Technical information
- <SYSTEM32>\tasks\microsoft\windows\upnpcwmipcnew\services
- <SYSTEM32>\tasks\microsoft\windows\upnpcwmiob32\services
- 'ne#.##gpuco.club':80
- http://ne#.##gpuco.club/basemsf.jpg
- http://ne#.##gpuco.club/powershell.jpg
- http://ne#.##gpuco.club/msf.jpg
- DNS ASK ne#.##gpuco.club
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1' (with a hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1' (with a hidden window)
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmipcnew\Services /tr "%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmiob32\Services /tr "<SYSTEM32>\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1