Техническая информация
- '%WINDIR%\temp\atjxwdhcpebgzlle\uaktmq.exe' /S /UPDATE
- %WINDIR%\temp\atjxwdhcpebgzlle\uaktmq.exe
- 'te###pdate.info':80
- http://www.te###pdate.info/updates/ya/wrtzr_ytab_a_1/win/version.txt
- http://www.te###pdate.info/updates/ya/wrtzr_ytab_a_1/win/update_e.jpg
- DNS ASK te###pdate.info
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== (со скрытым окном; аргумент -EncodedCommand — это Base64 от строки в UTF-16LE «start-process -WindowStyle Hidden gpupdate.exe /force»)
- '<SYSTEM32>\gpupdate.exe' /force (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "gkyzOYosH" /SC once /ST 01:27:30 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZ...
- '%WINDIR%\syswow64\schtasks.exe' /run /I /tn "gkyzOYosH"
- '<SYSTEM32>\taskeng.exe' {FA96E45F-7E5B-40CE-B6CA-C0D645F93C59} S-1-5-21-1238866942-1249195528-555854008-1000:tihxzxtswp\user:Interactive:[1]
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- '<SYSTEM32>\gpupdate.exe' /force