Техническая информация
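- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Bhmohqam' = 'C:\Users\Public\Bhmohqam.url' (автозапуск: параметр в ключе Run текущего пользователя; срабатывает при входе пользователя в систему, для его создания не нужны права администратора)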
- %WINDIR%\syswow64\sndvol.exe
- C:\users\public\libraries\bhmohqam.pif
- C:\users\public\bhmohqam.url
- C:\users\public\libraries\null
- C:\users\public\libraries\easinvoker.exe
- C:\users\public\libraries\bhmohqamo.bat
- C:\users\public\libraries\netutils.dll
- C:\users\public\libraries\kdeco.bat
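- %WINDIR% \system32\easinvoker.exe (пробел после %WINDIR% — не опечатка: это отдельный каталог с пробелом на конце имени, создаваемый командами mkdir ниже; он лишь внешне совпадает с системным путём, поэтому при поиске и в правилах обнаружения путь нужно сравнивать с точностью до символа)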
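- %ALLUSERSPROFILE%\remcos\logs.dat (судя по имени каталога, вероятно, файл журнала Remcos; по одному только пути это не подтверждается)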
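- 'ws######ebwhevawe.ydns.eu':80 (здесь и далее часть символов в именах узлов заменена на # в самом источнике; для блокировки или поиска по журналам нужны полные имена из исходного отчёта)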
- 'to###do.ydns.eu':1972
- 'ge###ugin.net':80
- http://ws######ebwhevawe.ydns.eu/tygjhjhgvhbujyjhbuy/Bhmohqambcm
- http://ge###ugin.net/json.gp
- 'to###do.ydns.eu':1972
- DNS ASK ws######ebwhevawe.ydns.eu
- DNS ASK to###do.ydns.eu
- DNS ASK ge###ugin.net
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\Users\Public\Libraries\BhmohqamO.bat" "' (со скрытым окном)
- '%WINDIR%\syswow64\sndvol.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\Users\Public\Libraries\BhmohqamO.bat" "
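- '%WINDIR%\syswow64\cmd.exe' /c mkdir "\\?\%WINDIR% "
- '%WINDIR%\syswow64\cmd.exe' /c mkdir "\\?\%WINDIR% \System32" (префикс \\?\ отключает нормализацию пути, поэтому завершающий пробел в имени каталога сохраняется; такой префикс вместе с «%WINDIR% » в командной строке mkdir — удобный признак для обнаружения)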
- '%WINDIR%\syswow64\cmd.exe' /c ECHO F
- '%WINDIR%\syswow64\xcopy.exe' "easinvoker.exe" "%WINDIR% \System32\" /K /D /H /Y
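- '%WINDIR%\syswow64\xcopy.exe' "netutils.dll" "%WINDIR% \System32\" /K /D /H /Y (в поддельный каталог рядом с копией easinvoker.exe попадает netutils.dll из C:\Users\Public\Libraries — вероятно, расчёт на загрузку этой библиотеки вместо системной; стоит проверить подпись и происхождение файла)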
- '%WINDIR%\syswow64\sndvol.exe'