Technical Information
- [<HKLM>\System\CurrentControlSet\Services\balloonarchive] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\balloonarchive] 'ImagePath' = '"%WINDIR%\SysWOW64\balloonarchive.exe"'
- 'balloonarchive' "%WINDIR%\SysWOW64\balloonarchive.exe"
- 'balloonarchive' %WINDIR%\SysWOW64\balloonarchive.exe
- %WINDIR%\syswow64\balloonarchive.exe
- from <Full path to file> to %WINDIR%\syswow64\balloonarchive.exe
- '21#.#65.2.133':8443
- '98.#.40.86':8080
- '18#.#20.233.135':7080
- http://98.#.40.86:8080/ via 98.#.40.86