Technical Information
- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\fastuserswitchingcompatibility] 'ImagePath' = '<SYSTEM32>\svchost.exe -k netsvcs'
- 'fastuserswitchingcompatibility' <SYSTEM32>\svchost.exe -k netsvcs
- C:\hgbxxidciv
- <Current directory>\eeyldbbkno
- %TEMP%\niwsxxnemg.dat
- %WINDIR%\syswow64\alwqlvovgk
- %WINDIR%\syswow64\auljtyqttg
- <Current directory>\eeyldbbkno
- %WINDIR%\syswow64\alwqlvovgk
- C:\hgb
- %WINDIR%\syswow64\auljtyqttg
- from C:\hgbxxidciv to C:\hgb
- from %TEMP%\niwsxxnemg.dat to %PROGRAMDATA%\application data\storm\update\%sessionname%\bofup.cc3
- 'ai####5.3322.org':5555
- DNS ASK ai####5.3322.org
- DNS ASK co##.f.360.cn
- 'C:\hgbxxidciv' a -s<Full path to file>
- '%WINDIR%\syswow64\svchost.exe' -k netsvcs