Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\projectx.lnk
- %APPDATA%\microsoft\windows\start menu\programs\cocbuilder server's\projectx\projectx.lnk
- %HOMEPATH%\desktop\projectx.lnk
- %TEMP%\tmpb1ed.tmp
- %TEMP%\tmpb1fd.tmp
- %TEMP%\tmpb22b.tmp
- %TEMP%\tmpbb92.tmp
- http://os##.#ocbuilder.su/CodeSigning/1/RevokeList.crl
- http://os##.#ocbuilder.su/Main/RevokeList.crl
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
- DNS ASK os##.#ocbuilder.su
- DNS ASK ap#.##cbuilder.su
- DNS ASK ga###.#ytescience.pro
- DNS ASK oc##.thawte.com
- '<SYSTEM32>\wisptis.exe' /ManualLaunch; (with hidden window)
- '<SYSTEM32>\wisptis.exe' /ManualLaunch;
- '<SYSTEM32>\route.exe' delete 85.119.149.111
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule remoteip=85.119.149.111 name=all
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule remoteip=85.119.149.111/31 name=all
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule dir=out name=all