Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'A6F1F5BF2723BE87016A5DB0B8C9FBEA450E3A9F' = '%LOCALAPPDATA%\Microsoft\Windows\A6F1F5BF2723BE87016A5DB0B8C9FBEA450E3A9F.exe'
- <SYSTEM32>\tasks\svchost
- %HOMEPATH%\documents\idf.txt
- %LOCALAPPDATA%\bf80581621283eea64b5c5c1007d0083a17c2c8d.png
- from <Full path to file> to %LOCALAPPDATA%\microsoft\windows\a6f1f5bf2723be87016a5db0b8c9fbea450e3a9f.exe
- 'ix##re.biz':443
- 'ip#####.#hatismyipaddress.com':443
- 'di##ord.com':443
- DNS ASK ix##re.biz
- DNS ASK ip#####.#hatismyipaddress.com
- DNS ASK di##ord.com
- '<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "%LOCALAPPDATA%\Microsoft\Windows\A6F1F5BF2723BE87016A5DB0B8C9FBEA450E3A9F.exe" /rl HIGHEST /f