##.#ache.wps.cn
- DNS ASK ct###.#indowsupdate.com
- DNS ASK www.microsoft.com
- DNS ASK go.###rosoft.com
- DNS ASK www.3n##.com
- DNS ASK crl.microsoft.com
- DNS ASK do##.#ianyunxj.com
- DNS ASK gu########.oss-cn-hangzhou.aliyuncs.com
- DNS ASK cd#.#####a.attachment.inimc.com
- DNS ASK do##.9vh.net
- DNS ASK co####.youdao.com
- DNS ASK do##.#unasou.com
- DNS ASK do##.##aoxinrili.com
- DNS ASK xz.###nxinshu.com
- ClassName: '' WindowName: 'frmProgress'
- ClassName: '' WindowName: '违法和不良信息举报中心' (displayed on the page as 'ОҐ·ЁєНІ»БјРЕПўѕЩ±ЁЦРРД', i.e. GBK bytes mis-decoded as Windows-1251; approximately "Illegal and Harmful Information Reporting Center")
- ClassName: '' WindowName: '一键安装合集完整版 2014年10月第1版' (displayed on the page as 'Т»јь°ІЧ°єПјЇНкХы°ж 2014Дк10ФВµЪ1°ж', i.e. GBK bytes mis-decoded as Windows-1251; approximately "One-click install collection, full edition, October 2014, edition 1")
- ClassName: '' WindowName: 'SusWnd'