Technical Information
- [<HKLM>\System\CurrentControlSet\Services\Device] 'Start' = '00000002' (a service 'Start' value of 2 means the service is launched automatically at system startup)
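- [<HKLM>\System\CurrentControlSet\Services\Device] 'ImagePath' = '<SYSTEM32>\eimciu.exe' (the file itself is listed below under %WINDIR%\syswow64; presumably the sample is a 32-bit process on 64-bit Windows, where System32 paths are redirected to SysWOW64, so check both directories)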
- %TEMP%\ixp000.tmp\bwin.exe
- %TEMP%\ixp000.tmp\fwin.exe
- %WINDIR%\syswow64\eimciu.exe
- %TEMP%\ixp000.tmp\fwin.exe
- %TEMP%\ixp000.tmp\bwin.exe
- 'zs####28.gnway.net':1981
- DNS ASK zs####28.gnway.net
- '%TEMP%\ixp000.tmp\fwin.exe'
- '%TEMP%\ixp000.tmp\bwin.exe'
- '%WINDIR%\syswow64\eimciu.exe'
- '%TEMP%\ixp000.tmp\fwin.exe' (with hidden window)
- '%TEMP%\ixp000.tmp\bwin.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del %TEMP%\IXP000.TMP\bwin.exe > nul (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del %TEMP%\IXP000.TMP\bwin.exe > nul