Technical Information
- '%TEMP%\dl-13771786398931657719479565459.exe'
- %APPDATA%\stwydksrmu.js
- %APPDATA%\czhlvnu.txt
- %TEMP%\dl-13771786398931657719479565459.exe
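- '20#.#67.64.122':80 (the # characters appear to be masking applied by the report, so the full address is not given; the two URLs that follow use the same masked host)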
- http://20#.#67.64.122/Doswarz.exe
- http://20#.#67.64.122/Doswarz_Tnrllvml.bmp
- 'sn####.duckdns.org':3369
- DNS ASK sn####.duckdns.org
- '<SYSTEM32>\wscript.exe' "%APPDATA%\sTWydKSRmU.js"
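- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== (with hidden window; the -enc argument is Base64-encoded UTF-16LE and decodes to "Start-Sleep -Seconds 50", i.e. a 50-second delay)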
- '%ProgramFiles%\java\jre1.8.0_45\bin\javaw.exe' -jar "%APPDATA%\czhlvnu.txt"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== (the -enc argument is Base64-encoded UTF-16LE and decodes to "Start-Sleep -Seconds 50")