Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Client-Server-Runtime' = '%APPDATA%\runtime\csrss.exe'
- %APPDATA%\runtime\csrss.exe
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Client-Server-Runtime" /t REG_SZ /d "%APPDATA%\runtime\csrss.exe" /f
- <SYSTEM32>\cmd.exe /c ""%TEMP%\lMekH.bat" "
- firefox.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\grab_ff[1].raw
- %TEMP%\B7FnGvIMeHJ0EP3O3KO9.dll
- %TEMP%\lMekH.bat
- %APPDATA%\runtime\csrss.exe
- %APPDATA%\runtime\csrss.exe
- %TEMP%\lMekH.bat
- 'localhost':1039
- 'wa####ens.xvps.biz':80
- wa####ens.xvps.biz/kerb/dll/grab_ff.raw
- wa####ens.xvps.biz/kerb/gate.php?id##########################################################
- DNS ASK wa####ens.xvps.biz
- '<Private IP address>':1037
- ClassName: 'Indicator' WindowName: ''