Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'narkssuba' = '%HOMEPATH%\Badenevol6\Pomeswh6.vbs'
- pomeswh6.exe
- %HOMEPATH%\badenevol6\pomeswh6.exe
- %HOMEPATH%\badenevol6\pomeswh6.vbs
- %APPDATA%\remcos\logs.dat
- http://gm##dv.com/EYE/Billion$$_encrypted_2E179E0.bin
- DNS ASK gm##dv.com
- DNS ASK tw###g.ddns.net
- '%HOMEPATH%\badenevol6\pomeswh6.exe'