Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'yBCKzRAFiS' = '%APPDATA%\iHPEnTKGoB\QkDLYpNmXH.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'b1c66b7cba95559eadb58ee929e5dddb' = '"%TEMP%\lsass.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'b1c66b7cba95559eadb58ee929e5dddb' = '"%TEMP%\lsass.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\b1c66b7cba95559eadb58ee929e5dddb.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\lsass.exe" "lsass.exe" ENABLE
- lsass.exe
- %APPDATA%\ihpentkgob\qkdlypnmxh.exe
- %TEMP%\lsass.exe
- 'dd###.kro.kr':1
- DNS ASK dd###.kro.kr
- '%TEMP%\lsass.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\lsass.exe" "lsass.exe" ENABLE (with hidden window)