Technical Information
- [HKLM\System\CurrentControlSet\Services\sIDcaZtUE] 'ImagePath' = '%ALLUSERSPROFILE%\Sys.txt'
- [HKLM\SYSTEM\ControlSet001\services\sIDcaZtUE] 'Start' = '00000001'
- 'sIDcaZtUE' %ALLUSERSPROFILE%\Sys.txt
- %ALLUSERSPROFILE%\sys.txt
- %ProgramFiles(x86)%\telegramöðîä°æ.exe
- '12#.#9.68.36':280
- '12#.#9.68.34':8000
- http://12#.##.68.36:280/payload.bin via 12#.#9.68.36