Technical Information
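- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Ballerup' = '%APPDATA%\Ballerup\vballerup.exe' (per-user autorun entry; the value points to vballerup.exe, the relocated sample listed below, not to ballerup.exe)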
- '%APPDATA%\Ballerup\ballerup.exe' /pid=2812
- '%APPDATA%\Ballerup\ballerup.exe' /pid=3112
- '%APPDATA%\Ballerup\ballerup.exe' /pid=3512
- '%APPDATA%\Ballerup\ballerup.exe' /pid=4848
- '%APPDATA%\Ballerup\ballerup.exe' /pid=6048
- '%APPDATA%\Ballerup\ballerup.exe' /pid=5220
- '%APPDATA%\Ballerup\ballerup.exe' /pid=3728
- '%APPDATA%\Ballerup\ballerup.exe' /pid=5560
- '%APPDATA%\Ballerup\ballerup.exe' /pid=5420
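- '%APPDATA%\Ballerup\ballerup.exe' -a sha256 -o http://1K###################AvHvQZoQzKmtW:tomasersej@stratum.mining.eligius.st:3334 -T 83 -l yes -t 2 (mining-client style command line: SHA-256 algorithm and a pool URL with embedded credentials; the user field looks like a wallet address, and the '#' characters appear to be masking applied by the report)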
- '%APPDATA%\Ballerup\ballerup.exe' /pid=5228
- '%APPDATA%\Ballerup\ballerup.exe' /pid=5048
- '%APPDATA%\Ballerup\ballerup.exe' /pid=1724
- '%APPDATA%\Ballerup\ballerup.exe' (downloaded from the Internet)
- %APPDATA%\Ballerup\ballerup.exe
- from <Full path to virus> to %APPDATA%\Ballerup\vballerup.exe
- '19#.#3.167.160':80
- 'wp#d':80
- 19#.#3.167.160/sil1001/UFA.exe
- wp#d/wpad.dat
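- DNS ASK wp#d (DNS query; together with the wpad.dat request above this looks like Web Proxy Auto-Discovery, which Windows can issue on its own, so it is a weak indicator by itself)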
- ClassName: 'Indicator' WindowName: '(null)'