Technical Information
Malicious functions
Creates and executes the following (exploit)
- 'C:\users\public\dahost.exe'
Modifies file system
Creates the following files
- C:\users\public\dahost.exe
- %TEMP%\barokstilens\tangentialarmens\satiated\aftener139\genii\undercapitalisation.uni
- %TEMP%\barokstilens\tangentialarmens\satiated\aftener139\genii\airways_12.bmp
- %TEMP%\barokstilens\tangentialarmens\satiated\bondmanship\ompostere\dkkeserviettens\stvlekngtens\edit-clear-symbolic.svg
- %TEMP%\nsc3821.tmp\system.dll
Network activity
Connects to
- '18#.#52.179.254':80
TCP
HTTP GET requests
- http://18#.#52.179.254/data/loki.exe
Other
- '34.##9.100.209':443
Miscellaneous
Searches for the following windows
- ClassName: '#32770' WindowName: ''
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
