Техническая информация
- '%APPDATA%\t.exe'
- %HOMEPATH%\desktop\adadsi.html
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\coffee.bmp
- %HOMEPATH%\desktop\default.bmp
- %HOMEPATH%\desktop\dial.bmp
- %HOMEPATH%\desktop\dialmap.bmp
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
- %HOMEPATH%\desktop\ituneshelpunavailable.html
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\tileimage.bmp
- %HOMEPATH%\desktop\tree_view.htm
- %HOMEPATH%\desktop\trivial-merge.html
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
- %APPDATA%\t.exe
- %HOMEPATH%\jdfg8e929.txt
- %HOMEPATH%\desktop\read_it_prp.txt
- %HOMEPATH%\desktop\read_it_prp.txt.prp
- из %HOMEPATH%\desktop\read_it_prp.txt в %HOMEPATH%\desktop\read_it_prp.txt.prp
- http://nj######lp2eut2o.onion.ly/write.php?co############################################################################
- DNS ASK go##le.pl
- DNS ASK nj######lp2eut2o.onion.ly
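- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle hidden -command [IO.File]::WriteAllBytes('%APPDATA%\t.exe', [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4...' (со скрытым окном)
  Примечание: строка Base64 в записи сокращена («...»). Её начало «TVqQ» после декодирования даёт байты 4D 5A 90 — сигнатуру «MZ» исполняемого PE-файла, то есть команда декодирует встроенный исполняемый файл и записывает его в %APPDATA%\t.exe. Для обнаружения пригодны записи журналов о запуске powershell.exe с параметром -WindowStyle hidden и вызовом FromBase64String в командной строке.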