Техническая информация
- <SYSTEM32>\tasks\u-6-4-23-1115341240-1364349867-1310312127-9733\{c8vq4suz-aopm-5puv-iwp4-4w2m2smypl74} (файл задания в каталоге Планировщика заданий Windows; судя по пути, служит для автозапуска)
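- из <Полный путь к файлу> в %PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d\kbda3.exe (имя каталога назначения по формату напоминает имя каталога сборки из хранилища компонентов Windows (WinSxS), но сам каталог находится в %PROGRAMDATA%, где таких каталогов обычно нет)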
- '%WINDIR%\syswow64\cmd.exe' /c icacls "%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "%PROGRAMDATA%\msil_mi...' (со скрытым окном)
- '%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d\kbda3.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c icacls "%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "%PROGRAMDATA%\msil_mi...
- '%WINDIR%\syswow64\icacls.exe' "%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\icacls.exe' "%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
- '<SYSTEM32>\taskeng.exe' {E00896BE-EA83-4EC7-BDF8-80BA4C95E3A8} S-1-5-21-1960123792-2022915161-3775307078-1001:nzqoqvbu\user:Interactive:[1]
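- '%WINDIR%\syswow64\icacls.exe' "%PROGRAMDATA%\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_10.0.18362.1_none_3d9c35163560158d" /inheritance:e /deny "user:(R,REA,RA,RD)"

Примечание: в приведённых выше командах icacls S-1-1-0 — общеизвестный SID группы «Все» (Everyone), S-1-5-7 — «Анонимный вход» (Anonymous Logon), а «user» — имя локальной учётной записи. Права R, REA, RA и RD — это чтение, чтение расширенных атрибутов, чтение атрибутов и чтение данных (просмотр содержимого каталога). Запрещающие записи ACL имеют приоритет над разрешающими, поэтому каталог с kbda3.exe становится недоступным для чтения, что затрудняет его просмотр и проверку. Запуск icacls.exe с ключом /deny для каталога в %PROGRAMDATA% из cmd.exe со скрытым окном можно использовать как признак для обнаружения.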