Technical Information
- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'ImagePath' = '<SYSTEM32>\svchost.exe -k netsvcs'
- C:\gjoerefite
- <Current directory>\pqnnohotyo
- %TEMP%\wcftxggfsb.dat
- %WINDIR%\syswow64\tcwniykugo
- <Current directory>\pqnnohotyo
- %WINDIR%\syswow64\tcwniykugo
- C:\gjoerefite
- from %TEMP%\wcftxggfsb.dat to %ProgramFiles(x86)%\stormii\%sessionname%\orvhe.cc3
- %WINDIR%\syswow64\tcwniykugo
- 'ze####ayu.3322.org':8000
- DNS ASK ze####ayu.3322.org
- DNS ASK co##.f.360.cn
- 'C:\gjoerefite' a -s<Full path to file>
- '%WINDIR%\syswow64\svchost.exe' -k netsvcs