Техническая информация (technical information: behavioral indicators — autorun entry, processes, dropped/removed files, network activity and executed commands; section headings are not present in this extract, and the same path appears several times, presumably once per activity type such as created, attribute changed and deleted)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '%APPDATA%\vdmcpo\WsWnNI.vbs' — persistence through the machine-wide Run key: the value name 'Microsoft' masquerades as a legitimate entry, and the launcher is a VBS script under the user profile rather than a signed binary. Writing to HKLM\...\Run requires administrative rights, which is worth noting when assessing the privilege level the sample obtained.
- svchost.exe
- %APPDATA%\vdmcpo\hvtwEr.exe
- %TEMP%\Svchost.exe — a file named Svchost.exe outside <SYSTEM32> is masquerading as the Windows service host; any svchost.exe image loaded from %TEMP% or %APPDATA% is a high-confidence detection and should not be confused with the legitimate svchost.exe process listed above.
- %APPDATA%\vdmcpo\iLEIbL.txt
- %APPDATA%\vdmcpo\VdMcpo
- %APPDATA%\vdmcpo\WsWnNI.vbs
- %TEMP%\VdMcpo
- %TEMP%\hvtwEr.exe
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- %TEMP%\aut3.tmp (temporary files following the aut#.tmp pattern are characteristic of AutoIt-compiled executables unpacking at run time — confirm by checking hvtwEr.exe / Svchost.exe for an AutoIt stub before relying on that attribution)
- %TEMP%\iLEIbL.txt
- %TEMP%\VdMcpo
- %TEMP%\iLEIbL.txt
- %TEMP%\Svchost.exe
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- %TEMP%\aut3.tmp
- %TEMP%\hvtwEr.exe в %TEMP%\hvtwEr.exe
- %TEMP%\Svchost.exe
- %TEMP%\iLEIbL.txt
- %TEMP%\VdMcpo
- 'an####.dyndns.org':30302 — outbound connection to a dynamic-DNS host on non-standard port 30302. The hostname is partially masked in this record, so blocking must use the full name from the original report; detection can additionally alert on DNS resolution of dyndns.org subdomains and on egress to port 30302 from user-writable paths.
- DNS ASK an####.dyndns.org
- '%TEMP%\hvtwEr.exe' VdMcpo
- '<SYSTEM32>\cmd.exe' /c icacls "\vdmcpo" /deny %username%:F — denies the current user Full control on the directory (presumably the vdmcpo drop directory listed above; the path is recorded here as root-relative), an ACL-based self-protection step that blocks the user from listing or deleting the files. For remediation, remove the deny ACE from an elevated prompt (icacls <dir> /remove:d <user>) or take ownership before attempting deletion.
- '<SYSTEM32>\cmd.exe' /c %TEMP%\hvtwEr.exe VdMcpo — the same launch of the dropped executable with argument VdMcpo as listed above, here spawned via cmd.exe; a cmd.exe → %TEMP% executable process chain is a useful hunting pivot for this sample.