Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\sdra64.exe,'
- %APPDATA%\Microsoft\Protect\Credentials\wininit.exe (downloaded from the Internet)
- <SYSTEM32>\sdra64.exe
- %APPDATA%\Microsoft\Protect\Credentials\wininit.exe
- %APPDATA%\Microsoft\Protect\Credentials\svcchost.exe
- <SYSTEM32>\sdra64.exe
- %APPDATA%\Microsoft\Protect\Credentials\svcchost.exe
- 'mn####zstr.hi2.ro':80
- mn####zstr.hi2.ro/wininit.exe
- DNS ASK mn####zstr.hi2.ro