Technical Information
- <SYSTEM32>\tasks\rrbqes.exe
- %APPDATA%\windata\sdiyjg.exe
- %TEMP%\rrbqes.vbs
- 'al####.hopto.org':4000
- DNS ASK al####.hopto.org
- '%WINDIR%\syswow64\wscript.exe' %TEMP%\RRBQES.vbs
- '%APPDATA%\windata\sdiyjg.exe'
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn RRBQES.exe /tr %APPDATA%\Windata\SDIYJG.exe /sc minute /mo 1' (with hidden window)
- '%APPDATA%\windata\sdiyjg.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn RRBQES.exe /tr %APPDATA%\Windata\SDIYJG.exe /sc minute /mo 1
- '%WINDIR%\syswow64\schtasks.exe' /create /tn RRBQES.exe /tr %APPDATA%\Windata\SDIYJG.exe /sc minute /mo 1
- '<SYSTEM32>\taskeng.exe' {76E47A30-CE70-424F-A27F-6920194B8723} S-1-5-21-1960123792-2022915161-3775307078-1001:udskhknydaa\user:Interactive:[1]