Техническая информация
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'cores' = '"<SYSTEM32>\cmd.exe" /c start "" "%WINDIR%\Setup\cores.exe" /A'
- %WINDIR%\syswow64\svchost.exe
- C:\-785654622-13301608491478068208.lnk
- %TEMP%\서현아 이력서.docx
- %WINDIR%\setup\cores.exe
- C:\-1711608957_-545871468.lnk
- C:\-1892318348_662431049.lnk
- %WINDIR%\setup\cores.kinf
- C:\-785654622-13301608491478068208.lnk
- C:\-1711608957_-545871468.lnk
- C:\-1892318348_662431049.lnk
- 'localhost':135
- DNS ASK ip#.#.gphi.site
- DNS ASK ip#.###i-gsaeyheq.top
- DNS ASK ip#.###i-adhaswe.xyz
- '%WINDIR%\setup\cores.exe'
- '%WINDIR%\syswow64\cmd.exe' /C "%WINDIR%\Setup\cores.exe" (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\서현아 이력서.docx" (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\서현아 이력서.docx"
- '%WINDIR%\syswow64\cmd.exe' /C "%WINDIR%\Setup\cores.exe"
- '%WINDIR%\syswow64\svchost.exe'
- '%ProgramFiles%\microsoft office\office14\winword.exe' /n "%TEMP%\서현아 이력서.docx"