Technical Information
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>' = 'C:\Users\Windows offer.exe'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '%ProgramFiles%\Windows Offer\Windows offer.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows offer.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\windows offer.lnk
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\699c4b9cdebca7aaea5193cae8a50098_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- 'vi#.web.tr':80
- http://www.vi#.web.tr/destek/anabilgisayar.php
- http://www.vi#.web.tr/destek/versiyon.php
- DNS ASK vi#.web.tr