Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'TWLP' = '%APPDATA%\<File name>.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
- %APPDATA%\<File name>.exe
- %TEMP%\cookie.vbs
- %APPDATA%\twlogs\debug.log
- 'ki####namics.net':443
- 'microsoft.com':80
- 'localhost':4446
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- 'ki####namics.net':443
- DNS ASK ki####namics.net
- DNS ASK microsoft.com
- '%APPDATA%\<File name>.exe'
- '%WINDIR%\syswow64\wscript.exe' %TEMP%\cookie.vbs