Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\conhost.exe'
Modifies file system :
Creates the following files:
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_80070422_76a4385aa7fdcd3dc476f7ea51e8ea5565f02fd_07045225\Report.wer
- %WINDIR%\Temp\MPTelemetrySubmit\watson_manifest.txt
- %WINDIR%\Temp\MPTelemetrySubmit\client_manifest.txt
Deletes the following files:
- %WINDIR%\Temp\MPTelemetrySubmit\client_manifest.txt
- %WINDIR%\Temp\MPTelemetrySubmit\watson_manifest.txt
Network activity:
Connects to:
- '20#.#6.232.182':80
TCP:
HTTP GET requests:
- 20#.#6.232.182/fwlink/?Li######################################################################################################
UDP:
- DNS ASK go.###rosoft.com
- DNS ASK wa####.microsoft.com
- '22#.0.0.252':5355