Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002'
- System Restore (SR): the two registry writes above set the `sr` filter driver to boot start (Start=0) and the `srservice` service to automatic (Start=2), i.e. they turn System Restore on; this appears to be preparation for creating a restore point (compare the `createsrpoint.zoek` helper dropped in %TEMP% below — TODO confirm against the script body).
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "%HOMEPATH%\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "%HOMEPATH%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\wget.exe' /S /D /c" type users1.txt "
- '%TEMP%\PEVZ.EXE' /pid=3248
- '%TEMP%\PEVZ.EXE' -rtd "%WINDIR%\serviceprofiles\networkservice\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "%WINDIR%\serviceprofiles\Localservice\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "%ALLUSERSPROFILE%\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' "s/^[ \t]*//;s/[ \t]*$//" input.txt
- '%TEMP%\PEVZ.EXE' /I /M ";virustotal"
- '%TEMP%\PEVZ.EXE' -rtd "<LS_APPDATA>\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\Local Settings\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\wget.exe' /S /D /c" type input.txt "
- '%TEMP%\PEVZ.EXE' /pid=3464
- '%TEMP%\PEVZ.EXE' /S /D /c" type input.txt "
- '%TEMP%\PEVZ.EXE' /pid=3156
- '%TEMP%\PEVZ.EXE' -rtd "<LS_APPDATA>\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Local Settings\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "%APPDATA%\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\sed.exe' -rtd "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Local Settings\Application Data\Sun\Java\Deployment\SystemCache\6.0"
- '%TEMP%\PEVZ.EXE' -td "C:\Documents and Settings\Default User\Downloads"
- '%TEMP%\PEVZ.EXE' -td "C:\Documents and Settings\LocalService\Downloads"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\*"
- '%TEMP%\PEVZ.EXE' -td "%ALLUSERSPROFILE%\Downloads"
- '%TEMP%\PEVZ.EXE' -rtd "%ALLUSERSPROFILE%\Desktop"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Desktop"
- '%TEMP%\PEVZ.EXE' -td "C:\Documents and Settings\NetworkService\Downloads"
- '%TEMP%\PEVZ.EXE' -td "%HOMEPATH%\Downloads"
- '%TEMP%\PEVZ.EXE' -k cscript.exe
- '%TEMP%\RarSFX0\PEVZ.EXE' PLIST
- '%TEMP%\RarSFX0\PEVZ.EXE' -rtd "%HOMEPATH%"
- '%TEMP%\RarSFX0\PEVZ.EXE' exec cmd.exe /c zoek-install.bat
- '%TEMP%\RarSFX0\PEVZ.EXE' clist
- '%TEMP%\PEVZ.EXE' MOVEEX "%TEMP%\zoek.com"
- '%TEMP%\PEVZ.EXE' -k wscript.exe
- '%TEMP%\wget.exe' http://www.hi###kthis.nl/smeenk/sample/download7.bat
- '%TEMP%\PEVZ.EXE' -rtd "%HOMEPATH%"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Desktop"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\Default User\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "%ALLUSERSPROFILE%\Application Data\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "%ALLUSERSPROFILE%\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "<SYSTEM32>\config\systemprofile\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\LocalService\Application Data\Roaming\Mozilla\Firefox\Profiles\*"
- '%TEMP%\PEVZ.EXE' -rtd "<LS_APPDATA>"
- '%TEMP%\PEVZ.EXE' exec cmd /c zoekrun.bat
- '%TEMP%\NirCmd.exe' infobox "--- Information !! ---~n~nZ-Analyse.exe is running now.~n~nDo not open your browsers, they will be closed automatically.~nPlease wait! This window will close when finished.~nA logfile will open afterwards and can also be found on your systemdrive as zoek-results.log" "Z-Analyse.exe v1.0.0.1 by Smeenk"
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\NetworkService\Desktop"
- '%TEMP%\PEVZ.EXE' -rtd "%HOMEPATH%\Desktop"
- '%TEMP%\sed.exe' "s/=/@/g" logje1.txt
- '%TEMP%\PEVZ.EXE' -rtd "%HOMEPATH%\Start Menu\Programs"
- '%TEMP%\PEVZ.EXE' -rtd "%ALLUSERSPROFILE%\Start Menu\Programs"
- '%TEMP%\PEVZ.EXE' -rtd "%APPDATA%"
- '<SYSTEM32>\findstr.exe' -rtd "%ALLUSERSPROFILE%\Application Data\Sun\Java\Deployment\cache\6.0"
- '<SYSTEM32>\findstr.exe' /pid=3336
- '<SYSTEM32>\findstr.exe' /S /D /c" VER"
- '<SYSTEM32>\cscript.exe' -rtd "C:\Documents and Settings\LocalService\AppData\LocalLow\Sun\Java\Deployment\cache\6.0"
- '<SYSTEM32>\reg.exe' /pid=4072
- '<SYSTEM32>\findstr.exe' -rtd "%APPDATA%\Sun\Java\Deployment\SystemCache\6.0"
- '<SYSTEM32>\cscript.exe' -rtd "C:\Documents and Settings\LocalService\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0"
- '<SYSTEM32>\findstr.exe' -rtd "%APPDATA%\Mozilla\Firefox\Profiles\*"
- '<SYSTEM32>\find.exe' "REG_SZ"
- '<SYSTEM32>\reg.exe' query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Local AppData"
- '<SYSTEM32>\findstr.exe' -rtd "%WINDIR%\serviceprofiles\networkservice\Application Data\Mozilla\Firefox\Profiles\*"
- '<SYSTEM32>\cscript.exe' /pid=3316
- '<SYSTEM32>\findstr.exe' /V /I /C:"all users"
- '<SYSTEM32>\findstr.exe' /pid=3128
- '<SYSTEM32>\findstr.exe' /pid=2320
- '<SYSTEM32>\findstr.exe' /I /M "standardsearch;"
- '<SYSTEM32>\findstr.exe' /S /D /c" type tmp1.txt "
- '<SYSTEM32>\findstr.exe' /pid=3036
- '<SYSTEM32>\findstr.exe' /I /M "iedefaults;"
- '<SYSTEM32>\cscript.exe' /pid=3236
- '<SYSTEM32>\findstr.exe' /V /I "http:"
- '<SYSTEM32>\findstr.exe' /M /I "http:"
- '<SYSTEM32>\findstr.exe' /I /M ";r"
- '<SYSTEM32>\find.exe' -rtd "<SYSTEM32>\config\systemprofile\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0"
- '<SYSTEM32>\reg.exe' /pid=236
- '<SYSTEM32>\findstr.exe' /pid=1148
- '<SYSTEM32>\findstr.exe' /S /D /c" type ffsetstartpage.zoek "
- '<SYSTEM32>\findstr.exe' /M /I "ffdefaults;http"
- '<SYSTEM32>\findstr.exe' /S /D /c" type input.txt "
- '<SYSTEM32>\cmd.exe' /c zoek.bat
- '<SYSTEM32>\findstr.exe' /M /I ".exe"
- '<SYSTEM32>\findstr.exe' /M /I ".scr"
- '<SYSTEM32>\reg.exe' Query HKLM\Hardware\Description\System\CentralProcessor\0
- '<SYSTEM32>\cscript.exe' //I //nologo test.vbs
- '<SYSTEM32>\cscript.exe' //I //nologo os.vbs
- '<SYSTEM32>\find.exe' /i "x86"
- '<SYSTEM32>\findstr.exe' /M /I "mshta.exe"
- '<SYSTEM32>\findstr.exe' -RIV "C:\\WINDOWS\\system32\\svchost.exe C:\\WINDOWS\\system32\\cmd.exe \\PEVZ.exe" ProcessList.txt
- '<SYSTEM32>\findstr.exe' /M /I "zoek.bat"
- '<SYSTEM32>\findstr.exe' /M /I "zoek"
- '<SYSTEM32>\findstr.exe' /M /I ".pif"
- '<SYSTEM32>\findstr.exe' /M /I ".com"
- '<SYSTEM32>\findstr.exe' /M /I "z-analyse"
- '<SYSTEM32>\cscript.exe' //I //nologo drt.vbs
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common Programs"
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logwww.tx#
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common appdata"
- '<SYSTEM32>\reg.exe' export "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logje.txt
- '<SYSTEM32>\find.exe' "6."
- '<SYSTEM32>\findstr.exe' /M /I /C:"Programs@"
- '<SYSTEM32>\findstr.exe' /M /I /C:"Programs"
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common Desktop"
- '<SYSTEM32>\findstr.exe' /M "="
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" elog.txt
- '<SYSTEM32>\findstr.exe' /V " ( "
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logje.txt
- '<SYSTEM32>\cmd.exe' /c zoekrun.bat
- '<SYSTEM32>\findstr.exe' /M " ( "
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\find.exe
- <SYSTEM32>\findstr.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- %TEMP%\zoekrun.bat
- %TEMP%\logje.txt
- %TEMP%\tmp.txt
- %TEMP%\downloads.txt
- %TEMP%\desktop.txt
- %TEMP%\path.txt
- %TEMP%\logwww.txt
- %TEMP%\logje3.txt
- %TEMP%\logje1.txt
- %TEMP%\logje2.txt
- %TEMP%\tmp1.txt
- %TEMP%\drt.vbs
- %TEMP%\test.vbs
- %TEMP%\os.vbs
- %TEMP%\ostmp.tmp
- %TEMP%\audesktop.txt
- %TEMP%\users.txt
- %TEMP%\exportit.txt
- %TEMP%\elog.txt
- %TEMP%\elog1.txt
- %TEMP%\appdata.txt
- %TEMP%\appdata.zoek
- %TEMP%\users.zoek
- %TEMP%\path2.txt
- %TEMP%\ffprofiles.zoek
- %TEMP%\tempfolders.zoek
- %TEMP%\createsrpoint.zoek
- %TEMP%\tempfolders.txt
- %TEMP%\localappdata.txt
- %TEMP%\localappdata.zoek
- %TEMP%\pathwww.txt
- %TEMP%\in-put.txt
- %TEMP%\logwww3.txt
- %TEMP%\logwww1.txt
- %TEMP%\logwww2.txt
- %TEMP%\logje6.txt
- %TEMP%\path1.txt
- %TEMP%\logje5.txt
- %TEMP%\users1.txt
- %TEMP%\logje4.txt
- %TEMP%\StringCheck.txt
- %TEMP%\RarSFX0\ze.scf
- %TEMP%\RarSFX0\PEVZ.EXE
- %TEMP%\RarSFX0\zd.scf
- %TEMP%\RarSFX0\zb.scf
- %TEMP%\RarSFX0\zc.scf
- %TEMP%\RarSFX0\logje.txt
- %TEMP%\RarSFX0\test.txt
- %TEMP%\RarSFX0\ProcessList.txt
- %TEMP%\RarSFX0\zoek-install.bat
- %TEMP%\RarSFX0\clist.txt
- %TEMP%\RarSFX0\z3.scf
- %TEMP%\RarSFX0\z5.scf
- %TEMP%\RarSFX0\z2.scf
- %TEMP%\RarSFX0\z0.scf
- %TEMP%\RarSFX0\z1.scf
- %TEMP%\RarSFX0\z9.scf
- %TEMP%\RarSFX0\za.scf
- %TEMP%\RarSFX0\z8.scf
- %TEMP%\RarSFX0\z6.scf
- %TEMP%\RarSFX0\z7.scf
- %TEMP%\7za.exe
- %TEMP%\hijackthis.exe
- %TEMP%\swxcacls.exe
- %TEMP%\NirCmd.exe
- %TEMP%\sed.exe
- %TEMP%\log.txt
- %TEMP%\checkOS.txt
- %TEMP%\log2
- %TEMP%\shortcut.exe
- %TEMP%\test.txt
- %TEMP%\zoek.bat
- %TEMP%\swreg.exe
- %TEMP%\zoek.hta
- %TEMP%\urlzoek
- %TEMP%\RarSFX0\log.txt
- %TEMP%\zoekrun.hta
- %TEMP%\zoek-delete.exe
- %TEMP%\remove.exe
- %TEMP%\PEVZ.EXE
- %TEMP%\wget.exe
- %TEMP%\logje3.txt
- %TEMP%\logje2.txt
- %TEMP%\logje1.txt
- %TEMP%\logwww1.txt
- %TEMP%\logwww.txt
- %TEMP%\tmp.txt
- %TEMP%\logje.txt
- %TEMP%\elog1.txt
- %TEMP%\elog.txt
- %TEMP%\ostmp.tmp
- %TEMP%\users.txt
- %TEMP%\audesktop.txt
- %TEMP%\exportit.txt
- %TEMP%\logwww2.txt
- %TEMP%\appdata.txt
- %TEMP%\users1.txt
- %TEMP%\path1.txt
- %TEMP%\PEVZ.EXE
- %TEMP%\tempfolders.txt
- %TEMP%\localappdata.txt
- %TEMP%\path2.txt
- %TEMP%\in-put.txt
- %TEMP%\pathwww.txt
- %TEMP%\logwww3.txt
- %TEMP%\logje6.txt
- %TEMP%\logje5.txt
- %TEMP%\logje4.txt
- %TEMP%\drt.vbs
- %TEMP%\RarSFX0\z6.scf
- %TEMP%\RarSFX0\z5.scf
- %TEMP%\RarSFX0\z3.scf
- %TEMP%\RarSFX0\z9.scf
- %TEMP%\RarSFX0\z8.scf
- %TEMP%\RarSFX0\z7.scf
- %TEMP%\RarSFX0\z2.scf
- %TEMP%\RarSFX0\test.txt
- %TEMP%\RarSFX0\ProcessList.txt
- %TEMP%\RarSFX0\clist.txt
- %TEMP%\RarSFX0\z1.scf
- %TEMP%\RarSFX0\z0.scf
- %TEMP%\RarSFX0\logje.txt
- %TEMP%\RarSFX0\za.scf
- %TEMP%\checkOS.txt
- %TEMP%\StringCheck.txt
- %TEMP%\log2
- %TEMP%\tmp1.txt
- %TEMP%\test.vbs
- %TEMP%\os.vbs
- %TEMP%\test.txt
- %TEMP%\RarSFX0\zd.scf
- %TEMP%\RarSFX0\zc.scf
- %TEMP%\RarSFX0\zb.scf
- %TEMP%\RarSFX0\PEVZ.EXE
- %TEMP%\RarSFX0\log.txt
- %TEMP%\RarSFX0\ze.scf
- 'www.hi###kthis.nl':80
- www.hi###kthis.nl/smeenk/sample/download7.bat
- DNS ASK www.hi###kthis.nl
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'