Technical Information
- [<HKLM>\System\CurrentControlSet\Services\PassProtect] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\PassProtect] 'ImagePath' = '%WINDIR%\PassProtect64.sys'
- 'PassProtect' %WINDIR%\PassProtect64.sys
- %WINDIR%\passprotect64.sys
- %WINDIR%\temp\first.html
- %WINDIR%\temp\udd4cf7.tmp
- C:\sys.ini
- %WINDIR%\temp\udd4cf7.tmp
- 'vi#.#868lm.com':80
- 'mm#.#bjj888.com':20000
- DNS ASK vi#.#868lm.com
- DNS ASK mm#.#bjj888.com