Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\unntjipely.url
- %TEMP%\ixp000.tmp\sorridente.ppsx
- %TEMP%\ixp000.tmp\avvelenate.bmp
- %TEMP%\ixp000.tmp\inespresso.xlsm
- %TEMP%\ixp000.tmp\pensai.xll
- %TEMP%\ixp000.tmp\indicibile.com
- %APPDATA%\dacxuutoil\qgijxdbnr
- %APPDATA%\dacxuutoil\unntjipely.com
- %APPDATA%\dacxuutoil\inespresso.xlsm
- %APPDATA%\dacxuutoil\tlraxi.js
- %TEMP%\ixp000.tmp\avvelenate.bmp
- %TEMP%\ixp000.tmp\inespresso.xlsm
- %TEMP%\ixp000.tmp\pensai.xll
- %TEMP%\ixp000.tmp\sorridente.ppsx
- %TEMP%\ixp000.tmp\indicibile.com
- DNS ASK Ka###########hYVQOxUUSj.KaSzjoLsQdHHRhYVQOxUUSj
- '%TEMP%\ixp000.tmp\indicibile.com' Avvelenate.bmp
- '%WINDIR%\syswow64\cmd.exe' /c cmd < Pensai.xll (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c kWVICA (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c kWVICA
- '%WINDIR%\syswow64\cmd.exe' /c cmd < Pensai.xll
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\findstr.exe' /V /R "^PezDHcDOyTUXYowHLWSjrrYddvoFPhAhfJxUvPVlMOxeagyDNUFZYqeLrejkhYZRzHIgNukWwHmfIVYedESUHBf$" Sorridente.ppsx
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 30