Technical Information
- %WINDIR%\syswow64\wscript.exe
- iexplore.exe
- iexplore.exe process, wininet.dll module
- from <Full path to file> to %TEMP%\1168650\....\temporaryfile
- '%WINDIR%\syswow64\cmd.exe' /c del /f <Full path to file>' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe'
- '%WINDIR%\syswow64\cmd.exe' /c del /f <Full path to file>