Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Command Processor] 'Autorun' = 'start %APPDATA%\OneDrive.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\startupname.vbs
- %WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe
- %APPDATA%\onedrive.exe
- %APPDATA%\remcos\logs.dat
- DNS ASK we####grace.ddns.me
- '%WINDIR%\syswow64\cscript.exe' //B //Nologo %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\startupname.vbs (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' //B //Nologo %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\startupname.vbs
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe'