It creates scheduled tasks or registry keys to ensure it runs every time the computer starts. Data Theft Capabilities
Sends stolen data back to a Command and Control (C2) server via SMTP, FTP, or Telegram API. Indicators of Compromise (IoCs) PL_BFRn.rar
The malware often uses "Process Hollowing" to inject code into legitimate Windows processes (like vbc.exe or RegAsm.exe ). It creates scheduled tasks or registry keys to
Check %AppData% or %Temp% for randomly named .exe files. and clipboard data.
Stealing credentials, keystrokes, and clipboard data.