Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Explorer' = '%APPDATA%\IExplore\svhost.exe'
- '%APPDATA%\IExplore\svhost.exe'
- '%APPDATA%\IExplore\svhost.exe' (downloaded from the Internet)
- '<SYSTEM32>\schtasks.exe' /create /sc daily /tn WindowsUpdate /tr %APPDATA%\IExplore\svhost.exe /st 18:00 /f
- '<SYSTEM32>\cmd.exe' /c ""%APPDATA%\IExplore\main.bat" "
- %APPDATA%\IExplore\conf.txt
- %APPDATA%\IExplore\main.txt
- %APPDATA%\IExplore\123.bak
- from %APPDATA%\IExplore\123.bak to %APPDATA%\IExplore\file.data
- from %APPDATA%\IExplore\main.txt to %APPDATA%\IExplore\main.bat
- from %APPDATA%\IExplore\123.bak to %APPDATA%\IExplore\svhost.exe
- from %APPDATA%\IExplore\123.bak to %APPDATA%\IExplore\Internet_Explorer.exe
- %APPDATA%\IExplore\123.bak
- 'ip##gger.co':80
- 'le########oney.000webhostapp.com':80
- http://le########oney.000webhostapp.com/3.data
- http://ip##gger.co/1BiR27
- http://le########oney.000webhostapp.com/1.data
- http://le########oney.000webhostapp.com/2.data
- DNS ASK ip##gger.co
- DNS ASK le########oney.000webhostapp.com
- ClassName: 'MS_WINHELP' WindowName: ''