Technical Information (observed indicators: autostart registry entry, dropped files, contacted hosts and URLs, DNS queries, and launched processes; partially masked domains are shown as on the original page)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WinWOW64Services' = '%APPDATA%\WinServices\vstools.exe'
- %APPDATA%\MediaCache\7EBA.vbs
- %APPDATA%\MediaCache\7EBA502D.ps1
- %APPDATA%\WinServices\vstools.exe
- <Full path to file>
- 'ch####eforyou.ru':80
- 'fo####blogwick.com':80
- 'cr###ocfans.pw':80
- http://ch####eforyou.ru/blog/gate.php
- http://fo####blogwick.com/search/gate.php
- http://cr###ocfans.pw/line/gate.php
- DNS ASK ch####eforyou.ru
- DNS ASK fo####blogwick.com
- DNS ASK cr###ocfans.pw
- '<SYSTEM32>\wscript.exe' %APPDATA%\MediaCache\7EBA.vbs
- '%APPDATA%\WinServices\vstools.exe' <Full path to file>
- '<SYSTEM32>\schtasks.exe' /create /tn "WinWOW64Services" /tr "wscript.exe \"%APPDATA%\MediaCache\7EBA.vbs\"" /st 00:01 /du 9999:59 /sc daily /ri 5 /f