Technical Information
- [<HKLM>\System\CurrentControlSet\Services\ctfmon] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\ctfmon] 'ImagePath' = '"%WINDIR%\SysWOW64\nshipsec\ctfmon.exe"'
- 'ctfmon' "%WINDIR%\SysWOW64\nshipsec\ctfmon.exe"
- 'ctfmon' %WINDIR%\SysWOW64\nshipsec\ctfmon.exe
- from <Full path to file> to %WINDIR%\syswow64\nshipsec\ctfmon.exe
- '22#.#47.247.145':80
- '45.##.16.230':7080
- http://45.##.16.230:7080/bDvRj/MWWRW3k7ZW0M/AKkLJiYDQjeBNnX/5Oh89a/8Z5yy7ihWm5783VsAHi/7CYf/ via 45.##.16.230