Technical Information
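- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'SettingSyncHost.exe' = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows\SettingSyncHost.exe' (per-user autorun value: the listed executable is launched each time this user logs on; the PowerShell New-ItemProperty command further down in this list writes the same value)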
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
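- %APPDATA%\microsoft\windows\start menu\programs\windows\settingsynchost.exe (the file the Run value above points to; the genuine Windows SettingSyncHost.exe resides under %WINDIR%\System32, so a binary of this name in a user-profile path is itself worth alerting on)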
- %TEMP%\tmpa54f.tmp.bat
- %TEMP%\settingsynchost.exe
- nul
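- 'va#####er.duckdns.org':2266 (remote host and port; the host name is partially masked with '#' in this report, so it cannot be used as an exact-match indicator as printed)
- DNS ASK va#####er.duckdns.org (DNS query for the same host; duckdns.org is a dynamic-DNS service, so the resolved address can change and IP-based blocking alone is unreliable)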
- '%TEMP%\settingsynchost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\tmpA54F.tmp.bat" "' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SettingSyncHost.exe' -Value '"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows\SettingSyncHost.exe"' -...
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\tmpA54F.tmp.bat" "
- '%WINDIR%\syswow64\timeout.exe' 5
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'