Technical Information
- [<HKCU>\software\microsoft\windows\currentversion\run] 'kYsYYsgU.exe' = '%HOMEPATH%\zwAgUAYk\kYsYYsgU.exe'
- [<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] 'dkowUgIE.exe' = '%ALLUSERSPROFILE%\NOYsAYYM\dkowUgIE.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\NOYsAYYM\dkowUgIE.exe,'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%ALLUSERSPROFILE%\NOYsAYYM\dkowUgIE.exe,'
- [<HKLM>\System\CurrentControlSet\Services\tsUcYERn] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\tsUcYERn] 'ImagePath' = '%ALLUSERSPROFILE%\cAMUkwIs\LOUgQMcM.exe'
- 'tsUcYERn' %ALLUSERSPROFILE%\cAMUkwIs\LOUgQMcM.exe
- %HOMEPATH%\zwaguayk\kysyysgu
- %ALLUSERSPROFILE%\noysayym\dkowugie
- %HOMEPATH%\zwaguayk\kysyysgu.exe
- %ALLUSERSPROFILE%\noysayym\dkowugie.exe
- %ALLUSERSPROFILE%\camukwis\lougqmcm.exe
- %WINDIR%\syswow64\config\systemprofile\zwaguayk\kysyysgu
- 'bl##k.io':443
- DNS ASK bl##k.io
- '%HOMEPATH%\zwaguayk\kysyysgu.exe'
- '%ALLUSERSPROFILE%\noysayym\dkowugie.exe'
- '%ALLUSERSPROFILE%\camukwis\lougqmcm.exe'