As you can observe, the host argument is constructed using the Substring() function, which extracts the IP address from the long string.
Conclusion: Our code is used to initiate a remote connection and open a process with the “CmD.eXE” executable that is being hosted on that server.
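For triage, the Substring() trick described above can be undone statically, without running the script. The following is an added example, not code from the original post: the function names and the sample script are constructed for illustration, and 192.0.2.10 is a documentation address.

```python
import ipaddress
import re

# Matches "literal".Substring(start) or "literal".Substring(start, length),
# with single- or double-quoted literals (PowerShell and C# style).
SUBSTRING_CALL = re.compile(
    r"""(?P<q>["'])(?P<text>.*?)(?P=q)\s*\.\s*Substring\s*\(\s*
        (?P<start>\d+)\s*(?:,\s*(?P<length>\d+)\s*)?\)""",
    re.IGNORECASE | re.VERBOSE,
)
# cmd.exe in any letter case, such as the "CmD.eXE" spelling.
CMD_ANY_CASE = re.compile(r"\bcmd\.exe\b", re.IGNORECASE)


def resolve_substrings(script):
    """Statically evaluate literal .Substring() calls and return the results."""
    resolved = []
    for m in SUBSTRING_CALL.finditer(script):
        text, start = m.group("text"), int(m.group("start"))
        length = m.group("length")
        end = len(text) if length is None else start + int(length)
        # .NET throws ArgumentOutOfRangeException here; skip instead of guessing.
        if start > len(text) or end > len(text):
            continue
        resolved.append(text[start:end])
    return resolved


def hidden_hosts(script):
    """Return the resolved substrings that parse as IPv4 or IPv6 addresses."""
    hosts = []
    for value in resolve_substrings(script):
        try:
            hosts.append(str(ipaddress.ip_address(value)))
        except ValueError:
            pass  # resolved text is not an IP address
    return hosts


def mixed_case_cmd(script):
    """Return cmd.exe spellings that are neither all lower nor all upper case."""
    return [s for s in CMD_ANY_CASE.findall(script)
            if s not in (s.lower(), s.upper())]


# Constructed sample (assumption, not the script analysed in the post).
SAMPLE = '''
$h = "xk3Zq192.0.2.10pLm9".Substring(5, 10)
$p = "CmD.eXE"
'''
```

Only calls on string literals are resolved; a Substring() applied to a variable or a concatenated value needs the literal traced by hand or with a real parser.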
The user was supposed to create the configuration of the ransomware implant from the command line by completing the C2 details, the language of the implant (PowerShell, C#, Python), the persistence mode (None, Scheduled Task, New Account Creation), the password for decryption, and the list of file extensions to be encrypted.
The activities were done in a simulated environment. No illegal hacking attempts were performed and I strictly discourage any such actions.