Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '102b3bcad4053f1630a0d725fba934ba' = '"%TEMP%\%TEMP%.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '102b3bcad4053f1630a0d725fba934ba' = '"%TEMP%\%TEMP%.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\102b3bcad4053f1630a0d725fba934ba.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\%TEMP%.exe" "%TEMP%.exe" ENABLE
- <Current directory>:{43007a00-3500-6500-3200-570047006100}
- %PROGRAMDATA%\isolated storage\{43007a00-3500-6500-3200-570047006100}
- %TEMP%\%temp%.exe
- %LOCALAPPDATA%\temp:{43007a00-3500-6500-3200-570047006100}
- DNS ASK le####s8.no-ip.biz
- '%TEMP%\%temp%.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\%TEMP%.exe" "%TEMP%.exe" ENABLE (with hidden window)