Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Version2' = 'C:\tmp\PowerTCP.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WarnOnOpen' = '<Полный путь к файлу>'
  (Persistence: both values sit in the current user's Run key, so they execute at every logon of that user without requiring administrative rights. '<Полный путь к файлу>' is the report's placeholder for the full path of the analysed sample itself; the other value points to the binary compiled at runtime in C:\tmp, see the csc.exe entry below.)
- '<SYSTEM32>\at.exe' 17:03:57 PM"<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -NoP -W Hidden -EncodedCommand QwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHYAcwBzAGEAZABtAGkAbgAu...
- '<SYSTEM32>\cmd.exe' /c at 17:03:57 PM"<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -NoP -W Hidden -EncodedCommand QwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHYAcwBzAGEAZABtAG...
  (A scheduled task created via the legacy at.exe launches a hidden PowerShell with profile loading and the execution policy disabled. The -EncodedCommand payload is UTF-16LE base64; the visible prefix decodes to `C:\Windows\System32\vssadmin.` — the rest is truncated in the report, so the exact vssadmin arguments are not confirmed here, but given the ransom note below this is most likely shadow-copy deletion; obtain the full command line from the sandbox log before relying on it. Note the malformed time argument "17:03:57 PM": at.exe may reject it, so the task may never actually have run — check Task Scheduler / AT job artefacts on a real host rather than assuming success.)
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PowerTCP.exe c:\tmp\shell4444.cs & C:\tmp\PowerTCP.exe
  (The sample drops C# source (c:\tmp\shell4444.cs) and compiles it on the victim with the built-in .NET compiler, then runs the result; the binary therefore does not exist on disk before execution and evades hash-based detection. The /unsafe switch allows pointer/unmanaged code in the source. The name "shell4444" suggests a reverse or bind shell on TCP/4444, but the report does not show the source, so treat the port as unconfirmed. Detection opportunity: csc.exe spawned from cmd.exe/PowerShell with /out: targeting a user-writable directory, and PowerTCP.exe itself being referenced by the Run key above.)
- %HOMEPATH%\Desktop\READ_ME_For_decrypt.txt
  (Ransom note written to the user's desktop — this, together with the vssadmin invocation above, classifies the sample as ransomware; the note file name is a usable file-system indicator.)
- 'ra#.####ubusercontent.com':443
- 'im####.alphacoders.com':443
- 'wp#d':80
- 'oh##.##0webhostapp.com':80
  (The '#' characters are the report's masking of the real host names, not literal wildcards; the first two masked names are consistent with a raw GitHub content host and a public wallpaper site, which are commonly abused to stage payloads or the desktop background image, so block on the full, unmasked indicators rather than on these patterns.)
- http://oh##.##0webhostapp.com/cnc.php?tx########
- http://11#.#11.111.1/wpad.dat via wp#d
  (cnc.php over plain HTTP on a free web-hosting domain is the command-and-control endpoint; the masked query string is presumably a per-victim identifier or key-exchange parameter. The wpad.dat request is WinHTTP's standard proxy auto-discovery (WPAD) and is triggered by any HTTP client using the system proxy settings, so the 'wp#d' lookup and this URL should not be treated as malware-specific indicators — though a WPAD host under attacker control is itself a risk worth verifying.)
- DNS ASK ra#.####ubusercontent.com
- DNS ASK im####.alphacoders.com
- DNS ASK wp#d
- DNS ASK oh##.##0webhostapp.com