Technical Information
- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'Start' = '00000002' (start type 2 = SERVICE_AUTO_START: the service is loaded automatically at boot)
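- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'ImagePath' = '%<SYSTEM32>\svchost.exe -k netsvcs' (the service runs inside the shared svchost.exe "netsvcs" host process; the DLL it loads is normally named by the service's Parameters\ServiceDll value, which this list does not show; the leading '%' appears to be left over from path normalization in the report)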
- [<HKLM>\System\CurrentControlSet\Services\RemoteRegistry] 'Start' = '00000002' (start type 2 = SERVICE_AUTO_START: the Remote Registry service is set to start automatically)
- C:\fcpgej
- <Current directory>\ithbmoxdyv
- %TEMP%\mltscuwtsd.dat
- <Current directory>\delnruhhvi
- %TEMP%\gpedwfnrix.dat
- <Current directory>\iuuonewunv
- %TEMP%\pjvidxikpo.dat
- <Current directory>\ithbmoxdyv
- %ProgramFiles(x86)%\google\%sessionname%\ffpkq.pic
- <Current directory>\delnruhhvi
- <Current directory>\iuuonewunv
- from %TEMP%\mltscuwtsd.dat to %ProgramFiles(x86)%\google\%sessionname%\ffpkq.pic
- %ProgramFiles(x86)%\google\%sessionname%\ffpkq.pic
- from <Full path to file> to C:\fcpgej70
- DNS ASK (DNS query; no host name is shown for it in this copy of the report)
- 'C:\fcpgej' a -s
- '<SYSTEM32>\svchost.exe' -k regsvc