Technical information
- %WINDIR%\Tasks\At1.job
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\wphhppqo] 'Start' = '00000002'
- System Restore component (SR)
- <SYSTEM32>\at.exe 15:37:00 /every:Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday "<SYSTEM32>\rundll32.exe" "<SYSTEM32>\FILEDLL2.dll",DllMain -
- <SYSTEM32>\rundll32.exe "<SYSTEM32>\FILEDLL2.dll",DllMain
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\winlogon.exe
- iexplore.exe
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
- <SYSTEM32>\FILEDLL2.dll
- <SYSTEM32>\Restore\MachineGuid.txt
- DNS ASK tr####ecurity.com
- DNS ASK sa####-domain.info