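Technical Information
The entries below are listed without sub-headings; they appear to fall into three groups: file-system paths (scheduled-task files, executables and temporary files), network indicators, and launched command lines.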
- <SYSTEM32>\tasks\updates\nlnnni
- <SYSTEM32>\tasks\updates\kflbfmhmeda
- wmin.exe
- %TEMP%\wmin.exe
- %APPDATA%\nlnnni.exe
- %TEMP%\tmpf7e5.tmp
- %APPDATA%\kflbfmhmeda.exe
- %TEMP%\tmp76f3.tmp
- %TEMP%\tmpf7e5.tmp
- %TEMP%\tmp76f3.tmp
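- 'in####riasyuli.com':80 (the "####" appears to be redaction in the report; "#" is not valid in a hostname, so the string cannot be matched literally as an indicator)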
- DNS ASK in####riasyuli.com
- '%TEMP%\wmin.exe'
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\nlNNnI" /XML "%TEMP%\tmpF7E5.tmp" (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\KFLBFmhmeDA" /XML "%TEMP%\tmp76F3.tmp" (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'%APPDATA%\nin\698657.exe'" (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\nlNNnI" /XML "%TEMP%\tmpF7E5.tmp"
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\KFLBFmhmeDA" /XML "%TEMP%\tmp76F3.tmp"
- '%WINDIR%\syswow64\schtasks.exe' /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'%APPDATA%\nin\698657.exe'"