Technical Information
- [<HKLM>\software\Wow6432Node\microsoft\windows\CurrentVersion\Run] 'OperatingSystem' = '%WINDIR%\UserInfo.exe'
- %WINDIR%\userinfo.exe
- %APPDATA%\hijack.dll
- %WINDIR%\userinfo.exe
- '47.##.187.46':54328
- http://www.a1##5.com/sq/gengxin.txt
- DNS ASK a1##5.com
- '%WINDIR%\userinfo.exe'