Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'cred' = 'rundll32 %TEMP%\cred.dll, Main'
- %PROGRAMDATA%\0
- %PROGRAMDATA%\21a93ef9b3\dsnnt.exe
- %TEMP%\cred.dll
- http://tr####csystem.site/mBvqpgE3/cred.dll
- http://tr####csystem.site/mBvqpgE3/index.php
- http://te####rms.online/vCsxpG/index.php
- http://tr###accion.ga/bHn4Df/index.php
- DNS ASK tr####csystem.site
- DNS ASK te####rms.online
- DNS ASK tr###accion.ga
- '%PROGRAMDATA%\21a93ef9b3\dsnnt.exe'
- '%WINDIR%\syswow64\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d %PROGRAMDATA%\21a93ef9b3
- '%WINDIR%\syswow64\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 %TEMP%\cred.dll, Main"
- '%WINDIR%\syswow64\rundll32.exe' %TEMP%\cred.dll, Main