Technical Information
- [<HKLM>\System\CurrentControlSet\Services\STJ0WKmfBOavwjul] 'ImagePath' = '<Full path to file>'
- [<HKLM>\System\CurrentControlSet\Services\TsDefense] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\TsDefense] 'ImagePath' = '%ProgramFiles%\TsDefense\TsDefense.exe'
- %WINDIR%\microsoft.net\netfxrepair.exe
- <SYSTEM32>\rundll32.exe
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\msdtc.exe
- <SYSTEM32>\wusa.exe
- <SYSTEM32>\wbem\wmiprvse.exe
- nul
- %ProgramFiles%\tsdefense\tsdefense.exe
- '%WINDIR%\syswow64\cmd.exe' /c del "<Full path to file>" >> NUL (with hidden window)
- '%WINDIR%\microsoft.net\netfxrepair.exe'
- '%WINDIR%\syswow64\cmd.exe' /c del "<Full path to file>" >> NUL
- '<SYSTEM32>\rundll32.exe'
- '<SYSTEM32>\dllhost.exe'
- '<SYSTEM32>\msdtc.exe'
- '<SYSTEM32>\wusa.exe'
- '<SYSTEM32>\wbem\wmiprvse.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\mscorsvw.exe'