Technical Information
- '' (downloaded from the Internet)
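Registry keys listed (settings locations of FTP, SSH and file-manager clients, where saved sites and sessions are kept):
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]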
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKLM>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\Software\FTPClient\Sites]
- [<HKCU>\Software\SoftX.org\FTPClient\Sites]
- [<HKCU>\Software\SimonTatham\PuTTY\Sessions]
- [<HKLM>\Software\SoftX.org\FTPClient\Sites]
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Martin Prikryl]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\FlashPeak\BlazeFtp\Settings]
- [<HKCU>\SOFTWARE\Robo-FTP 3.7\FTPServers]
- [<HKLM>\SOFTWARE\Robo-FTP 3.7\FTPServers]
- [<HKCU>\SOFTWARE\Robo-FTP 3.7\Scripts]
- [<HKLM>\SOFTWARE\Robo-FTP 3.7\Scripts]
- [<HKCU>\Software\LinasFTP\Site Manager]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKLM>\Software\FTPClient\Sites]
- [<HKCU>\Software\Sota\FFFTP]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP]
- [<HKCU>\Software\TurboFTP]
- [<HKLM>\Software\FlashFXP\3]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\FileZilla Client]
- [<HKLM>\Software\FileZilla]
- [<HKLM>\Software\FileZilla Client]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BPFTP]
- [<HKLM>\Software\TurboFTP]
- [<HKLM>\Software\SimonTatham\PuTTY\Sessions]
File-system paths listed:
- %TEMP%\146343.exe
- %TEMP%\148578.exe
- %TEMP%\150875.exe
- %TEMP%\153796.exe
- %TEMP%\156265.exe
- %TEMP%\158531.exe
- %TEMP%\ytk.bat
- <Full path to file>
Hosts contacted on TCP port 80 (domain names are partially masked with '#' in this report):
- 'bi####tadier.com':80
- 'bi####tblazer.com':80
- 'bi####tchief.com':80
- 'bi####tmajor.com':80
- 'bi###dimple.com':80
- 'co###pod.com':80
- 'co###pride.com':80
- 'ma###sale.com':80
- 'bi####tovator.com':80
- 'ip####ase-shop.de':80
- 'be####rbistro.com':80
- 'di###expo.com':80
- 'es########.bne102u.server-web.com':80
- 'ar######omasbecker.com.au':80
- 'ev###tions.com':80
URLs requested over HTTP:
- http://ip####ase-shop.de/Br8Pz.exe
- http://be####rbistro.com/miQyZhM.exe
- http://di###expo.com/ek4.exe
- http://es########.bne102u.server-web.com/rub
- http://ar######omasbecker.com.au/SuL.exe
- http://ev###tions.com/Ahyi.exe
- http://bi####tadier.com/pony/gate.php
- http://bi####tblazer.com/pony/gate.php
- http://bi####tchief.com/pony/gate.php
- http://bi####tmajor.com/pony/gate.php
- http://bi###dimple.com/pony/gate.php
- http://co###pod.com/pony/gate.php
- http://co###pride.com/pony/gate.php
- http://ma###sale.com/pony/gate.php
- http://bi####tovator.com/pony/gate.php
DNS queries:
- DNS ASK bi####tadier.com
- DNS ASK bi####tblazer.com
- DNS ASK bi####tchief.com
- DNS ASK bi####tmajor.com
- DNS ASK bi###dimple.com
- DNS ASK co###pod.com
- DNS ASK co###pride.com
- DNS ASK ma###sale.com
- DNS ASK bi####tovator.com
- DNS ASK ip####ase-shop.de
- DNS ASK be####rbistro.com
- DNS ASK di###expo.com
- DNS ASK es########.bne102u.server-web.com
- DNS ASK ar######omasbecker.com.au
- DNS ASK ev###tions.com
Process command lines:
- '%TEMP%\146343.exe'
- '%TEMP%\148578.exe'
- '%TEMP%\150875.exe'
- '%TEMP%\153796.exe'
- '%TEMP%\156265.exe'
- '%TEMP%\158531.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ytk.bat" "<Full path to file>" "