Technical Information
- [<HKLM>\System\CurrentControlSet\Services\g1odK3e3c] 'ImagePath' = 'C:\g1odK3e3c.sys'
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
- 'g1odK3e3c' C:\g1odK3e3c.sys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- C:\lhjzro503.exe
- C:\g1odk3e3c.sys
- <Current directory>\clean.vbs
- 'C:\lhjzro503.exe'
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\clean.vbs"
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\clean.vbs" (with hidden window)