Once the user extracts and runs the file inside the archive, it executes a script [5].

The malware connects to a Command and Control (C2) server to receive instructions or upload stolen data [2, 3].

Recommended Actions 039-ch0c0l0.7z

It creates registry keys or scheduled tasks to ensure the malware runs every time the computer starts [3].

An file that downloads the final payload from a remote server [4, 6].

Typical Behavior (Infection Chain)
