Technical Information
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'UDP Subsystem' = '%ProgramFiles(x86)%\UDP Subsystem\udpss.exe'
- <SYSTEM32>\tasks\nafifas
- %WINDIR%\microsoft.net\framework\v4.0.30319\vbc.exe
- %APPDATA%\36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee\run.dat
- %ProgramFiles(x86)%\udp subsystem\udpss.exe
- from <Full path to file> to %TEMP%\iobo.exe
- 'ip###.duckdns.org':54984
- 'localhost':54984
- DNS ASK ip###.duckdns.org
- '%WINDIR%\microsoft.net\framework\v4.0.30319\vbc.exe'
- '%WINDIR%\syswow64\cmd.exe' /C mkdir "%APPDATA%\fghg"
- '%WINDIR%\syswow64\cmd.exe' /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'%APPDATA%\fghg\fghg.exe'" /f
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn "Nafifas" /tr "'%APPDATA%\fghg\fghg.exe'" /f
- '%WINDIR%\syswow64\cmd.exe' /C copy "<Full path to file>" "%APPDATA%\fghg\fghg.exe"
- '<SYSTEM32>\taskeng.exe' {F2CB62E9-C914-417E-AB2E-678962B99324} S-1-5-21-1960123792-2022915161-3775307078-1001:jedazilei\user:Interactive:[1]