Technical Information
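- Autorun (persistence) registry value: [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MSTime' = '"%APPDATA%\svchost.exe"' (the genuine Windows svchost.exe runs from %SystemRoot%\System32, so a copy launched from %APPDATA% is a masquerading indicator)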
- ClassName: 'Tibiaclient', WindowName: ''
- %TEMP%\is-eab2m.tmp\<File name>.tmp
- %TEMP%\is-0ad77.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-0ad77.tmp\_isetup\_iscrypt.dll
- %TEMP%\is-afj9s.tmp\<File name>.tmp
- %TEMP%\is-fbjj5.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-fbjj5.tmp\_isetup\_iscrypt.dll
- %APPDATA%\is-dv0pp.tmp
- %APPDATA%\svchost.exe
- %TEMP%\is-0ad77.tmp\_isetup\_iscrypt.dll
- %TEMP%\is-0ad77.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-eab2m.tmp\<File name>.tmp
- Moves (renames) a file: from %APPDATA%\is-dv0pp.tmp to %APPDATA%\svchost.exe
- DNS query (ASK): ul#####e-recovery.pl (the host name is partially masked with '#' in the source)
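- '%TEMP%\is-eab2m.tmp\<File name>.tmp' /SL5="$4100C4,343877,56832,<Full path to file>"
- '%TEMP%\is-afj9s.tmp\<File name>.tmp' /SL5="$110126,343877,56832,<Full path to file>" /VERYSILENT /PASSWORD=13821 (/SL5, /VERYSILENT and /PASSWORD are Inno Setup installer switches: this second launch runs without any user interface and supplies the installer password; the is-*.tmp directory names differ between the launches and appear to be generated per run, so match on the path pattern rather than on the exact names)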
- '%APPDATA%\svchost.exe'