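Technical Information
The entries below fall into three groups, in order: file-system paths touched by the sample, network activity, and the command lines of the processes it launched. The repeated aut*.tmp entries presumably come from a separate list (such as deleted files) whose heading was lost. The '#' characters in the host names appear to be masking applied to the domains, not part of the names. Persistence is visible in the process entries: a scheduled task named NVStWiz is created with schtasks to run %LOCALAPPDATA%\update\power.exe every minute, which matches the task file under <SYSTEM32>\tasks.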
- <SYSTEM32>\tasks\nvstwiz
- %TEMP%\aut11fa.tmp
- %TEMP%\power.exe
- %TEMP%\aut1297.tmp
- %TEMP%\fateh.doc
- %TEMP%\aut1c58.tmp
- %LOCALAPPDATA%\update\power.exe
- %TEMP%\aut11fa.tmp
- %TEMP%\aut1297.tmp
- %TEMP%\aut1c58.tmp
- 'my####rnalip.com':80
- http://my####rnalip.com/raw
- DNS ASK my####rnalip.com
- DNS ASK si####.#pdatesforme.club
- '%TEMP%\power.exe'
- '%LOCALAPPDATA%\update\power.exe'
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\Temp/fateh.doc (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c mkdir %localappdata%\update (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /sc minute /mo 1 /tn NVStWiz /tr %localappdata%\update\power.exe (with hidden window)
- '%LOCALAPPDATA%\update\power.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\Temp/fateh.doc
- '%WINDIR%\syswow64\cmd.exe' /c mkdir %localappdata%\update
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /sc minute /mo 1 /tn NVStWiz /tr %localappdata%\update\power.exe
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn NVStWiz /tr %LOCALAPPDATA%\update\power.exe
- '%ProgramFiles%\microsoft office\office14\winword.exe' /n "%TEMP%\fateh.doc"
- '<SYSTEM32>\taskeng.exe' {F2AF74FD-BB81-4AB7-A478-267DB79EBD3F} S-1-5-21-1960123792-2022915161-3775307078-1001:rtotphltorsq\user:Interactive:[1]