Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\dlgsmisc] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\dlgsmisc] 'ImagePath' = '"%WINDIR%\SysWOW64\dlgsmisc.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc PAAjACAASQB3AGoAZQBzAG0AcgBwAGMAbgAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBKAHUAZQBvAHgAcgBvAG8AIAAjAD4AIAAkAFQAeABlAHAAcABpAGQAagBnAHMAeQBqAHgAPQAnAEcAegBp...
- %HOMEPATH%\640.exe
- %HOMEPATH%\640.exe в %WINDIR%\syswow64\dlgsmisc.exe
- '14.##0.93.230':80
- '14#.#39.158.155':80
- '46.##.183.211':8080
- http://ev###.#zurewebsites.net/wp-admin/8gbfyr9/
- http://46.##.183.211:8080/entries/
- DNS ASK ev###.#zurewebsites.net
- DNS ASK pr#####.groupemfadel.com
- '%HOMEPATH%\640.exe'
- '%WINDIR%\syswow64\dlgsmisc.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc PAAjACAASQB3AGoAZQBzAG0AcgBwAGMAbgAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBKAHUAZQBvAHgAcgBvAG8AIAAjAD4AIAAkAFQAeABlAHAAcABpAGQAagBnAHMAeQBqAHgAPQAnAEcAegBp...' (со скрытым окном)