Technical Information
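- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'COMSurrogate.exe' = '"%TEMP%\Ajbo.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'COMSurrogate.exe' = '"%APPDATA%\SubDir\COMSurrogate.exe"'
  (Per-user autorun entries. Both use the value name 'COMSurrogate.exe', so only one of the two targets can be present at a time; match on the value name together with a target under %TEMP% or %APPDATA%.)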
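- <SYSTEM32>\tasks\comsurrogate.exe (this folder holds scheduled-task definitions; the file is the definition of the task named "COMSurrogate.exe" created by the schtasks commands in this list, not an executable)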
- %TEMP%\ajbo.exe
- %TEMP%\sgbupcq.exe
- %APPDATA%\subdir\comsurrogate.exe
- %APPDATA%\logs\06-28-2022
- %APPDATA%\subdir\comsurrogate.exe
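- 'ip##pi.com':80
- 'sy#####.freeddns.org':1234
  (The host names appear to be partially masked with '#', so they cannot be used as exact-match indicators; the ports and the freeddns.org parent domain are shown in full.)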
- http://ip##pi.com/json/
- DNS ASK ip##pi.com
- DNS ASK sy#####.freeddns.org
- '%TEMP%\ajbo.exe'
- '%TEMP%\sgbupcq.exe'
- '%APPDATA%\subdir\comsurrogate.exe'
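- '%WINDIR%\syswow64\schtasks.exe' /create /tn "COMSurrogate.exe" /sc ONLOGON /tr "%TEMP%\Ajbo.exe" /rl HIGHEST /f
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "COMSurrogate.exe" /sc ONLOGON /tr "%APPDATA%\SubDir\COMSurrogate.exe" /rl HIGHEST /f
  (Both commands register a logon-triggered task at the highest available run level. They use the same task name with /f, so whichever runs later replaces the earlier definition. A schtasks.exe /create whose /tr target lies under %TEMP% or %APPDATA% is the behaviour to alert on.)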