Technical information
- http://s4#.##lefactory.com/get/f/4rziogwgkvp4/18093791aa8de71c/main.zip as %localappdata%\microsoft\main.zip
- %TEMP%\rarsfx0\movee.bat
- %TEMP%\rarsfx0\securityupdate.bat
- %TEMP%\rarsfx0\securityupdate.exe
- %TEMP%\67a8.tmp\67c8.bat
- %LOCALAPPDATA%\microsoft\main.zip
- %TEMP%\_.vbs
- %TEMP%\_.vbs
- %TEMP%\67a8.tmp\67c8.bat
- %TEMP%\rarsfx0\movee.bat
- %TEMP%\rarsfx0\securityupdate.bat
- %TEMP%\rarsfx0\securityupdate.exe
- 's4#.##lefactory.com':80
- 'fi###actory.com':443
- 'microsoft.com':80
- http://s4#.##lefactory.com/get/f/4rziogwgkvp4/18093791aa8de71c/main.zip
- http://www.fi###actory.com/file/4rziogwgkvp4/?co######
- 'fi###actory.com':443
- DNS ASK s4#.##lefactory.com
- DNS ASK fi###actory.com
- DNS ASK microsoft.com
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\rarsfx0\securityupdate.exe'
- '<SYSTEM32>\cscript.exe' //nologo "%TEMP%\_.vbs"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\67A8.tmp\67C8.bat %TEMP%\RarSFX0\SecurityUpdate.exe" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\67A8.tmp\67C8.bat %TEMP%\RarSFX0\SecurityUpdate.exe"