Technical Information
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\f58155b4b1d5a524ca0261c3ee99fb50_d4602615-9d50-4880-be41-678935e93eaa
- '18#.#17.75.111':80
- http://18#.#17.75.111/sin.png
- '%WINDIR%\syswow64\cmd.exe' PowerShell "Start-Sleep 10; Remove-Item <Full path to file>" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' PowerShell "Start-Sleep 10; Remove-Item <Full path to file>"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "Start-Sleep 10; Remove-Item <Full path to file>"