Техническая информация
- [\REGISTRY\USER\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run] '772d3e1cf411932582ba4607caf9d2f7' = '"%WINDIR%\TEMP\ Explorer.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '772d3e1cf411932582ba4607caf9d2f7' = '"%WINDIR%\TEMP\ Explorer.exe" ..'
- <SYSTEM32>\tasks\microsoft\windows\windows printer manager\2
- <SYSTEM32>\tasks\microsoft\windows\windows printer manager\3
- <SYSTEM32>\tasks\microsoft\windows\windows printer manager\4
- <SYSTEM32>\tasks\microsoft\windows\windows printer manager\5
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\TEMP\ Explorer.exe" " Explorer.exe" ENABLE
- %TEMP%\b721.tmp\bat.bat
- <LS_APPDATA>\dyna\loot\thunderbird\key3.db
- <LS_APPDATA>\dyna\loot\steam\config.vdf
- %TEMP%\mo378fm4.0.cs
- %TEMP%\mo378fm4.cmdline
- %TEMP%\mo378fm4.out
- %PROGRAMDATA%\helper.exe
- %PROGRAMDATA%\cwin.exe
- %PROGRAMDATA%\rec.exe
- <LS_APPDATA>\dyna\loot\firefox\places.sqlite
- <LS_APPDATA>\dyna\loot\thunderbird\cert8.db
- %TEMP%\cscb603.tmp
- %TEMP%\7ac7qdyh.0.cs
- %TEMP%\7ac7qdyh.cmdline
- %TEMP%\7ac7qdyh.out
- %TEMP%\csc2fb.tmp
- %TEMP%\res2fc.tmp
- %TEMP%\7ac7qdyh.dll
- %TEMP%\eo5-5pa8.0.cs
- %TEMP%\eo5-5pa8.cmdline
- %TEMP%\resb614.tmp
- %TEMP%\mo378fm4.dll
- <LS_APPDATA>\dyna\loot\firefox\key3.db
- <LS_APPDATA>\dyna\loot\chrome\history
- <LS_APPDATA>\dyna\loot\chrome\cookies
- %TEMP%\b721.tmp\t2.crt
- %TEMP%\b721.tmp\t3.crt
- %TEMP%\b721.tmp\t4.crt
- %TEMP%\b721.tmp\t5.crt
- %TEMP%\b721.tmp\res.crt
- %TEMP%\b721.tmp\kl.crt
- %TEMP%\b721.tmp\st.crt
- %TEMP%\b721.tmp\cry.crt
- <LS_APPDATA>\dyna\res
- %TEMP%\b721.tmp\bd.crt
- <LS_APPDATA>\dyna\kl.exe
- <LS_APPDATA>\dyna\cry.exe
- %TEMP%\t2.xml
- %TEMP%\t3.xml
- %TEMP%\t4.xml
- %TEMP%\t5.xml
- %PROGRAMDATA%\bd.exe
- %WINDIR%\temp\ explorer.exe
- C:\772d3e1cf411932582ba4607caf9d2f7.exe
- %PROGRAMDATA%\mspm5.exe
- <LS_APPDATA>\dyna\st.exe
- %TEMP%\eo5-5pa8.out
- %TEMP%\csc155a.tmp
- %TEMP%\t2.xml
- %TEMP%\csc2fb.tmp
- %TEMP%\7ac7qdyh.0.cs
- %TEMP%\7ac7qdyh.out
- %TEMP%\7ac7qdyh.dll
- %TEMP%\7ac7qdyh.pdb
- %TEMP%\7ac7qdyh.cmdline
- %TEMP%\csc155a.tmp
- %TEMP%\eo5-5pa8.out
- %TEMP%\eo5-5pa8.cmdline
- %TEMP%\eo5-5pa8.pdb
- %TEMP%\eo5-5pa8.0.cs
- %PROGRAMDATA%\mspm5.exe
- <LS_APPDATA>\dyna\loot\chrome\cookies
- <LS_APPDATA>\dyna\loot\chrome\history
- <LS_APPDATA>\dyna\loot\firefox\key3.db
- <LS_APPDATA>\dyna\loot\firefox\places.sqlite
- <LS_APPDATA>\dyna\loot\steam\config.vdf
- %TEMP%\res2fc.tmp
- <LS_APPDATA>\dyna\loot\thunderbird\cert8.db
- %TEMP%\mo378fm4.dll
- %TEMP%\mo378fm4.0.cs
- %TEMP%\t3.xml
- %TEMP%\t4.xml
- %TEMP%\t5.xml
- %TEMP%\b721.tmp\bd.crt
- %TEMP%\b721.tmp\t2.crt
- %TEMP%\b721.tmp\t3.crt
- %TEMP%\b721.tmp\t4.crt
- %TEMP%\b721.tmp\t5.crt
- %TEMP%\b721.tmp\res.crt
- %TEMP%\b721.tmp\kl.crt
- %TEMP%\b721.tmp\st.crt
- %TEMP%\b721.tmp\cry.crt
- %TEMP%\b721.tmp\bat.bat
- %TEMP%\resb614.tmp
- %TEMP%\cscb603.tmp
- %TEMP%\mo378fm4.cmdline
- %TEMP%\mo378fm4.pdb
- %TEMP%\mo378fm4.out
- <LS_APPDATA>\dyna\loot\thunderbird\key3.db
- 'localhost':5553
- '<LS_APPDATA>\dyna\kl.exe'
- '<LS_APPDATA>\dyna\st.exe'
- '<LS_APPDATA>\dyna\cry.exe'
- '%PROGRAMDATA%\mspm5.exe' -f <LS_APPDATA>\dyna\loot\browserpass.txt
- '%PROGRAMDATA%\bd.exe'
- '%WINDIR%\temp\ explorer.exe'
- '%PROGRAMDATA%\rec.exe' "<LS_APPDATA>\dyna\loot\MicRecording\7/19/2019.wav"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\B721.tmp\bat.bat" "<Полный путь к файлу>""' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5070.tmp" "%TEMP%\CSC506F.tmp"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k7l5_cr4.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES155B.tmp" "%TEMP%\CSC155A.tmp"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eo5-5pa8.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2FC.tmp" "%TEMP%\CSC2FB.tmp"' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewANAAoAIwBZADEAdwBlAHYAdAB1AHQAaQBsACAAZQBsACAAfAAgAEYAbwByAGUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAdwBlAHYAdAB1AHQAaQBsACAAYwBsACAAIgAkAF8AIgB9AA0A...' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB614.tmp" "%TEMP%\CSCB603.tmp"' (со скрытым окном)
- '%PROGRAMDATA%\rec.exe' "<LS_APPDATA>\dyna\loot\MicRecording\7/19/2019.wav"' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc IAAkAGwAbwBvAHQAIAA9ACAAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAIAArACAAIgBcAGQAeQBuAGEAXABsAG8AbwB0AFwASwBlAHkAbABvAGcAXAAiACkAOwAgAG0AZAAgACQAbABvAG8AdAAKAGYAdQBuAGMA...' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc JABwAGEAcwBzAD0AKAAnACcAKQANAAoAJABkAHIAaQB2AGUAcwAgAD0AIAA2ADUALgAuADkAMAAgAHwAIABmAG8AcgBlAGEAYwBoACAAewBbAGMAaABhAHIAXQAkAF8AfQANAAoAIwBYADMAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIA...' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oc5fjzhj.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mo378fm4.cmdline"' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc IwBYADEAJABmAHQAcAAgAD0AIAAiAGYAdABwADoALwAvAC8AIgANAAoAIwBYADEAJAB1AHMAZQByACAAPQAgACIAIgANAAoAIwBYADEAJABwAGEAcwBzACAAPQAgACIAIgANAAoAJABsAG8AbwB0ACAAPQAgACgAJABlAG4AdgA6AEwA...' (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\TEMP\ Explorer.exe" " Explorer.exe" ENABLE' (со скрытым окном)
- '%PROGRAMDATA%\bd.exe' ' (со скрытым окном)
- '<LS_APPDATA>\dyna\cry.exe' ' (со скрытым окном)
- '<LS_APPDATA>\dyna\st.exe' ' (со скрытым окном)
- '<LS_APPDATA>\dyna\kl.exe' ' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\7ac7qdyh.cmdline"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES630D.tmp" "%TEMP%\CSC62FD.tmp"' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\B721.tmp\bat.bat" "<Полный путь к файлу>""
- '<SYSTEM32>\schtasks.exe' /run /TN "Microsoft\Windows\Windows Printer Manager\5"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc IwBYADEAJABmAHQAcAAgAD0AIAAiAGYAdABwADoALwAvAC8AIgANAAoAIwBYADEAJAB1AHMAZQByACAAPQAgACIAIgANAAoAIwBYADEAJABwAGEAcwBzACAAPQAgACIAIgANAAoAJABsAG8AbwB0ACAAPQAgACgAJABlAG4AdgA6AEwA...
- '<SYSTEM32>\reg.exe' export HKEY_CURRENT_USER\Software\Skype\ProtectedStorage <LS_APPDATA>\dyna\loot\\Skype\skype_regkeys.reg
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc IAAkAGwAbwBvAHQAIAA9ACAAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAIAArACAAIgBcAGQAeQBuAGEAXABsAG8AbwB0AFwASwBlAHkAbABvAGcAXAAiACkAOwAgAG0AZAAgACQAbABvAG8AdAAKAGYAdQBuAGMA...
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mo378fm4.cmdline"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc JABwAGEAcwBzAD0AKAAnACcAKQANAAoAJABkAHIAaQB2AGUAcwAgAD0AIAA2ADUALgAuADkAMAAgAHwAIABmAG8AcgBlAGEAYwBoACAAewBbAGMAaABhAHIAXQAkAF8AfQANAAoAIwBYADMAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIA...
- '<SYSTEM32>\certutil.exe' -decode t4.crt %TEMP%\t4.xml
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewANAAoAIwBZADEAdwBlAHYAdAB1AHQAaQBsACAAZQBsACAAfAAgAEYAbwByAGUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAdwBlAHYAdAB1AHQAaQBsACAAYwBsACAAIgAkAF8AIgB9AA0A...
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\7ac7qdyh.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2FC.tmp" "%TEMP%\CSC2FB.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eo5-5pa8.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES155B.tmp" "%TEMP%\CSC155A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k7l5_cr4.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5070.tmp" "%TEMP%\CSC506F.tmp"
- '<SYSTEM32>\schtasks.exe' /run /TN "Microsoft\Windows\Windows Printer Manager\3"
- '<SYSTEM32>\schtasks.exe' /run /TN "Microsoft\Windows\Windows Printer Manager\4"
- '<SYSTEM32>\taskeng.exe' {63545AA1-6576-4817-B049-8BE0269CB60A} S-1-5-21-1960123792-2022915161-3775307078-1001:qnxvubhhz\user:Interactive:[1]
- '<SYSTEM32>\schtasks.exe' /run /TN "Microsoft\Windows\Windows Printer Manager\2"
- '<SYSTEM32>\schtasks.exe' /run /TN "Microsoft\Windows\Windows Printer Manager\1"
- '<SYSTEM32>\certutil.exe' -decode res.crt <LS_APPDATA>\dyna\res
- '<SYSTEM32>\certutil.exe' -decode kl.crt <LS_APPDATA>\dyna\kl.exe
- '<SYSTEM32>\certutil.exe' -decode st.crt <LS_APPDATA>\dyna\st.exe
- '<SYSTEM32>\certutil.exe' -decode cry.crt <LS_APPDATA>\dyna\cry.exe
- '<SYSTEM32>\certutil.exe' -decode t1.crt %TEMP%\t1.xml
- '<SYSTEM32>\certutil.exe' -decode t2.crt %TEMP%\t2.xml
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oc5fjzhj.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB614.tmp" "%TEMP%\CSCB603.tmp"
- '<SYSTEM32>\certutil.exe' -decode t3.crt %TEMP%\t3.xml
- '<SYSTEM32>\certutil.exe' -decode bd.crt %PROGRAMDATA%\bd.exe
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Windows Printer Manager\1" /XML %TEMP%\t1.xml
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Windows Printer Manager\2" /XML %TEMP%\t2.xml
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Windows Printer Manager\3" /XML %TEMP%\t3.xml
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Windows Printer Manager\4" /XML %TEMP%\t4.xml
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Windows Printer Manager\5" /XML %TEMP%\t5.xml
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -win hidden -enc JABsAG8AbwB0ACAAPQAgACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACAAKwAgACIAXABkAHkAbgBhAFwAIgApADsAIABtAGQAIAAkAGwAbwBvAHQACgBjAGUAcgB0AHUAdABpAGwAIAAtAGQAZQBjAG8AZABlACAA...
- '<SYSTEM32>\certutil.exe' -decode t5.crt %TEMP%\t5.xml
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES630D.tmp" "%TEMP%\CSC62FD.tmp"