Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,"%LOCALAPPDATA%\PIipw5HJik\I2mrlYBtPZ.exe" -s'
- %LOCALAPPDATA%\piipw5hjik\i2mrlybtpz.exe
- %TEMP%\wg3citzlhd.exe
- %LOCALAPPDATA%\piipw5hjik\i2mrlybtpz.exe
- 'localhost':1865
- '%TEMP%\wg3citzlhd.exe'