Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Yhutba' = '%APPDATA%\hlv\lioku.exe'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- '%WINDIR%\syswow64\netsh.exe' firewall set notifications mode=disable profile=all
- '%WINDIR%\syswow64\netsh.exe' firewall set notifications mode=disable profile=current
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="allow" dir=in action=allow program="%WINDIR%\SysWOW64\msiexec.exe"
- %WINDIR%\syswow64\msiexec.exe
- %APPDATA%\hlv\afgpb.dat
- %APPDATA%\hlv\lioku.exe
- %APPDATA%\hlv\umwoa.dat
- http://ch####p.dyndns.org/
- DNS ASK ch####p.dyndns.org
- '72.#4.187.9':53
- '45.#3.15.60':53
- '19#.#8.102.14':53
- '%WINDIR%\syswow64\msiexec.exe' "<Full path to file>"