Technical Information
- Autorun registry value (persistence): [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Airline5' = '%APPDATA%\Whiteseam2.exe'
- Scheduled task job file: %WINDIR%\Tasks\Airline5.job
- %WINDIR%\win.ini
- %APPDATA%\23EF5514-3059-436F-A4A7-4CEFAAB20EB1\run.dat
- Executable referenced by the 'Airline5' autorun value: %APPDATA%\Whiteseam2.exe
- Network connection: 'hu#####elp.duckdns.org':5050 (the host name appears partially masked with '#' in this report)
- DNS query (DNS ASK): hu#####elp.duckdns.org
- '<Full path to file>' (placeholder; presumably the path of the analysed sample itself)
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Airline5" /f /t REG_SZ /d "%APPDATA%\Whiteseam2.exe
- '<SYSTEM32>\schtasks.exe' /run /tn "Airline5"
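- '<SYSTEM32>\schtasks.exe' /Create /SC HOURLY /MO 12 /TN "Airline5" /TR "reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "\""Airline5"\"" /f /t REG_SZ /d "\""%APPDATA%\Whiteseam2.exe" /RU SYSTEM
- Note: the 'Airline5' task is created to run as SYSTEM on a 12-hour schedule, and its action re-adds the 'Airline5' Run value. Cleanup therefore has to remove the scheduled task as well as the Run value and %APPDATA%\Whiteseam2.exe; otherwise the autorun entry is restored the next time the task runs.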