Техническая информация
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe,"%LOCALAPPDATA%\System32\RuntimeBroker.exe",'
- %LOCALAPPDATA%\system32\runtimebroker.exe
- '85.##9.33.24':1337
- 'gi##ub.com':443
- 'ra#.####ubusercontent.com':443
- '85.##9.33.24':1337
- 'gi##ub.com':443
- 'ra#.####ubusercontent.com':443
- DNS ASK gi##ub.com
- DNS ASK ra#.####ubusercontent.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==