Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'c9f282e74a43b703d66c3537f0b88c41' = '"%TEMP%\img.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'c9f282e74a43b703d66c3537f0b88c41' = '"%TEMP%\img.exe" ..'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\img.exe" "img.exe" ENABLE
- %TEMP%\img.exe
- 'localhost':1990
- http://pa###bin.com/raw.php?i=########
- http://pa###bin.com/raw/hzaPW5eu
- DNS ASK pa###bin.com
- '%TEMP%\img.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\img.exe" "img.exe" ENABLE (with hidden window)