Resolved [ bullguard09.wm01.to ] to [ 5.206.227.248 ]
Malware activity:
Reads terminal service related keys (often RDP related)
Sets a global windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the cryptographic machine GUID
Opens the MountPointManager (often used to detect additional infection locations)
Sample here hxxps://www.multiup.eu/b5f25a49310dc36ca128a3947f566ae6
Hosting info:
http://whois.domaintools.com/5.206.227.248