Technical Information
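- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,"<SYSTEM32>\clientmon.exe"'
  (Registry persistence: Winlogon starts every comma-separated program listed in 'Userinit' at logon, so clientmon.exe is launched for each user who signs in. Any entry in this value other than userinit.exe warrants investigation.)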
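- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\Security" /XML "%TEMP%\1666056481.xml"
- '<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn "Client" /rl highest /tr "'\186261\client.exe' /startup" /f
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Update\Security" /F
- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\Security" /XML "%TEMP%\333961166.xml"
  (Scheduled-task persistence: the "Client" task runs client.exe at every logon with the highest available run level (/sc onlogon /rl highest), and the "Update\Security" task is registered from an XML definition in %TEMP%, deleted, and registered again from a second XML file. Useful detection points are task-registration events for these task names and schtasks.exe being given an /XML file located in %TEMP%.)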
- C:\186261\client.exe
- <SYSTEM32>\clientmon.exe
- %TEMP%\1119283038.xml
- %TEMP%\333961166.xml
- %TEMP%\1666056481.xml
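- C:\6e51c0a75192689cc948e1d8baa69222c0c047a6
- C:\6e51c0a75192689cc948e1d8baa69222c0c047a6
- %TEMP%\1666056481.xml
- %TEMP%\333961166.xml
  (Several paths in this file list appear more than once. The section headings that would say which files were created, modified or deleted are not present on this page, so the repeated entries presumably come from different sections of the original report. The entry in the root of C: is a 40-character hexadecimal name with no extension.)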
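- from <Full path to file> to %APPDATA%\Security.exe
  (File relocation: '<Full path to file>' is the report's placeholder, presumably for the original location of the analysed sample. The destination is a security-themed file name in the user's %APPDATA% directory, so an executable named Security.exe directly under %APPDATA% is worth checking on a suspect host.)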
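- 'localhost':19318
- 'wa#####n1.ddnsking.com':19318
- DNS ASK wa#####n1.ddnsking.com
  (Network activity: endpoints on port 19318, one on localhost and one on a dynamic-DNS hostname, plus a DNS query for that hostname. The '#####' appears to be masking applied by the report rather than part of the name. Because a dynamic-DNS record can be repointed to a new address at any time, detection and blocking should key on the hostname in DNS logs and on the port, not on a resolved IP address.)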