Техническая информация
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'explorer.exe,"<SYSTEM32>\Application Services\appsvc.exe"'
- скрытых файлов
- Компонент восстановления системы (SR)
- '%TEMP%\l3.exe'
- '<SYSTEM32>\Application Services\appsvc.exe'
- '%TEMP%\l2.exe'
- '%TEMP%\UnRAR.exe' x OlKsxD2.rar -ppayload
- '%TEMP%\l1.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\unrar.bat" "
- '<SYSTEM32>\wscript.exe' "%TEMP%\boot.vbs"
- <SYSTEM32>\cmd.exe
- %TEMP%\l3.exe
- %TEMP%\l2.exe
- %APPDATA%\%USERNAME%.txt
- <SYSTEM32>\Application Services\appsvc.exe
- %TEMP%\l1.exe
- %TEMP%\unrar.bat
- %TEMP%\boot.vbs
- %TEMP%\OlKsxD2.rar
- %TEMP%\UnRAR.exe
- %TEMP%\l2.exe
- <SYSTEM32>\Application Services\appsvc.exe
- %TEMP%\l2.exe в %TEMP%\1179
- 'wp#d':80
- 'ta####ref.zapto.org':2912
- 'do####ykid.noip.me':1604
- wp#d/wpad.dat
- DNS ASK fr###eoip.net
- DNS ASK cr#####da.no-ip.info
- DNS ASK wp#d
- DNS ASK do####ykid.noip.me
- DNS ASK ta####ref.zapto.org
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'