Technical Information
- <SYSTEM32>\tasks\defenderfire
- %TEMP%\b8e413d4-6c55-435a-9c6f-d2b9eed9a44c\agiledotnetrt64.dll
- %APPDATA%\system.exe
- 'microsoft.com':80
- 'ra#.####ubusercontent.com':443
- 'oc##.#tartssl.com':80
- http://oc##.#tartssl.com/sub/class2/code/ca/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBQSOgrhRCSnWfKxoWTjWxhk8hga9AQU0E4PQJlsuEsZbzsouODjiAc0qrcCAhAV
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- 'ra#.####ubusercontent.com':443
- DNS ASK microsoft.com
- DNS ASK ra#.####ubusercontent.com
- DNS ASK oc##.#tartssl.com
- '%APPDATA%\system.exe'
- '<SYSTEM32>\schtasks.exe' /create /tn Defenderfire /tr %APPDATA%\system.exe /sc minute /mo 1 (with hidden window)
- '%APPDATA%\system.exe' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn Defenderfire /tr %APPDATA%\system.exe /sc minute /mo 1
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\dw20.exe' -x -s 1636
- '<SYSTEM32>\taskeng.exe' {90703331-B24C-4B05-A4CD-D03DA05A1AB2} S-1-5-21-1960123792-2022915161-3775307078-1001:qvvqcrj\user:Interactive:[1]
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\dw20.exe' -x -s 1516