Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'System Driver Component' = '"<SYSTEM32>\drvhost.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'HJG4VHE80VXL4' = '%APPDATA%\D0W1NLCGCKAA.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HJG4VHE80VXL4' = '%APPDATA%\D0W1NLCGCKAA.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\run] 'HJG4VHE80VXL4' = '%APPDATA%\D0W1NLCGCKAA.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run] 'HJG4VHE80VXL4' = '%APPDATA%\D0W1NLCGCKAA.exe'
- syshost.exe
- %PROGRAMDATA%\syshost.exe
- %WINDIR%\syswow64\drvhost.exe
- %TEMP%\d0w1nlcgckaa.exe.jpg
- %APPDATA%\7tbunruj0r3i
- %WINDIR%\syswow64\drvhost.exe
- from %PROGRAMDATA%\syshost.exe to %APPDATA%\d0w1nlcgckaa.exe
- DNS ASK in###tekbot.tk
- DNS ASK in####ekbot.info
- DNS ASK in###tekbot.com
- '%WINDIR%\syswow64\drvhost.exe'
- '%PROGRAMDATA%\syshost.exe'
- '%WINDIR%\syswow64\drvhost.exe' (with hidden window)
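The indicators above can be turned into a host and network check. The Python below is an added example, not code from the report or from the vendor: it expands the report's %VAR% and <SYSTEM32> placeholders against a constructed environment map, treats the '#' characters in the masked DNS names as single-character wildcards rather than literals, and runs a few constructed telemetry records through the matchers. Two points the listing implies are worth building in: the HKLM entries sit under Wow6432Node and the dropped copy lands in syswow64, which is what a 32-bit process writing to System32 gets on 64-bit Windows through WOW64 redirection, so the check looks for drvhost.exe at both the literal and the redirected location; and the policies\Explorer\Run keys are a second autostart location that Run-key-only sweeps miss. The environment values, the event records and the completed domain in the sample data are placeholders made up for the example, not recovered values.

```python
import re

# Persistence entries from the report: (hive, key, value name, data).
RUN_KEY_IOCS = [
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "System Driver Component", r'"<SYSTEM32>\drvhost.exe"'),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "HJG4VHE80VXL4", r"%APPDATA%\D0W1NLCGCKAA.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run",
     "HJG4VHE80VXL4", r"%APPDATA%\D0W1NLCGCKAA.exe"),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\run",
     "HJG4VHE80VXL4", r"%APPDATA%\D0W1NLCGCKAA.exe"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run",
     "HJG4VHE80VXL4", r"%APPDATA%\D0W1NLCGCKAA.exe"),
]

# File paths from the report (the bare "syshost.exe" entry is covered by the full path).
FILE_IOCS = [
    r"%PROGRAMDATA%\syshost.exe",
    r"%WINDIR%\syswow64\drvhost.exe",
    r"%TEMP%\d0w1nlcgckaa.exe.jpg",
    r"%APPDATA%\7tbunruj0r3i",
    r"%APPDATA%\d0w1nlcgckaa.exe",
]

# DNS names exactly as the report prints them; '#' is a character the report masked.
DNS_IOCS = ["in###tekbot.tk", "in####ekbot.info", "in###tekbot.com"]

# Constructed environment for expansion (a real scan would read the host's own values).
ENV = {
    "WINDIR": r"C:\Windows",
    "SYSTEM32": r"C:\Windows\System32",
    "PROGRAMDATA": r"C:\ProgramData",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def normalize_path(p, env=ENV):
    """Strip quotes, expand %VAR% and <VAR> placeholders, lowercase for comparison."""
    p = p.strip().strip("'\"")

    def expand(m):
        name = (m.group(1) or m.group(2)).upper()
        return env.get(name, m.group(0))  # unknown placeholder is left as-is

    return re.sub(r"%([^%]+)%|<([^>]+)>", expand, p).lower()


# On-disk indicators: the listed files plus every Run-value target, so that
# drvhost.exe is matched at System32 (literal) and syswow64 (WOW64-redirected).
FILE_PATHS = {normalize_path(p) for p in FILE_IOCS} | {
    normalize_path(data) for *_, data in RUN_KEY_IOCS
}

# Each masked '#' becomes a single non-dot character; everything else is literal.
DNS_PATTERNS = [
    re.compile("^" + "[^.]".join(re.escape(part) for part in mask.split("#")) + "$", re.I)
    for mask in DNS_IOCS
]


def match_registry(hive, key, name, data):
    """Return the matching IOC (as hive\\key\\name) if an autorun value matches by name or target."""
    wanted = (hive.upper(), key.strip("\\").lower())
    for ihive, ikey, iname, idata in RUN_KEY_IOCS:
        if (ihive, ikey.lower()) != wanted:
            continue
        if name.lower() == iname.lower() or normalize_path(data) == normalize_path(idata):
            return f"{ihive}\\{ikey}\\{iname}"
    return None


def match_path(path):
    """True if a file or process image path equals one of the report's paths after expansion."""
    return normalize_path(path) in FILE_PATHS


def match_dns(qname):
    """Return the report's masked name that a queried name fits, or None."""
    q = qname.rstrip(".")
    for mask, pat in zip(DNS_IOCS, DNS_PATTERNS):
        if pat.match(q):
            return mask
    return None


def scan(events):
    """Dispatch each telemetry record to the matcher for its type; return (index, ioc) hits."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry":
            ioc = match_registry(ev["hive"], ev["key"], ev["name"], ev["data"])
        elif kind in ("file", "process"):
            ioc = normalize_path(ev["path"]) if match_path(ev["path"]) else None
        elif kind == "dns":
            ioc = match_dns(ev["qname"])
        else:
            ioc = None
        if ioc:
            hits.append((i, ioc))
    return hits


# Constructed telemetry for the example; the domain "inxyztekbot.tk" is a made-up
# fill of the masked name, not a recovered value.
SAMPLE_EVENTS = [
    {"type": "registry", "hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "HJG4VHE80VXL4", "data": r"C:\Users\alice\AppData\Roaming\D0W1NLCGCKAA.exe"},
    {"type": "registry", "hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "path": r'"C:\Windows\SysWOW64\drvhost.exe"'},
    {"type": "file", "path": r"C:\ProgramData\syshost.exe"},
    {"type": "dns", "qname": "inxyztekbot.tk"},
    {"type": "dns", "qname": "www.example.com"},
]

if __name__ == "__main__":
    for idx, ioc in scan(SAMPLE_EVENTS):
        print(f"event {idx}: matched {ioc}")
```

Comparison is case-insensitive throughout because both the registry and NTFS paths are case-insensitive, and the report itself mixes cases for the same artifact. On a live host the same matchers can be fed from the Run and policies\Explorer\Run keys of every loaded user hive, the process list, and DNS client or resolver logs.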