Technical Information (observed artifacts: an HKCU Run-key autorun entry, files dropped under %TEMP%\gg, a DNS lookup and connection to a masked interia.pl host on TCP 587 — the SMTP submission port — and the command lines executed, including wscript.exe running the .vbe scripts and nircmd.exe capturing a screenshot to screen.jpg; persistence is per-user, so no elevation is required)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'vbe' = '%TEMP%\gg\screen.vbe'
- %TEMP%\gg\regadd.vbe
- %TEMP%\gg\nircmd.exe
- %TEMP%\gg\screen.vbe
- %TEMP%\gg\send.vbe
- %TEMP%\gg\screen.jpg
- 'po####.interia.pl':587
- DNS ASK po####.interia.pl
- ClassName: 'EDIT' WindowName: ''
- '<SYSTEM32>\wscript.exe' "%TEMP%\gg\regadd.vbe"
- '<SYSTEM32>\wscript.exe' "%TEMP%\gg\screen.vbe"
- '%TEMP%\gg\nircmd.exe' savescreenshot %TEMP%\gg\screen.jpg
- '<SYSTEM32>\wscript.exe' "%TEMP%\gg\send.vbe"
- '<SYSTEM32>\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v vbe /d %TEMP%\gg\screen.vbe
- '<SYSTEM32>\cmd.exe' /c "mkdir %TEMP%\gg"
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v vbe /d %TEMP%\gg\screen.vbe
- '<SYSTEM32>\cmd.exe' /C %TEMP%\gg\nircmd.exe savescreenshot %TEMP%\gg\screen.jpg
- '<SYSTEM32>\cmd.exe' /C %TEMP%\gg\send.vbe