Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Temp' = 'C:\$loading\Word\Pepper.exe'
- User Account Control (UAC)
- <Current directory>\tt.jpg
- %TEMP%\tall.zip
- C:\$loading\word\default.xml
- C:\$loading\word\enginedp.bat
- C:\$loading\word\hi.exe
- C:\$loading\word\pepper.exe
- <Full path to file>
- from <Full path to file> to %TEMP%\11555781234594240\....\temporaryfile
- 'a1#####4495a.oicp.vip':1527
- DNS ASK a1#####4495a.oicp.vip
- 'C:\$loading\word\hi.exe'
- 'C:\$loading\word\hi.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c C:\$loading\Word\EngineDP.bat' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c C:\$loading\Word\EngineDP.bat