Technical Information
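- [HKLM\System\CurrentControlSet\Services\AMZxTRoTK] 'ImagePath' = '%ALLUSERSPROFILE%\Sys.txt' (the service's image path points to a file with a .txt extension under %ALLUSERSPROFILE%, not to a .exe or .sys in a system directory)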
- [HKLM\SYSTEM\ControlSet001\services\AMZxTRoTK] 'Start' = '00000001' (Start value 1 is SERVICE_SYSTEM_START, a start type that is valid only for driver services)
- 'AMZxTRoTK' %ALLUSERSPROFILE%\Sys.txt
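- %ALLUSERSPROFILE%\sys.txt (same path as the 'ImagePath' value above, differing only in letter case; Windows paths are case-insensitive, so match this indicator case-insensitively)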
- %WINDIR%\temp\uddefab.tmp
- %WINDIR%\temp\uddefab.tmp
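- '15#.#45.19.172':280 (the '#' characters appear to be masked digits in the source report, so the addresses in this list are partial and cannot be used as exact-match indicators)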
- '15#.#45.19.165':8000
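- http://15#.##5.19.172:280/payload.bin via 15#.#45.19.172 (HTTP request for payload.bin on port 280 rather than the default port 80; the two occurrences of the address are masked at different digit positions in the source)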
- '15#.#45.19.165':8000