Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\SafeWall] 'Start' = '00000002' (a Start value of 2 registers the service for automatic start at boot)
- [<HKLM>\SYSTEM\ControlSet001\Services\SafeWall] 'ImagePath' = '<SYSTEM32>\SafeWall.sys'
- %WINDIR%\Temp\Config.dat
- <SYSTEM32>\SafeWall.sys
- <SYSTEM32>\SafeWall.sys
- 'localhost':1037
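- 'x6.####yuanfalan.com':80 (the '####' appears to mask part of the domain in this report, so the value cannot be used as an exact-match indicator)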
- 'x6.####yuanfalan.com':998
- http://x6.####yuanfalan.com/Config.rar
- DNS ASK x6.####yuanfalan.com
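- '<SYSTEM32>\cmd.exe' /c del /f /s /q %WINDIR%\minidump\*.* (force-deletes, recursively and without prompting, the crash-dump files under %WINDIR%\minidump, removing dumps an analyst could otherwise examine)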