Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'IEMain' = '%APPDATA%\IEMain\IEMain.exe'
- %APPDATA%\iemain\iemain.exe
- %APPDATA%\pc28work\svchost.dll
- http://g.##ke.me/czapi/pc28/FileList.json
- http://g.##ke.me/czapi/pc28/down/pc001.dll
- http://g.##ke.me/czapi/exe/update.json
- DNS ASK g.##ke.me
- DNS ASK f.##ke.me
- ClassName: 'PC28iQStartForm2018' WindowName: ''
- ClassName: 'PC28PC_MainForm' WindowName: ''
- ClassName: 'PC28iQHostForm2018' WindowName: ''
- '%APPDATA%\iemain\iemain.exe'
- '%APPDATA%\iemain\iemain.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3&del /q "<Full path to file>" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3&del /q "<Full path to file>"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3