Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}] 'stubpath' = '%ProgramFiles%\system32\win32.exe s'
- %WINDIR%\explorer.exe
- %TEMP%\safed.exe
- %APPDATA%\addons.dat
- %ProgramFiles%\system32\win32.exe
- %ProgramFiles%\system32\win32.exe
- %APPDATA%\addons.dat
- DNS ASK hf##.no-ip.biz
- '%TEMP%\safed.exe'
- '%TEMP%\safed.exe' ' (with hidden window)