- Sometimes js dropper
- C:\Users\<user>\AppData\Roaming\Microsoft\Internet Explorer\<characters>.inf
- C:\Users\<user>\AppData\Local\Temp\<digits>.bat
- may check:
  - C:\Users\<user>\AppData\Local\FileZilla\sitemanager.xml
  - C:\Users\<user>\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
  - HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
  - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
  - HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
  - HKEY_LOCAL_MACHINE\Software\FileZilla
- sets:
  - HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32 <- many of these
- mutex:
  - ServiceEntryPointThread
- network:
  - Links like:
    - /rpersist4/-327594751
    - /rbody320
    - /rpersist4/-1008320073
  - May start servers listening on 127.0.0.1:6443, 127.0.0.1:6080
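
Added example (not part of the original paste): a small triage pass that matches endpoint and proxy events against the indicators listed above. The event kinds ("file", "regset", "fileread", ...), the host names and the sample events are assumptions made up for illustration, as is treating the digit runs in the URL paths as variable.

```python
import re

I = re.IGNORECASE
# (event kind, label, pattern) transcribed from the list above. Treating the
# digit runs in the URL paths as variable is an assumption, not stated there.
RULES = [
    ("file", "inf-in-ie-dir", re.compile(
        r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Internet Explorer\\[^\\]+\.inf$", I)),
    ("file", "numeric-bat-in-temp", re.compile(
        r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\\d+\.bat$", I)),
    ("regset", "appdatalow-binaryimage32", re.compile(
        r"^HKEY_CURRENT_USER\\Software\\AppDataLow\\binaryImage32", I)),
    ("mutex", "mutex-name", re.compile(r"^ServiceEntryPointThread$")),
    ("url", "rpersist-path", re.compile(r"/rpersist\d+/-?\d+")),
    ("url", "rbody-path", re.compile(r"/rbody\d+")),
    ("listen", "loopback-listener", re.compile(r"^127\.0\.0\.1:(6443|6080)$")),
]
# "may check" targets: legitimate clients read these too, so they only add
# context to a host that already matched one of the rules above.
CRED_STORES = [s.lower() for s in (
    r"\AppData\Local\FileZilla\sitemanager.xml",
    r"\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat",
    r"\Software\Microsoft\Internet Account Manager\Accounts",
    r"\Windows Messaging Subsystem\Profiles\Outlook",
    r"\Software\Ghisler\Windows Commander",
    r"\Software\Ghisler\Total Commander",
    r"HKEY_LOCAL_MACHINE\Software\FileZilla",
)]

def triage(events):
    """Map host -> sorted labels, for hosts with at least one rule match."""
    hits, cred = {}, set()
    for host, kind, value in events:
        for rule_kind, label, pattern in RULES:
            if kind == rule_kind and pattern.search(value):
                hits.setdefault(host, set()).add(label)
        if kind in ("fileread", "regread") and any(s in value.lower() for s in CRED_STORES):
            cred.add(host)
    for host in cred & hits.keys():
        hits[host].add("credential-store-access")
    return {host: sorted(labels) for host, labels in hits.items()}

# Constructed sample telemetry (host, kind, value); not taken from a real case.
SAMPLE = [
    ("ws-01", "file", r"C:\Users\alice\AppData\Local\Temp\48213.bat"),
    ("ws-01", "url", "/rpersist4/-327594751"),
    ("ws-01", "regread", r"HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander"),
    ("ws-02", "fileread", r"C:\Users\bob\AppData\Local\FileZilla\sitemanager.xml"),
    ("ws-03", "listen", "127.0.0.1:6443"),
]
```

A host that only reads a credential store (ws-02 in the sample) is not reported, since an FTP or mail client does the same in normal use.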