Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'drvsyskit' = '%APPDATA%\drivers\winupgro.exe' (per-user Run key: the value is launched at each logon of that user)
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'Start' = '00000001' (1 = SERVICE_SYSTEM_START, a start type used for drivers loaded during system initialization)
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'ImagePath' = '<SYSTEM32>\wfsintwq.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'Start' = '00000001' (1 = SERVICE_SYSTEM_START, as above)
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'ImagePath' = '<SYSTEM32>\srosa2.sys'
- Windows Update
- Windows Security Center
- User Account Control (UAC)
- '%APPDATA%\drivers\winupgro.exe'
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'GBDYLLO' WindowName: '' ('OLLYDBG' spelled backwards)
- ClassName: 'OLLYDBG' WindowName: ''
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: 'pediy06' WindowName: ''
- %APPDATA%\drivers\winupgro.exe
- %APPDATA%\drivers\downld\198781.exe
- %APPDATA%\drivers\downld\198500.exe
- %APPDATA%\drivers\downld\200953.exe
- %APPDATA%\drivers\downld\203984.exe
- %APPDATA%\drivers\downld\202078.exe
- %APPDATA%\drivers\downld\197312.exe
- %APPDATA%\drivers\downld\192828.exe
- %APPDATA%\drivers\downld\192500.exe
- %APPDATA%\drivers\downld\194281.exe
- %APPDATA%\drivers\downld\196937.exe
- %APPDATA%\drivers\downld\195687.exe
- %APPDATA%\drivers\downld\218437.exe
- %APPDATA%\drivers\downld\215687.exe
- %APPDATA%\drivers\downld\219515.exe
- %APPDATA%\drivers\downld\221937.exe
- %APPDATA%\drivers\downld\221093.exe
- %APPDATA%\drivers\downld\213687.exe
- %APPDATA%\drivers\downld\207171.exe
- %APPDATA%\drivers\downld\205296.exe
- %APPDATA%\drivers\downld\208171.exe
- %APPDATA%\drivers\downld\211640.exe
- %APPDATA%\drivers\downld\210656.exe
- %APPDATA%\drivers\downld\168687.exe
- %APPDATA%\drivers\downld\167875.exe
- %APPDATA%\drivers\downld\171421.exe
- %APPDATA%\drivers\downld\174640.exe
- %APPDATA%\drivers\downld\173218.exe
- %APPDATA%\drivers\downld\165812.exe
- <SYSTEM32>\srosa2.sys
- %APPDATA%\drivers\winupgro.exe
- <SYSTEM32>\wfsintwq.sys
- %APPDATA%\drivers\downld\165296.exe
- %APPDATA%\drivers\downld\163312.exe
- %APPDATA%\drivers\downld\188546.exe
- %APPDATA%\drivers\downld\185906.exe
- %APPDATA%\drivers\downld\189468.exe
- %APPDATA%\drivers\downld\191171.exe
- %APPDATA%\drivers\downld\190781.exe
- %APPDATA%\drivers\downld\183968.exe
- %APPDATA%\drivers\downld\177203.exe
- %APPDATA%\drivers\downld\175125.exe
- %APPDATA%\drivers\downld\177765.exe
- %APPDATA%\drivers\downld\181750.exe
- %APPDATA%\drivers\downld\180796.exe
- 'www.di#####nline-world.com':80
- 'www.re####aoyc.com.ar':80
- 'ca#####edeibcn.com.br':80
- 'el####ng.aab-net.dk':80
- 'ht###.com.br':80
- 'www.vi#####ioilgabbiano.com':80
- 'vd##uad.be':80
- 'www.pi###tuvida.com':80
- 's2######72.onlinehome.fr':80
- 'so##ere.fr':80
- 'ap####tware.com.br':80
- 'www.si###chland.net':80
- 'tr####ardan.com.ar':80
- 'www.ge##elp.gr':80
- '74.##5.232.51':80
- 'ne###zone.com':80
- 'es####emos.com.br':80
- 'ge###t.com.br':80
- 'in######astodoflex.com.ar':80
- 'sa####guros.com.br':80
- 'bi##pe.dk':80
- 'www.vi###aweb.ch':80
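- http://www.re####aoyc.com.ar/images/abcm.php?cr##### (host names and query strings in this list are partially masked with '#', so they cannot be matched exactly; every URL in the list shares the path /images/abcm.php and a query string beginning with 'cr')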
- http://www.vi#####ioilgabbiano.com/images/abcm.php?cr#####
- http://www.di#####nline-world.com/images/abcm.php?cr#####
- http://ht###.com.br/images/abcm.php?cr#####
- http://ca#####edeibcn.com.br/images/abcm.php?cr#####
- http://vd##uad.be/images/abcm.php?cr#####
- http://www.pi###tuvida.com/images/abcm.php?cr#####
- http://s2######72.onlinehome.fr/images/abcm.php?cr#####
- http://so##ere.fr/images/abcm.php?cr#####
- http://ap####tware.com.br/images/abcm.php?cr#####
- http://el####ng.aab-net.dk/images/abcm.php?cr#####
- http://tr####ardan.com.ar/images/abcm.php?cr#####
- http://es####emos.com.br/images/abcm.php?cr#####
- http://www.si###chland.net/images/abcm.php?cr#####
- http://ne###zone.com/images/abcm.php?cr#####
- http://www.ge##elp.gr/images/abcm.php?cr#####
- http://ge###t.com.br/images/abcm.php?cr#####
- http://in######astodoflex.com.ar/images/abcm.php?cr#####
- http://sa####guros.com.br/images/abcm.php?cr#####
- http://bi##pe.dk/images/abcm.php?cr#####
- http://www.vi###aweb.ch/images/abcm.php?cr#####
- DNS ASK www.di#####nline-world.com
- DNS ASK www.re####aoyc.com.ar
- DNS ASK ca#####edeibcn.com.br
- DNS ASK el####ng.aab-net.dk
- DNS ASK ht###.com.br
- DNS ASK www.vi#####ioilgabbiano.com
- DNS ASK vd##uad.be
- DNS ASK www.pi###tuvida.com
- DNS ASK s2######72.onlinehome.fr
- DNS ASK so##ere.fr
- DNS ASK ap####tware.com.br
- DNS ASK www.si###chland.net
- DNS ASK tr####ardan.com.ar
- DNS ASK www.ge##elp.gr
- DNS ASK google.com (legitimate domain, presumably a connectivity check; not usable as an indicator on its own)
- DNS ASK ne###zone.com
- DNS ASK es####emos.com.br
- DNS ASK ge###t.com.br
- DNS ASK in######astodoflex.com.ar
- DNS ASK sa####guros.com.br
- DNS ASK bi##pe.dk
- DNS ASK www.vi###aweb.ch
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'AavmMessageClass' WindowName: ''
- ClassName: '18467-41' WindowName: ''