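Technical Information
The entries below are host and network artifacts recorded for the sample, listed in this order: Task Scheduler files, service registry values, files on disk, network activity, and a quoted executable path (presumably a process launch). The `#` runs in the domain and URL appear to be masking applied by the publisher, so those values are not usable as exact-match indicators.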
- %WINDIR%\tasks\medwatch.job (legacy Task Scheduler job file)
- <SYSTEM32>\tasks\medwatch (Task Scheduler task definition)
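- [<HKLM>\System\CurrentControlSet\Services\Involved Wisdom] 'Start' = '00000002' (Start value 2 = the service starts automatically at boot)
- [<HKLM>\System\CurrentControlSet\Services\Involved Wisdom] 'ImagePath' = '%APPDATA%\Involved Wisdom\Involved Wisdom.exe' (the service binary sits under a per-user, user-writable profile path; a service ImagePath pointing into %APPDATA% is worth alerting on)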
- 'Involved Wisdom' %APPDATA%\Involved Wisdom\Involved Wisdom.exe
- %ALLUSERSPROFILE%\{6205cea7-5adc-7f07-6205-5cea75ad3a9d}\<File name>.exe
- %APPDATA%\involved wisdom\involved wisdom.exe
- %ALLUSERSPROFILE%\{6205cea7-5adc-7f07-6205-5cea75ad3a9d}\<File name>.dat
- %APPDATA%\involved wisdom\5bodv.dat
- 'pa###tmodel.biz':80
- http://pa###tmodel.biz/?q=#######################################################################################################################################################################...
- DNS query (ASK) for pa###tmodel.biz
- '%APPDATA%\involved wisdom\involved wisdom.exe'