Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002' (SERVICE_AUTO_START: the Task Scheduler service is set to start automatically at boot)
- Sets DNS server to '8.8.8.8' (Google Public DNS)
- Sets DNS server to '223.5.5.5' (AliDNS, Alibaba's public resolver)
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 10 (ten echo requests to loopback, used as a roughly 10-second delay)
- '<SYSTEM32>\sc.exe' start xWinWpdSrv (starts the service named xWinWpdSrv)
- '<SYSTEM32>\cmd.exe' /c sc start xWinWpdSrv&ping 127.0.0.1 -n 10 && del <Full path to file> >> NUL (starts the service, waits via the loopback ping, then deletes the file at the elided path with output discarded; a common delayed self-deletion idiom)
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\cdc613e7d98771be476bd759960c4f3a_23ef5514-3059-436f-a4a7-4cefaab20eb1 (CryptoAPI RSA key container in the store of user SID S-1-5-21-2052111302-484763869-725345543-1003)
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\549b9b645cadfe6bb4bc69cf363c354c_23ef5514-3059-436f-a4a7-4cefaab20eb1 (CryptoAPI RSA key container in the same user's store)
- %APPDATA%\Microsoft\Protect\CREDHIST (DPAPI credential history file)
- 'bl##.#ina.com.cn':80 (TCP connection; the domain is masked in the report)
- http:///s/blog_16fb721c50102x6hx.html via bl##.#ina.com.cn (HTTP request for this path, sent to the masked host)
- DNS ASK bl##.#ina.com.cn (DNS query for the masked domain)
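The command-line chain listed above (start the service, wait with a loopback ping, delete the file) is the kind of sequence worth hunting for in process-creation telemetry. The script below is an added example, not code from the report or from the sample: it scans constructed process-creation records (not taken from the report) for a loopback-ping delay followed by `del`, and raises the severity when an `sc start` precedes it. The service and file names in the constructed records are placeholders.

```python
"""Detect the delayed self-deletion chain seen in the sample's command line:
'sc start <service>' followed by a 'ping 127.0.0.1 -n N' delay and 'del <file>'.
Added example; the log records below are constructed, not from the report."""
import re
from dataclasses import dataclass
from typing import Optional

# 'sc start <name>' or 'sc.exe start <name>'; the name ends at whitespace or a
# cmd.exe operator (& or |).
SC_START = re.compile(r'\bsc(?:\.exe)?\s+start\s+(?P<svc>[^\s&|]+)', re.I)
# Everything between 'ping' and the next cmd.exe operator; parsed separately so
# both 'ping 127.0.0.1 -n 10' and 'ping -n 10 127.0.0.1' are recognised.
PING = re.compile(r'\bping(?:\.exe)?\b(?P<args>[^&|]*)', re.I)
LOOPBACK = re.compile(r'127\.0\.0\.1|\blocalhost\b|::1', re.I)
COUNT = re.compile(r'-n\s+(\d+)', re.I)
# 'del <path>' where the path is either quoted or a single token.
DEL = re.compile(r'\bdel\s+(?P<path>"[^"]+"|[^\s&|>]+)', re.I)

@dataclass
class Finding:
    service: Optional[str]   # service started before the delay, if any
    delay_seconds: int       # echo requests sent, roughly one per second
    deleted_path: str
    severity: str            # 'high' when a service start precedes the delete

def loopback_ping_delay(cmdline: str) -> Optional[int]:
    """Return the echo count of a ping to loopback in cmdline, else None."""
    m = PING.search(cmdline)
    if not m or not LOOPBACK.search(m.group('args')):
        return None
    n = COUNT.search(m.group('args'))
    return int(n.group(1)) if n else 4  # Windows ping sends 4 requests by default

def analyze_cmdline(cmdline: str) -> Optional[Finding]:
    """Flag a loopback-ping delay followed by del; note a preceding sc start."""
    delay = loopback_ping_delay(cmdline)
    dele = DEL.search(cmdline)
    if delay is None or not dele:
        return None
    sc = SC_START.search(cmdline)
    service = sc.group('svc') if sc else None
    return Finding(service, delay, dele.group('path').strip('"'),
                   'high' if service else 'medium')

def scan(records):
    """Run analyze_cmdline over process-creation records ({'image', 'cmdline'})."""
    return [f for f in (analyze_cmdline(r['cmdline']) for r in records) if f]

# Constructed process-creation records (not taken from the report).
CONSTRUCTED_LOG = [
    {'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c sc start xWinWpdSrv&ping 127.0.0.1 -n 10 && del C:\Users\Public\installer.exe >> NUL'},
    {'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c sc start Spooler'},                      # benign service start
    {'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c ping -n 3 127.0.0.1 >nul & del "C:\Temp\old log.txt"'},  # delayed delete, no service
    {'image': r'C:\Windows\System32\PING.EXE',
     'cmdline': r'ping.exe 127.0.0.1 -n 10'},                          # delay alone, nothing deleted
]

if __name__ == '__main__':
    for f in scan(CONSTRUCTED_LOG):
        print(f)
```

The loopback ping is matched on its arguments rather than on a fixed argument order, since the delay idiom is written both ways in the wild; a ping to loopback with no `del` in the same command line (the report's stand-alone `ping.exe` entry) is deliberately not flagged on its own, because a delay by itself is too common to alert on.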