Technical Information
- '' (downloaded from the Internet)
- %ALLUSERSPROFILE%\homo\libcef.dll
- %ALLUSERSPROFILE%\homo\tonseny.exe
- %ALLUSERSPROFILE%\homo\letsvpn-latest.exe
- '38.##.187.246':7890
- http://38.##.187.246:7890/lkpydll.txt via 38.##.187.246
- http://38.##.187.246:7890/lukepengy.txt via 38.##.187.246
- http://38.##.187.246:7890/zijidll.txt via 38.##.187.246
- http://38.##.187.246:7890/svchost.txt via 38.##.187.246
- http://38.##.187.246:7890/letsvpn-latest.exe via 38.##.187.246
- '%ALLUSERSPROFILE%\homo\tonseny.exe'
- '%ALLUSERSPROFILE%\homo\letsvpn-latest.exe'
- '%ALLUSERSPROFILE%\homo\tonseny.exe' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }" (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"