Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\handclient] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\handclient] 'ImagePath' = '"%WINDIR%\SysWOW64\handclient.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD PAAjACAAWgBnAHcAYQB5AG4AawB5ACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAFYAbwBlAGEAcwBwAHcAdgAgACMAPgAgACQASwBhAGcAaQBpAG0AeAB4AHAAcgA9ACcATgB4AGEAegBqAHAAZA...
- %HOMEPATH%\504.exe
- %HOMEPATH%\504.exe в %WINDIR%\syswow64\handclient.exe
- http://co#####.greenvines.com.tw/wp-content/i2122/
- http://19#.#17.1.149/dma/results/ringin/merge/
- http://45.##.79.249:443/usbccid/publish/ via 45.##.79.249
- DNS ASK te##ecn.com
- DNS ASK co#####.greenvines.com.tw
- '%HOMEPATH%\504.exe'
- '%WINDIR%\syswow64\handclient.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD PAAjACAAWgBnAHcAYQB5AG4AawB5ACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAFYAbwBlAGEAcwBwAHcAdgAgACMAPgAgACQASwBhAGcAaQBpAG0AeAB4AHAAcgA9ACcATgB4AGEAegBqAHAAZA...' (со скрытым окном)