Technical Information
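Registry values (the `.exe` file-association keys, whose default value on Windows is `exefile`, are pointed at `<SYSTEM32>\Windows.HAHA_NIWANLE`; changes under `<HKLM>\Software\Classes\.exe` are worth alerting on):
- [<HKLM>\Software\Classes\.exe] '' = '<SYSTEM32>\Windows.HAHA_NIWANLE'
- [<HKLM>\Software\Classes\.exe\Shell\Open\Command] '' = '<SYSTEM32>\Windows.HAHA_NIWANLE'
- [<HKLM>\Software\Classes\.HAHA_NIWANLE\Shell\Open\Command] '' = 'exefile'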
- %HOMEPATH%\desktop\1.bat
- %HOMEPATH%\desktop\2.bat
- %HOMEPATH%\desktop\3.bat
- <SYSTEM32>\windows.haha_niwanle
- <SYSTEM32>\haha.haha_nimeile
- C:\restart.txt
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- '<SYSTEM32>\cmd.exe' /C "<PATH_SAMPLE>.bat" :: (with hidden window)
- '<SYSTEM32>\cmd.exe' /K 1.bat
- '<SYSTEM32>\cmd.exe' /K 2.bat
- '<SYSTEM32>\cmd.exe' /K 3.bat
- '<SYSTEM32>\cmd.exe' /K <PATH_SAMPLE>.bat
- '<SYSTEM32>\shutdown.exe' -r -t0
- '<SYSTEM32>\mshta.exe' vbscript:createobject("shell.application").shellexecute("""<PATH_SAMPLE>.bat""","::",,"runas",0)(window.close)
- '<SYSTEM32>\cmd.exe' /C "<PATH_SAMPLE>.bat" :
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL <SYSTEM32>\HAHA.HAHA_NIMEILE