Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\winlogin.exe'
- '' (downloaded from the Internet)
- %TEMP%\skid11.dll
- %TEMP%\winlogin.exe
- <SYSTEM32>\winlogin.exe
- <SYSTEM32>\servicehost.exe
- <SYSTEM32>\pcre.dll
- <SYSTEM32>\pocofoundation.dll
- <SYSTEM32>\pocozip.dll
- <SYSTEM32>\zlib1.dll
- <SYSTEM32>\fileapihook.dll
- %TEMP%\winlogin.exe
- http://71.##.146.15/jah/servicehost.exe
- http://71.##.146.15/jah/pcre.dll
- http://71.##.146.15/jah/PocoFoundation.dll
- http://71.##.146.15/jah/PocoZip.dll
- http://71.##.146.15/jah/zlib1.dll
- http://71.##.146.15/phdll/FileApiHook.dll
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK te###oolbox.com
- DNS ASK ap#.#pify.org
- DNS ASK microsoft.com
- '%TEMP%\winlogin.exe'
- '<SYSTEM32>\winlogin.exe'
- '<SYSTEM32>\servicehost.exe' 472546
- '<SYSTEM32>\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "<SYSTEM32>"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "<SYSTEM32>"