Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%APPDATA%\System.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%APPDATA%\System.exe"'
- %APPDATA%\microsoft\windows\start menu\programs\startup\system.exe
- %APPDATA%\system.exe
- %TEMP%\b03b.tmp.bat
- 'dr#######-with-your-cum.site':80
- http://dr#######-with-your-cum.site/nig/Script.php
- DNS ASK dr#######-with-your-cum.site
- '%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\B03B.tmp.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\B03B.tmp.bat"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Set-MpPreference -DisableRealtimeMonitoring $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionExtension "@AppDataDir\System.exe"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath “%HOMEPATH%”