Техническая информация (артефакты по порядку: изменения в реестре, запускаемые команды, создаваемые файлы, искомые окна)
- [<HKLM>\SYSTEM\ControlSet001\Services\r_server] 'Start' = '00000002' (значение 2 — автоматический запуск службы при старте системы)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\r_server.exe' = '<SYSTEM32>\r_server.exe:*:Enabled:RAdmin'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000' (0 — исключения брандмауэра разрешены)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000' (0 — исключения брандмауэра разрешены и для доменного профиля)
- '<SYSTEM32>\r_server.exe' /silence /install — скрытая (без диалогов) установка r_server
- '<SYSTEM32>\netsh.exe' firewall set multicastbroadcastresponse ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall set opmode ENABLE ENABLE ALL — брандмауэр остаётся включённым, но с разрешёнными исключениями во всех профилях
- '%WINDIR%\regedit.exe' /s %WINDIR%\Temp\R_Server.reg
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "<SYSTEM32>\r_server.exe" RAdmin ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall set icmpsetting ALL ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening All 4899 RAdmin ENABLE ALL — открывает входящий порт 4899 (все протоколы, все области) под именем RAdmin
- %WINDIR%\Temp\R_Server.reg
- <SYSTEM32>\r_server.exe
- <SYSTEM32>\raddrv.dll
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'AutoHotkey' WindowName: '<Полный путь к вирусу>' (окно класса AutoHotkey с заголовком — путём к файлу; по-видимому, сам образец является скомпилированным AutoHotkey-скриптом)