Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lynbye' = '<Full path to file>'
- [<HKLM>\System\CurrentControlSet\Services\Abcdef] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Abcdef] 'ImagePath' = '%WINDIR%\kkqqkk.exe'
- '' (downloaded from the Internet)
- %TEMP%\svchost.exe
- %WINDIR%\kkqqkk.exe
- from %TEMP%\svchost.exe to %WINDIR%\syswow64\1097828.bak
- '39.##6.214.210':443
- 're#.#bfull.com':15950
- '<LOCALNET>.58.33':52011
- http://39.###.214.210:8080/svchost.exe via 39.##6.214.210
- http://39.###.214.210:8080/SecurityCenter.exe via 39.##6.214.210
- DNS ASK re#.#bfull.com
- '%TEMP%\svchost.exe'
- '%WINDIR%\kkqqkk.exe'
- '%WINDIR%\kkqqkk.exe' Win7