Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\installer.exe'
- <SYSTEM32>\installer.exe
- %WINDIR%\userinit.exe
- <SYSTEM32>\installer.exe
- 'fa####andish.com':80
- http://www.fa####andish.com/cmd.zip via fa####andish.com
- DNS ASK www.fa####andish.com
- '%WINDIR%\userinit.exe'