Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'npomsxup' = '"C:\ProgramData\erak\ykxjjfup.exe"'
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\attrib.exe'
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\attrib.exe
- C:\ProgramData\anesytpk\eromtmsf.dat
- C:\ProgramData\Sun\ykhxolov.bkp
- C:\ProgramData\anesytpk\opazuwap.dat
- C:\ProgramData\erak\ykxjjfup.exe
- C:\ProgramData\anesytpk\irimixif.dat
- %APPDATA%\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3525224950-2885160813-905547259-1000\7ee83745df35bad5ccfc8cd8875de253_fdaad129-04df-4089-bb80-174ce725f721
- C:\ProgramData\anesytpk\ykhxolov.dat
- C:\ProgramData\Sun\irimixif.bkp
- '20#.#6.232.182':80
- 'do#####hoisrecord.co.uk':443
- 'fa###ook.com':80
- DNS ASK dn#.##ftncsi.com
- DNS ASK microsoft.com
- DNS ASK fa###ook.com
- DNS ASK do#####hoisrecord.co.uk
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'shell_traywnd' WindowName: '(null)'