Technical Information
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'Images' = '%ALLUSERSPROFILE%\images.exe'
- %WINDIR%\syswow64\cmd.exe
- images.exe
- %ALLUSERSPROFILE%\images.exe
- '18#.#19.132.157':5200
- 'sh####ongtinh.com':443
- DNS ASK sh####ongtinh.com
- '%ALLUSERSPROFILE%\images.exe'
- '%WINDIR%\syswow64\cmd.exe'