Technical Information
- %WINDIR%\syswow64\wscript.exe
- iexplore.exe
- iexplore.exe process, wininet.dll module
- firefox.exe process, wininet.dll module
- from <Full path to file> to %TEMP%\1352216\....\temporaryfile
- 'pv.#ohu.com':80
- '61.##7.96.143':8056
- '61.##7.96.143':8055
- http://pv.#ohu.com/cityjson
- http://61.###.96.143:8056/api/admin/getPolicy?ex############################ via 61.##7.96.143
- http://61.###.96.143:8056/api/v2/listFollowExtra?fo############ via 61.##7.96.143
- DNS ASK pv.#ohu.com
- '%WINDIR%\syswow64\cmd.exe' /c del /f <Full path to file>' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe'
- '%WINDIR%\syswow64\cmd.exe' /c del /f <Full path to file>