Introduction

Fox_threatintel tweeted recently about an open directory on 91.215.85.18:9380/. I downloaded all the files from this directory and stumbled upon a ‘cleaner’ script, which we will examine in this short blog post. The original script is available on VirusTotal.

Figure 1: Tweet from Fox_threatintel

Find installed software

First, the script defines an array ($uninstallKeys), holding two registry keys:

$uninstallKeys = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"...