Technical Information
Autostart entries (registry Run value and Startup-folder shortcut):
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'C14FA8' = '%WINDIR%\SysWOW64\41c1cb\WDF4424.EXE'
- %APPDATA%\microsoft\windows\start menu\programs\startup\62beaf.lnk
Files:
- %TEMP%\e_n4\krnln.fnr
- %TEMP%\e_n4\dp1.fne
- %WINDIR%\syswow64\41c1cb\dp1.fne
- %WINDIR%\syswow64\41c1cb\krnln.fnr
- %WINDIR%\syswow64\41c1cb\wdf4424.exe
- %WINDIR%\syswow64\41c1cb\eapi.fne
- %WINDIR%\syswow64\41c1cb\htmlview.fne
- %WINDIR%\syswow64\41c1cb\internet.fne
- %WINDIR%\syswow64\41c1cb\wdf4424.txt
- %WINDIR%\syswow64\41c1cb\bebfbd89.txt
- %WINDIR%\syswow64\41c1cb\nt-8784393a.exe
Network activity:
- 'ba##u.com':80
- http://www.ba##u.com/
- DNS ASK ba##u.com
Processes and command lines:
- '%WINDIR%\syswow64\41c1cb\wdf4424.exe'
- '%WINDIR%\syswow64\41c1cb\nt-8784393a.exe' 4|-|SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C14FA8|-|%WINDIR%\SysWOW64\41c1cb\WDF4424.EXE|-|0
- '%WINDIR%\syswow64\explorer.exe' <Current directory>\
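The listing above is only a set of indicators; the following PowerShell host check is an added example (not part of the original report) that turns it into a triage script. The registry value, shortcut, directory and file names are taken verbatim from the listing; the function name, the output format and the choice of SHA-256 for the hash are this example's own. The contacted host is masked in the report ('ba##u.com'), so no network check is attempted.

```powershell
# Added host triage check for the artifacts listed in this report.
# Indicator names/paths come from the listing; everything else is illustrative.
function Test-Wdf4424Artifacts {
    [CmdletBinding()]
    param(
        [string]$WinDir  = $env:WINDIR,
        [string]$AppData = $env:APPDATA,
        [string]$Temp    = $env:TEMP
    )

    $hits = [System.Collections.Generic.List[string]]::new()

    # 1. Autorun value under the 32-bit (Wow6432Node) Run key.
    #    Run this from a 64-bit PowerShell so the Wow6432Node path is read as written.
    $runKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'C14FA8' -ErrorAction SilentlyContinue
    if ($runVal) {
        $hits.Add("registry: $runKey\C14FA8 = $($runVal.C14FA8)")
    }

    # 2. Startup-folder shortcut.
    $lnk = Join-Path $AppData 'Microsoft\Windows\Start Menu\Programs\Startup\62beaf.lnk'
    if (Test-Path -LiteralPath $lnk) { $hits.Add("file: $lnk") }

    # 3. Dropped directory under SysWOW64 and the files the report lists there.
    $dropDir = Join-Path $WinDir 'SysWOW64\41c1cb'
    $dropped = 'dp1.fne', 'krnln.fnr', 'wdf4424.exe', 'eapi.fne', 'htmlview.fne',
               'internet.fne', 'wdf4424.txt', 'bebfbd89.txt', 'nt-8784393a.exe'
    foreach ($name in $dropped) {
        $p = Join-Path $dropDir $name
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $hits.Add("file: $p sha256=$h")
        }
    }

    # 4. Staging copies under %TEMP%\e_n4.
    foreach ($name in 'krnln.fnr', 'dp1.fne') {
        $p = Join-Path $Temp "e_n4\$name"
        if (Test-Path -LiteralPath $p) { $hits.Add("file: $p") }
    }

    # 5. Live processes whose image lives in the dropped directory
    #    (the report shows wdf4424.exe and nt-8784393a.exe executing from there).
    Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$dropDir\*" } |
        ForEach-Object {
            $hits.Add("process: pid=$($_.ProcessId) $($_.ExecutablePath) cmd=$($_.CommandLine)")
        }

    [pscustomobject]@{
        Infected = ($hits.Count -gt 0)
        Hits     = $hits
    }
}

# Usage: run from an elevated 64-bit PowerShell; exit code 1 signals a hit.
$result = Test-Wdf4424Artifacts
$result.Hits | ForEach-Object { Write-Output $_ }
if ($result.Infected) { exit 1 }
```

Two caveats when acting on the output. The .fne/.fnr files are runtime support libraries that can also ship with benign software, so the Run value 'C14FA8', the Startup shortcut and the two .exe names in the 41c1cb directory are the stronger indicators; a lone library hit should be confirmed against the directory and the autorun entry. And because the report masks the contacted host, matching DNS cache entries against a guessed domain would produce false positives, which is why the script leaves network checks out.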