Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TrkWks] 'Startup' = 'ServiceMain'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TrkWks] 'DllName' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\TrkWks] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\svchost.exe' = '<SYSTEM32>\svchost.exe:*:Enabled:Thunder'
- '%WINDIR%\Temp\windows.exe'
- '<SYSTEM32>\svchost.exe' -k 278953
- '<SYSTEM32>\rundll32.exe' sw.dll,Setup
- <SYSTEM32>\fengyin.dll
- <SYSTEM32>\fengyin0.dll
- %WINDIR%\Temp\sw.dll
- %WINDIR%\Temp\windows.exe
- <SYSTEM32>\fengyin0.dll в <SYSTEM32>\fengyin2.dll
- <SYSTEM32>\fengyin.dll в <SYSTEM32>\fengyin1.dll
- 'fy####.go.3322.org':80
- 'fy###0.3322.org':8008
- 'ge####.go.8866.org':80
- fy####.go.3322.org/
- ge####.go.8866.org/
- DNS ASK fy###0.3322.org
- DNS ASK fy####.go.3322.org
- DNS ASK up####.microsoft.com
- DNS ASK ge####.go.8866.org
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'