Technical Information
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost.exe' = '<Full path to file>'
- <Current directory>\r8l9p6p3m8.txt
- <Current directory>\n2g5e3y9n8.txt
- <Current directory>\n2g5e3y9n8.txt_and deleteme.bat
- <Current directory>\r8l9p6p3m8.txt
- <Current directory>\n2g5e3y9n8.txt
- 'cr####3.3322.org':1993
- DNS ASK cr####3.3322.org
- '<Current directory>\n2g5e3y9n8.txt' <Full path to file>|<Current directory>\r8l9p6p3m8.txt|8
- '%WINDIR%\syswow64\cmd.exe' /c ""n2g5e3y9n8.txt_And DeleteMe.bat""' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""n2g5e3y9n8.txt_And DeleteMe.bat""