Technical Information
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>.exe' = '%APPDATA%\<File name>.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\winder.lnk
- C:\systemprogram\<File name>.exe
- %APPDATA%\microsoft\vbs1.vbs
- C:\systemprogram\<File name>.exe
- %APPDATA%\microsoft\vbs1.vbs
- from <Full path to file> to %APPDATA%\<File name>.exe
- '49.##5.201.86':4465
- '<LOCALNET>.2.29':0
- ClassName: '' WindowName: 'wscript.exe'
- ClassName: '#32770' WindowName: '视频源'
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\Microsoft\VBS1.vbs"