Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\conhost.exe'
Modifies file system :
Creates the following files:
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_80070422_76a4385aa7fdcd3dc476f7ea51e8ea5565f02fd_0a610d97\Report.wer
Deletes the following files:
- %WINDIR%\Temp\MPTelemetrySubmit\client_manifest.txt
- %WINDIR%\Temp\MPTelemetrySubmit\watson_manifest.txt
Network activity:
Connects to:
- '20#.#6.232.182':80
- '58###1.ddnsd.eu':443
UDP:
- DNS ASK dn#.##ftncsi.com
- DNS ASK wa####.microsoft.com
- DNS ASK 58###1.ddnsd.eu
- '22#.0.0.252':5355