Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'pCPLHatKML' = '%APPDATA%\oZESZgCsFn\gKWSjYpJYD.exe'
- %WINDIR%\syswow64\notepad.exe
- %APPDATA%\ozeszgcsfn\gkwsjypjyd.exe
- <Full path to file>
- 'mu###.duckdns.org':1604
- DNS ASK mu###.duckdns.org
- '%WINDIR%\syswow64\cmd.exe' /k attrib "<Full path to file>" +s +h (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k attrib "<Current directory>" +s +h (with hidden window)
- '%WINDIR%\syswow64\notepad.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k attrib "<Full path to file>" +s +h
- '%WINDIR%\syswow64\cmd.exe' /k attrib "<Current directory>" +s +h
- '%WINDIR%\syswow64\notepad.exe'
- '%WINDIR%\syswow64\attrib.exe' "<Full path to file>" +s +h
- '%WINDIR%\syswow64\attrib.exe' "<Current directory>" +s +h