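Technical Information (registry autorun entries, file paths, firewall-exception commands and network indicators recorded for the sample)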
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '7c28331bf5b655df8606f544ff3f7342' = '"%TEMP%\tangt.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7c28331bf5b655df8606f544ff3f7342' = '"%TEMP%\tangt.exe" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '8514adfeb2758c40bfb1b2bb27525ae3' = '"%TEMP%\tanyp.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8514adfeb2758c40bfb1b2bb27525ae3' = '"%TEMP%\tanyp.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\server.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\tangt.exe" "tangt.exe" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\tanyp.exe" "tanyp.exe" ENABLE
- %TEMP%\tangt.exe
- %TEMP%\tanyp.exe
- 'ah####32.ddns.net':2487
- DNS query for ah####32.ddns.net
- '%TEMP%\tangt.exe'
- '%APPDATA%\microsoft\windows\start menu\programs\startup\server.exe'
- '%TEMP%\tanyp.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\tangt.exe" "tangt.exe" ENABLE (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\tanyp.exe" "tanyp.exe" ENABLE (with hidden window)