Technical Information
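Registry values set (the default value, '', of each key). These entries change the machine-wide handling of the .exe extension, so they are the first values to check when triaging or cleaning an affected host:
- [<HKLM>\Software\Classes\.exe] '' = '<SYSTEM32>\Windows.HAHA_NIWANLE'
- [<HKLM>\Software\Classes\.exe\Shell\Open\Command] '' = '<SYSTEM32>\Windows.HAHA_NIWANLE'
- [<HKLM>\Software\Classes\.HAHA_NIWANLE\Shell\Open\Command] '' = 'exefile'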
- <SYSTEM32>\cmd.exe
- %TEMP%\1d01.tmp\1d22.tmp\1d23.bat
- %HOMEPATH%\desktop\1.bat
- %HOMEPATH%\desktop\2.bat
- %HOMEPATH%\desktop\3.bat
- %TEMP%\276d.tmp\276e.tmp\276f.bat
- <SYSTEM32>\windows.haha_niwanle
- <SYSTEM32>\haha.haha_nimeile
- C:\restart.txt
- %TEMP%\1d01.tmp\1d22.tmp\1d23.bat
- %TEMP%\276d.tmp\276e.tmp\276f.bat
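Command lines run. They cover batch scripts started through cmd.exe, an immediate restart (shutdown -r with a zero timeout), and an mshta.exe VBScript one-liner that calls ShellExecute with the "runas" verb (an elevation request) and window style 0 (hidden):
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\1D01.tmp\1D22.tmp\1D23.bat <Full path to file>"
- '<SYSTEM32>\cmd.exe' /K 1.bat
- '<SYSTEM32>\cmd.exe' /K 2.bat
- '<SYSTEM32>\cmd.exe' /K 3.bat
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\276D.tmp\276E.tmp\276F.bat <Full path to file>"
- '<SYSTEM32>\shutdown.exe' -r -t0
- '<SYSTEM32>\mshta.exe' vbscript:createobject("shell.application").shellexecute("""<Full path to file>""","::",,"runas",0)(window.close)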