Technical Information (sandbox-observed artifacts: file paths, network endpoints, URLs, DNS queries and process command lines; note that IP addresses and domain names below are partially masked with `#`, so they cannot be used verbatim as blocking indicators)
- %TEMP%\1850jqyzwt-bywtromj.krye.tmp
- %WINDIR%\server.exe
- %WINDIR%\syswow64\server.exe
- %TEMP%\1850jqyzwt-bywtromj.krye.tmp
- %WINDIR%\server.exe
- %LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\desktop.ini
- %LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini
- '82.##6.175.243':735
- 'ip##8.com':80
- 'ip##8.com':443
- '82.##6.175.243':2255
- 'ba##u.com':443
- '12#.#2.63.151':3321
- http://82.###.175.243:735/op/zzyb7359.php?ty######### via 82.##6.175.243
- http://82.###.175.243:735/ooop/op.exe via 82.##6.175.243
- http://www.ip##8.com/
- http://82.###.175.243:735/op/evttip via 82.##6.175.243
- http://20##.ip138.com/
- http://82.###.175.243:735/ooop/oop.exe via 82.##6.175.243
- 'ip##8.com':443
- '82.##6.175.243':2255
- 'ba##u.com':443
- DNS ASK ip##8.com
- DNS ASK 20##.ip138.com
- DNS ASK ba##u.com
- '%TEMP%\1850jqyzwt-bywtromj.krye.tmp'
- '%WINDIR%\server.exe'
- '%WINDIR%\syswow64\server.exe'
- '%WINDIR%\syswow64\cmd.exe' /c del %WINDIR%\Server.exe > nul (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del %WINDIR%\Server.exe > nul