Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '' (the key's default, unnamed value) = '%WINDIR%\cftmon.vbs'
- %TEMP%\bt4533.bat
- %WINDIR%\cftmon.vbs
- %TEMP%\bt4533.bat
- DNS ASK jt###.pcllw.cn
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\cftmon.vbs"
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\bt4533.bat "<Full path to file>" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\bt4533.bat "<Full path to file>"
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /d "%WINDIR%\cftmon.vbs" /f