Technical Information
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'AhnUpadate' = '"%ALLUSERSPROFILE%\AhnLab\AhnSvc.exe" /run'
- ahnsvc.exe
- %ALLUSERSPROFILE%\ahnlab\ahnsvc.exe
- from %ALLUSERSPROFILE%\ahnlab\ahnsvc.exe to %ALLUSERSPROFILE%\ahnlab\ahnsvc.exe_
- %ALLUSERSPROFILE%\ahnlab\ahnsvc.exe
- 'he###betta.com':80
- 'ae##.co.kr':80
- http://www.he###betta.com/mall/flash/POPUP/1.php
- http://www.ae##.co.kr/mall/manual/parser/parser.php
- DNS ASK he###betta.com
- DNS ASK ae##.co.kr
- 'localhost':55158
- 'localhost':50229
- '%ALLUSERSPROFILE%\ahnlab\ahnsvc.exe' /run
- '%ALLUSERSPROFILE%\ahnlab\ahnsvc.exe' /run' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del /q "<Full path to file>" >> NUL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del /q "<Full path to file>" >> NUL