Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\slui.exe' -Embedding
Network activity:
Connects to:
- '20#.#6.232.182':80
- 'download.windowsupdate.com':80
UDP:
- DNS ASK do#####d.microsoft.com
- DNS ASK www.up####.microsoft.com
- DNS ASK download.windowsupdate.com
- DNS ASK dn#.##ftncsi.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'