Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'PreviewHandler' = 'cmd /c "start "PreviewHandler" "%ProgramFiles%\Administrative\prevhost.exe"'
- '<SYSTEM32>\schtasks.exe' /create /NP /sc onlogon /tn "PreviewHandler" /rl highest /tr "'%ProgramFiles%\Administrative\prevhost.exe' /startup" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "PreviewHandler" /d "cmd /c """start """PreviewHandler""" """%ProgramFiles%\Administrative\prevhost.exe"""" /f"
- <SYSTEM32>\reg.exe
- %ProgramFiles%\Administrative\prevhost.exe
- %APPDATA%\MWResources9\Screenshots\03-14-2017\7.21 AM
- %TEMP%\aut1.tmp
- %TEMP%\vZEF06V8.25
- %TEMP%\aut1.tmp
- 'pu###c2.zzzz.io':9188
- DNS ASK pu###c2.zzzz.io