Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'Ink' = 'cmd /c "start "Ink" "%ProgramFiles%\inkwire\inkmon.exe"'
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 888
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Ink" /d "cmd /c """start """Ink""" """%ProgramFiles%\inkwire\inkmon.exe"""" /f"
- '%ALLUSERSPROFILE%\Application Data\buildcrfin.exe'
- '<SYSTEM32>\schtasks.exe' /create /tn "Ink" /tr "'%ProgramFiles%\inkwire\inkmon.exe' /startup" /sc MINUTE /f /rl highest
- <SYSTEM32>\schtasks.exe
- %TEMP%\dw.log
- %TEMP%\296E7.dmp
- %APPDATA%\Monitor\Screenshots\03-18-2017\12.14 PM
- %ALLUSERSPROFILE%\Application Data\buildcrfin.exe
- %ProgramFiles%\inkwire\inkmon.exe
- 'cd#.#edsec.co':80
- 'aw#.moe':443
- 'bi####nrevolve.tk':7777
- 'wp#d':80
- http://cd#.#edsec.co/cryptonight/stop.txt
- http://11#.#11.111.2/wpad.dat via wp#d
- DNS ASK www.bi####nrevolve.tk
- DNS ASK aw#.moe
- DNS ASK cd#.#edsec.co
- DNS ASK bi####nrevolve.tk
- DNS ASK wp#d
- ClassName: 'Shell_TrayWnd' WindowName: ''