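Technical Information (in order: service registry values, file paths, network activity, a window class reference, and process command lines)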
- [<HKLM>\SYSTEM\ControlSet001\Services\WMIUpdateService] 'ImagePath' = '%WINDIR%\conhost\conhost.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\WMIUpdateService] 'Start' = '00000002' [note: 2 is the automatic start type, so the service is launched at every boot]
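- %WINDIR%\conhost\conhost.exe [note: uses the name of a Windows system binary; the genuine conhost.exe resides in <SYSTEM32>, so this path is itself an indicator]
- C:\start.cmd
- %WINDIR%\Fonts\config.json
- %WINDIR%\Fonts\svchost.exe [note: uses the name of a Windows system binary; the genuine svchost.exe resides in <SYSTEM32>, and an executable in the Fonts directory is anomalous]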
- C:\update.bat
- C:\svchost.exe
- C:\conhost.exe
- C:\config.json
- 'mo###ohash.com':80
- DNS ASK mo###ohash.com
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\Fonts\svchost.exe'
- '%WINDIR%\conhost\conhost.exe'
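- '%WINDIR%\conhost\conhost.exe' install WMIUpdateService %WINDIR%\Fonts\svchost.exe [note: matches the WMIUpdateService 'ImagePath' value above; judging by the arguments, conhost.exe presumably acts as a service wrapper that runs %WINDIR%\Fonts\svchost.exe]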
- '<SYSTEM32>\xcopy.exe' config.json %WINDIR%\Fonts\ /Y /Q
- '<SYSTEM32>\sc.exe' config WMIUpdateService start= auto
- '<SYSTEM32>\sc.exe' start WMIUpdateService
- '<SYSTEM32>\cmd.exe' /c ""C:\start.cmd" "
- '<SYSTEM32>\xcopy.exe' conhost.exe %WINDIR%\conhost /Y /Q
- '<SYSTEM32>\xcopy.exe' svchost.exe %WINDIR%\Fonts\ /Y /Q