To bypass the firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Debug\cosp86.exe' = '%WINDIR%\Debug\cosp86.exe:*:Enabled:KL'
Creates and executes the following:
- %WINDIR%\Debug\cosp86.exe /start
Executes the following:
- <SYSTEM32>\sc.exe delete 169953
Searches for registry branches where third-party applications store passwords:
- [<HKCU>\SOFTWARE\FlashFXP\3]
- [<HKLM>\SOFTWARE\FlashFXP\3]