Техническая информация
Для закрепления в системе (автозапуск при входе пользователя) изменяет или создаёт следующие значения реестра. В параметры Shell и Userinit, которые в норме указывают только на explorer.exe и userinit.exe, дописан вызов wscript.exe:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, wscript.exe //B "%APPDATA%\safe.vbs"'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,wscript.exe //B "%APPDATA%\safe.vbs"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'safe' = 'wscript.exe //B "%APPDATA%\safe.vbs"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'safe' = 'wscript.exe //B "%APPDATA%\safe.vbs"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'safe' = 'wscript.exe //B "%APPDATA%\safe.vbs"'
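Запускает schtasks.exe, чтобы создать задачу планировщика с именем safe.vbs, которая выполняется при входе в систему (/sc ONLOGON) с наивысшими привилегиями (/RL HIGHEST):
- '<SYSTEM32>\schtasks.exe' /create /sc ONLOGON /RL HIGHEST /tn safe.vbs /tr "%APPDATA%\safe.vbs"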
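Сетевая активность — подключения, обращение к gate.php и DNS-запрос (символы # в имени узла, по-видимому, скрывают часть домена):
- 'de####evel.hol.es':80
- 'localhost':1038
- de####evel.hol.es/level1/gate.php
- DNS ASK de####evel.hol.es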
- ClassName: 'Indicator' WindowName: '(null)'