Technical information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '949742095' = '<LS_APPDATA>\gwu.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- System updates (Windows Update)
- Security Center
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\Sota\FFFTP]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKLM>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\Software\FTPClient\Sites]
- [<HKLM>\Software\FTPClient\Sites]
- [<HKCU>\Software\SoftX.org\FTPClient\Sites]
- [<HKLM>\Software\SoftX.org\FTPClient\Sites]
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Martin Prikryl]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP\3]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\FileZilla Client]
- [<HKLM>\Software\FileZilla]
- [<HKLM>\Software\FileZilla Client]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- %TEMP%\iil1.tmp
- %TEMP%\djyy.exe
- %TEMP%\iilA.tmp
- %HOMEPATH%\Templates\qdiu.exe
- <LS_APPDATA>\cpwv.exe
- %TEMP%\iilB.tmp
- %ALLUSERSPROFILE%\Application Data\nxcr.exe
- %TEMP%\iilC.tmp
- %TEMP%\vwgh.exe
- %TEMP%\iilD.tmp
- %HOMEPATH%\Templates\xvhr.exe
- %TEMP%\iilE.tmp
- %TEMP%\iilF.tmp
- %TEMP%\iil10.tmp
- <LS_APPDATA>\n88kou6fl7n8y
- %ALLUSERSPROFILE%\Application Data\n88kou6fl7n8y
- %ALLUSERSPROFILE%\Application Data\igne.exe
- %TEMP%\n88kou6fl7n8y
- %TEMP%\iil9.tmp
- %HOMEPATH%\Templates\ggvg.exe
- %TEMP%\iil2.tmp
- %TEMP%\iil3.tmp
- %TEMP%\iil4.tmp
- %TEMP%\iil5.tmp
- %TEMP%\iil6.tmp
- %TEMP%\iil7.tmp
- %TEMP%\iil8.tmp
- <LS_APPDATA>\gwu.exe
- <LS_APPDATA>\dxdm.exe
- %ALLUSERSPROFILE%\Application Data\xoud.exe
- %TEMP%\pkgy.exe
- %HOMEPATH%\Templates\gajd.exe
- <LS_APPDATA>\rdhi.exe
- %ALLUSERSPROFILE%\Application Data\bnbu.exe
- %TEMP%\iwtc.exe
- <LS_APPDATA>\lxcb.exe
- %HOMEPATH%\Templates\n88kou6fl7n8y
- %TEMP%\iil1.tmp
- %TEMP%\iilF.tmp
- %TEMP%\iilE.tmp
- %TEMP%\iilD.tmp
- %TEMP%\iilC.tmp
- %TEMP%\iilB.tmp
- %TEMP%\iilA.tmp
- %TEMP%\iil10.tmp
- %TEMP%\iil9.tmp
- %TEMP%\iil7.tmp
- %TEMP%\iil6.tmp
- %TEMP%\iil5.tmp
- %TEMP%\iil4.tmp
- %TEMP%\iil3.tmp
- %TEMP%\iil2.tmp
- %TEMP%\iil8.tmp
- <Full path to file>
- ClassName: 'g' WindowName: 'mo'
- '<LS_APPDATA>\gwu.exe' -gav <Full path to file>