Technical Information (observed indicators, in order: autorun registry value, processes and loaded modules, files written, window class, spawned command lines — paths are shown with environment-variable placeholders and may be sample-specific)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'dmrclayx' = '%APPDATA%\api-an32\auth9_29.exe' (per-user Run-key persistence pointing at the dropped executable listed below; no elevation required to write this key)
- %WINDIR%\explorer.exe
- iexplore.exe
- firefox.exe process, nss3.dll module
- iexplore.exe process, advapi32.dll module
- iexplore.exe process, urlmon.dll module
- iexplore.exe process, wininet.dll module
- %APPDATA%\api-an32\auth9_29.exe
- %TEMP%\6a3c\23.bat
- ClassName: 'ProgMan' WindowName: ''
- '%APPDATA%\api-an32\auth9_29.exe' "<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\6A3C\23.bat" "%APPDATA%\api-an32\auth9_29.exe" "<Full path to file>""' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\6A3C\23.bat" "%APPDATA%\api-an32\auth9_29.exe" "<Full path to file>""
- '%WINDIR%\syswow64\cmd.exe' /C ""%APPDATA%\api-an32\auth9_29.exe" "<Full path to file>""
- '<SYSTEM32>\svchost.exe'