Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'VolID' = 'true'
- <SYSTEM32>\ntvdm.exe
- %TEMP%\0541312479.exe
- %WINDIR%\temp\scs1.tmp
- %WINDIR%\temp\scs2.tmp
- %TEMP%\1023276251.exe
- %WINDIR%\temp\scs3.tmp
- %WINDIR%\temp\scs4.tmp
- %WINDIR%\temp\scs1.tmp
- %WINDIR%\temp\scs2.tmp
- %WINDIR%\temp\scs3.tmp
- %WINDIR%\temp\scs4.tmp
- http://3p####adkaeu.com/cgi-sys/suspendedpage.cgi
- http://ma##r.info/XGu48
- DNS ASK 3p####adkaeu.com
- DNS ASK ma##r.info
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-f28.f2c.370002'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-f50.f54.390003'
- '<SYSTEM32>\cmd.exe' /c start /I "" "%TEMP%\0541312479.exe" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c start /I "" "%TEMP%\1023276251.exe" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c start /I "" "%TEMP%\0541312479.exe"
- '<SYSTEM32>\ntvdm.exe' -f -i1
- '<SYSTEM32>\cmd.exe' /c start /I "" "%TEMP%\1023276251.exe"
- '<SYSTEM32>\ntvdm.exe' -f -i2