Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '"%TEMP%\taskmgr.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '"%TEMP%\taskmgr.exe" ..'
- <SYSTEM32>\tasks\server
- %APPDATA%\microsoft\windows\start menu\programs\startup\microsoft.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\taskmgr.exe" "taskmgr.exe" ENABLE
- %TEMP%\taskmgr.exe
- %LOCALAPPDATA%\tempmicrosoft.exe
- %TEMP%\taskmgr.exe
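- '11#.#4.131.56':6666 (address and port; the '#' characters are not valid in an IP address, so the address appears to be partially masked and cannot be matched as written)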
- '%TEMP%\taskmgr.exe'
- '%LOCALAPPDATA%\tempmicrosoft.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\taskmgr.exe" "taskmgr.exe" ENABLE (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn server /tr %LOCALAPPDATA%\TempMicrosoft.exe (with hidden window)
- '%LOCALAPPDATA%\tempmicrosoft.exe' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn server /tr %LOCALAPPDATA%\TempMicrosoft.exe
- '<SYSTEM32>\taskeng.exe' {29D55051-3C35-440F-BB46-7562356D9AFD} S-1-5-21-1960123792-2022915161-3775307078-1001:usgprox\user:Interactive:[1]