Technical Information (sandbox-observed indicators: per-user Run-key autostart entries, dropped files, network endpoints and launched command lines; note that the IP addresses, the contacted domain and the URL query string below are partially masked with '#' and cannot be used verbatim as IOCs)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wiseman' = 'C:\wiseman.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'EvtMgr' = '%WINDIR%\SysWOW64\rundll32.exe "d:\xzfgex\dzxie.zid",XML_MemFree'
- '%WINDIR%\syswow64\taskkill.exe' /f /im attrib.exe
- %TEMP%\uqbit.exe
- C:\wiseman.exe
- D:\xzfgex\dzxie.zid
- C:\1.txt
- %TEMP%\uqbit.exe
- '10#.#63.241.197':12354
- '10#.#63.241.198':6520
- http://ap#.###emansupport.com/wms/inf.php?pi#########################
- DNS ASK ap#.###emansupport.com
- ClassName: '' WindowName: ''
- '%TEMP%\uqbit.exe' "<Full path to file>"
- 'C:\wiseman.exe'
- '%WINDIR%\syswow64\cmd.exe' '/c ping 127.0.0.1 -n 2&%TEMP%\\uqbit.exe "<Full path to file>"' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' '/f /im attrib.exe' (with hidden window)
- 'C:\wiseman.exe' '' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 2&%TEMP%\\uqbit.exe "<Full path to file>"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 2
- '%WINDIR%\syswow64\rundll32.exe' "d:\xzfgex\dzxie.zid",XML_MemFree %TEMP%\uqbit.exe