Техническая информация (поведение образца: записи автозапуска в реестре, запускаемые команды, создаваемые и удаляемые файлы, сетевая активность, искомые окна)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] '*VaultBackup' = '"<Полный путь к вирусу>"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Vault' = '"<Полный путь к вирусу>"'
- '<SYSTEM32>\wbem\wmic.exe' shadowcopy delete
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\vssadmin.exe' Delete Shadows /All /Quiet
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s22totk4.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"
- <SYSTEM32>\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof
- %TEMP%\tmp4.tmp
- %TEMP%\tmp3.tmp
- <SYSTEM32>\wbem\Logs\WMIC.LOG
- <SYSTEM32>\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof
- %TEMP%\tmp5.tmp
- %TEMP%\s22totk4.out
- %TEMP%\s22totk4.cmdline
- %TEMP%\s22totk4.0.cs
- %TEMP%\s22totk4.dll
- %TEMP%\RES2.tmp
- %TEMP%\CSC1.tmp
- %TEMP%\tmp3.tmp
- %TEMP%\s22totk4.cmdline
- %TEMP%\tmp5.tmp
- %TEMP%\tmp4.tmp
- %TEMP%\s22totk4.out
- %TEMP%\CSC1.tmp
- %TEMP%\RES2.tmp
- %TEMP%\s22totk4.dll
- %TEMP%\s22totk4.0.cs
- 'sa####ndfussball.de':80
- 'www.cw##rs.nl':80
- 'wp#d':80
- sa####ndfussball.de/content/redirect.php?lo####
- www.cw##rs.nl/wp-admin/includes/redirect.php?lo####
- wp#d/wpad.dat
- www.cw##rs.nl/wp-admin/includes/redirect.php?lo####
- DNS ASK sa####ndfussball.de
- DNS ASK www.cw##rs.nl
- DNS ASK wp#d
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''