Technical Information
- [<HKLM>\software\Wow6432Node\microsoft\windows\CurrentVersion\Run] 'IGHskhost' = '<Full path to file>'
- %WINDIR%\fonts\shua1.txt
- %WINDIR%\fonts\shua2.txt
- %WINDIR%\crlt1
- %WINDIR%\crlt2
- http://st#####.##gitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAM1vOPn6z%2FWSpfCR%2B9hxg8%3D
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://www.yn##10.com/LGxz/%E6%98%9F%E6%9C%881025.exe?72#######
- http://do######.cdn.0343.78302.com/LGxz/%E6%98%9F%E6%9C%881025.exe?d=########################
- DNS ASK pe####.nanzimeng.com
- DNS ASK st#####.##gitalcertvalidation.com
- DNS ASK microsoft.com
- DNS ASK ji####.91ybs.com
- DNS ASK yn##10.com
- DNS ASK do######.cdn.0343.78302.com