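Техническая информация
Примечание: подзаголовки разделов в этом фрагменте не сохранились. Строки с аргументами командной строки — это, по-видимому, запускаемые процессы; далее идут пути к файлам. Пути, встречающиеся второй раз (начиная с повторного %TEMP%\KMS\KMSServer.exe), вероятно, относятся к списку удаляемых файлов, а первое их появление — к списку создаваемых; это следует сверить с исходным отчётом.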
- '%TEMP%\KMS\KMSServer.exe' LogLevel=0 Port=1688 RandomPID=1 ActivationInterval=43200 RenewalInterval=43200
- '<SYSTEM32>\findstr.exe' /i Windows
- '<SYSTEM32>\findstr.exe' /i Office
- '<SYSTEM32>\taskkill.exe' /f /IM KMSServer.exe
- '<SYSTEM32>\wbem\wmic.exe' path OfficeSoftwareProtectionService get version /format:list
- '<SYSTEM32>\wbem\wmic.exe' path SoftwareLicensingProduct where (Description like '%KMSCLIENT%') get Name /format:list
- '<SYSTEM32>\cscript.exe' //nologo "%TEMP%\2527325353ip.vbs"
- '<SYSTEM32>\wbem\wmic.exe' Path Win32_LocalTime get Year,Month,Day,Hour,Minute,Second /Format:List
- '<SYSTEM32>\findstr.exe' :1688
- '<SYSTEM32>\netstat.exe' -ano
- <Полный путь к вирусу>
- <SYSTEM32>\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof
- %TEMP%\tmp6.tmp
- <SYSTEM32>\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof
- %TEMP%\KMS.log
- <SYSTEM32>\wbem\Logs\WMIC.LOG
- %TEMP%\2527325353ip.log
- %TEMP%\2527325353ip.vbs
- %TEMP%\KMS\KMS_VL_ALL.cmd
- %TEMP%\nso3.tmp\System.dll
- %TEMP%\nso2.tmp
- %TEMP%\KMS\KMSServer.exe
- %TEMP%\tmp5.tmp
- %TEMP%\tmp4.tmp
- %TEMP%\nso3.tmp\ExecCmd.dll
- %TEMP%\KMS\KMSServer.exe
- %TEMP%\KMS\KMS_VL_ALL.cmd
- %TEMP%\nso3.tmp\System.dll
- %TEMP%\nso3.tmp\ExecCmd.dll
- %TEMP%\2527325353ip.vbs
- %TEMP%\tmp5.tmp
- %TEMP%\tmp4.tmp
- %TEMP%\2527325353ip.log
- %TEMP%\tmp6.tmp
- ClassName: '' WindowName: ''