Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Internet Security' = '%ALLUSERSPROFILE%\Application Data\amsecure.exe' (autorun entry: values under this Run key are started each time the user logs on)
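- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\258b1] 'Name' = '%TEMP%\4.tmp' (print provider registration: the file named here is loaded by the Print Spooler service, spoolsv.exe; a provider that points into %TEMP% is worth checking on any host)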
- '%ALLUSERSPROFILE%\Application Data\amsecure.exe'
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- %WINDIR%\Temp\<INETFILES>\Content.IE5\03EBIXAN\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\A1OP8LGZ\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\HH3BTF3A\desktop.ini
- %WINDIR%\Temp\History\History.IE5\desktop.ini
- %WINDIR%\Temp\History\History.IE5\index.dat
- %WINDIR%\Temp\Cookies\index.dat
- %WINDIR%\Temp\~DFA09E.tmp
- %ALLUSERSPROFILE%\Application Data\amsecure
- %TEMP%\4.tmp
- %WINDIR%\Temp\<INETFILES>\Content.IE5\0XAJ4DIF\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\index.dat
- %WINDIR%\Temp\<INETFILES>\Content.IE5\A1OP8LGZ\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\03EBIXAN\desktop.ini
- %WINDIR%\Temp\History\History.IE5\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\0XAJ4DIF\desktop.ini
- %WINDIR%\Temp\<INETFILES>\Content.IE5\HH3BTF3A\desktop.ini
- from %ALLUSERSPROFILE%\Application Data\amsecure to %ALLUSERSPROFILE%\Application Data\amsecure.exe (rename: the extensionless file receives the .exe name that the Run value points to)
- from <Full path to file> to %TEMP%\8.tmp
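- 'sa###rboy.com':80 (outbound connection on TCP port 80; the '#' characters appear to be masking applied by the report, so the host name as printed cannot be used directly as a blocklist entry)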
- http://sa###rboy.com/images/m.php?id####
- DNS ASK sa###rboy.com
- ClassName: 'Shell_TrayWnd' WindowName: '' (Shell_TrayWnd is the window class of the Windows taskbar)