Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'DefenderSync' = '%APPDATA%\Tzz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\run] 'bs_stealth' = '%APPDATA%\bs_stealth.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run] 'bs_stealth' = '%APPDATA%\bs_stealth.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\run] 'bs_stealth' = '%APPDATA%\bs_stealth.exe'
- processname.exe
- %APPDATA%\tzz.exe
- %APPDATA%\processname.exe
- %APPDATA%\bs_stealth.exe
- from %APPDATA%\processname.exe to %APPDATA%\bs_stealth.exe
- DNS ASK st#####4711.hopto.org
- '%APPDATA%\processname.exe'