Technical Information (artifacts observed during analysis: registry persistence, firewall exclusion, dropped files, window-class lookups and network activity; paths are listed as recorded and can be used as indicators as-is)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsSystem32' = '%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe' (persistence: a machine-wide Run value that launches the dropped binary at every logon; the value name resembles a system component, presumably to avoid attention)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe' = '%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe:*:Enabled:WindowsSystem32' (firewall exclusion: adds the binary to the Windows Firewall authorized-applications list for all addresses, so its inbound/outbound traffic below is not blocked; check this list during cleanup)
- %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: 'RegMonClass' WindowName: ''
- ClassName: 'FileMonClass' WindowName: ''
  (window-class names that match the Sysinternals Process Monitor, Regmon and Filemon tools; this looks like an anti-analysis check for running monitoring tools — what the sample does when one is found is not shown here and should be confirmed)
- %ALLUSERSPROFILE%\Application Data\TEMP:6E6FB9EE (the colon denotes an NTFS alternate data stream named 6E6FB9EE on the TEMP directory entry; such streams are not shown by a normal directory listing, so use a tool that enumerates ADS when hunting for this artifact)
- <Current directory>\autorun.inf (an autorun.inf written next to the binary; on systems where AutoRun/AutoPlay is still enabled this would start the sample from removable or mapped drives — the file's contents are not shown here)
- %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools\unwise_.exe
- '<Private IP address>':445 (SMB)
- 'ze####.weedns.com':65500 (remote endpoint on a dynamic-DNS domain, name partially masked in the report)
- '<Private IP address>':135 (RPC endpoint mapper)
- DNS ASK ze####.weedns.com
  (connections to SMB and RPC on private addresses suggest scanning of the local network, presumably for propagation — confirm from the packet capture; the weedns.com host is the only external contact recorded and is the indicator to block or alert on)