Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'sEwERSyWRC' = 'C:\Users\Public\sEwERSyWRC.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\] 'remcos' = '"%APPDATA%\RemoteHost\remotehost.exe"'
- remotehost.exe
- %APPDATA%\assignedaccessproviderevents\assignedaccessruntime.bat
- %APPDATA%\remotehost\remotehost.exe
- %TEMP%\install.vbs
- %TEMP%\install.vbs
- '18#.#47.228.191':6677
- '18#.#47.228.191':6767
- '<SYSTEM32>\wscript.exe' "%TEMP%\install.vbs"
- '%APPDATA%\remotehost\remotehost.exe'
- '<SYSTEM32>\wscript.exe' "%TEMP%\install.vbs"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%APPDATA%\RemoteHost\remotehost.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%APPDATA%\RemoteHost\remotehost.exe"