Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
- %TEMP%\IXP000.TMP\7za.dll
- %TEMP%\IXP000.TMP\7za.exe
- %TEMP%\IXP000.TMP\7zxa.dll
- %TEMP%\IXP000.TMP\KBIkQEQnFy.7z
- %TEMP%\IXP000.TMP\run.cmd
- %TEMP%\IXP000.TMP\run.exe
- %TEMP%\IXP000.TMP\kYCps4brBe.vbe
- %TEMP%\IXP000.TMP\laA2d4zpy2.vbe
- %TEMP%\IXP000.TMP\rN7rlXj8HL.pfx
- %TEMP%\IXP000.TMP\rr.vbe
- %TEMP%\IXP000.TMP\RxbFCxF3ft.reg
- %TEMP%\IXP000.TMP\wGWT4Sa8VR.bat
- %TEMP%\IXP000.TMP\ww.json
- %TEMP%\IXP000.TMP\XCYK6sU1qn.crt
- %TEMP%\IXP000.TMP\Ijh4NGsQL6.exe
- %TEMP%\IXP000.TMP\ww.exe
- 'localhost':1037
- 'ev##tz.win':13463
- DNS ASK ev##tz.win
- '%TEMP%\IXP000.TMP\7za.exe' e -pVzkR3tWk4yGrUHo2 KBIkQEQnFy.7z
- '<SYSTEM32>\cmd.exe' /c run.cmd
- '<SYSTEM32>\cscript.exe' kYCps4brBe.vbe 0
- '<SYSTEM32>\cmd.exe' /c certutil -store Root | find "InvoiceSmash"
- '<SYSTEM32>\cmd.exe' /c certutil -store TRUSTEDPEOPLE | find "InvoiceSmash"
- '<SYSTEM32>\cmd.exe' /c type <DRIVERS>\etc\hosts | find "104.251.211.173 clients2.google.com"
- '<SYSTEM32>\cmd.exe' /S /D /c" type <DRIVERS>\etc\hosts "
- '<SYSTEM32>\find.exe' "104.251.211.173 clients2.google.com"