Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Ordnz' = '"%APPDATA%\Zbqslrtxt\Ordnz.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'DBqQu' = '%APPDATA%\DBqQu\DBqQu.exe'
- %APPDATA%\zbqslrtxt\ordnz.exe
- %APPDATA%\dbqqu\dbqqu.exe
- 'fl####ipoil.info':80
- http://fl####ipoil.info/PYJXVozG/Fsfdvseb_Ilshunxb.png
- DNS ASK fl####ipoil.info
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA== (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==