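Technical Information (the section headings of this report are not shown; the entries below are, in order, an autorun registry value, file paths in the temp directory, network endpoints and a DNS lookup, and launched command lines — the two identical file lists probably belong to separate sections)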
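- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'ADSL Dial' = '%TEMP%\\SQLAGENTSAH.exe' (autorun value: programs listed under this Run key are started at logon; Wow6432Node is the 32-bit registry view on 64-bit Windows, and the value points at an executable in the temp directory)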
- %TEMP%\sqlagentsah.exe
- %TEMP%\vbs.vbs
- %TEMP%\autorunapp.vbs
- <Full path to file>
- %TEMP%\sqlagentsah.exe
- %TEMP%\vbs.vbs
- %TEMP%\autorunapp.vbs
- '<LOCALNET>.13.22':9633
- '11#.#40.239.69':9633
- DNS query (ASK): m.##o.buzz ('#' appears to mark characters masked in the report, as in the IP address above)
- '%TEMP%\sqlagentsah.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\VBS.vbs"
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\AutoRunApp.vbs"
- '%WINDIR%\syswow64\cmd.exe' /c ping 1.1.1.1 -n 1 -w 1000 & start %TEMP%\SQLAGENTSAH.exe (with hidden window; the single ping with a 1000 ms timeout presumably serves as a short delay before the start command)
- '%WINDIR%\syswow64\cmd.exe' /c ping 1.1.1.1 -n 1 -w 1000 & start %TEMP%\SQLAGENTSAH.exe
- '%WINDIR%\syswow64\ping.exe' 1.1.1.1 -n 1 -w 1000