Техническая информация
- %APPDATA%\microsoft\windows\start menu\programs\startup\<Имя файла>.vbs
- %TEMP%\payload.ps1
- %TEMP%\bsymrpao.0.cs
- %TEMP%\bsymrpao.cmdline
- %TEMP%\bsymrpao.out
- %TEMP%\cscbfb8.tmp
- %TEMP%\resbfc8.tmp
- %TEMP%\bsymrpao.dll
- %TEMP%\resbfc8.tmp
- %TEMP%\cscbfb8.tmp
- %TEMP%\bsymrpao.pdb
- %TEMP%\bsymrpao.dll
- %TEMP%\bsymrpao.cmdline
- %TEMP%\bsymrpao.0.cs
- %TEMP%\bsymrpao.out
- 'bl#####9999.duckdns.org':7777
- DNS ASK bl#####9999.duckdns.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy bypass -windowstyle hidden -file %TEMP%\payload.ps1
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -executionpolicy bypass -windowstyle hidden -file %TEMP%\payload.ps1 (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bsymrpao.cmdline" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBFC8.tmp" "%TEMP%\CSCBFB8.tmp" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bsymrpao.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBFC8.tmp" "%TEMP%\CSCBFB8.tmp"