Technical Information
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ahi69xsp2x3vq' = '%ALLUSERSPROFILE%\633GDEBWT1R1Q1O5GTHLP\ahi69xsp2x3vq.exe'
- %TEMP%\e_n60005\krnln.fnr
- %ALLUSERSPROFILE%\633gdebwt1r1q1o5gthlp\ahi69xsp2x3vq.exe
- %ALLUSERSPROFILE%\633gdebwt1r1q1o5gthlp\ahi69xsp2x3vq.txt
- %LOCALAPPDATA%\178bfbff000406f1
- %ALLUSERSPROFILE%\633gdebwt1r1q1o5gthlp\key
- 'xd##.selfip.com':8080
- 'xd##.selfip.com':12345
- http://xd##.##lfip.com:8080/9x.dll via xd##.selfip.com
- DNS ASK xd##.selfip.com
- '%ALLUSERSPROFILE%\633gdebwt1r1q1o5gthlp\ahi69xsp2x3vq.exe'
- '%WINDIR%\syswow64\cmd.exe' /c echo 647B00004CD350BB36D2968B49A2908B54F96F7DF1FE2B7558440A945061B087D53BCD54199DCF663F540655F32A28D07B6F159296A64762BC18C0D56427C399F691E86BA8106BC56F41BB697E3261FDEC1972583AE1F6D9688FD202A...' (with hidden window)