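Техническая информация
Ниже перечислены наблюдавшиеся индикаторы: записи реестра службы abc2.0, пути к файлам во временных каталогах, DNS-запросы, имя окна и запущенные процессы. Имена файлов вида ~abc*.sys различаются только суффиксом, поэтому при поиске следов надёжнее опираться на имя службы и на шаблон пути (ImagePath драйвера указывает в %TEMP%), чем на точные имена файлов. Пути Windows нечувствительны к регистру, так что jj8knpm9f5.exe и jj8knPm9F5.exe — один и тот же файл; символы ### в доменных именах, по-видимому, являются маской, скрывающей часть имени.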
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcZQ9o5.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcRyVCK.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcIVz1b.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcWFNMx.sys'
- %TEMP%\~abcZQ9o5.sys
- %WINDIR%\temp\uddef77.tmp
- %TEMP%\~abcRyVCK.sys
- %TEMP%\jj8knpm9f5.exe
- %TEMP%\~abcIVz1b.sys
- %TEMP%\~abcWFNMx.sys
- %TEMP%\~abcZQ9o5.sys
- %TEMP%\~abcRyVCK.sys
- %TEMP%\~abcIVz1b.sys
- %TEMP%\~abcWFNMx.sys
- %WINDIR%\temp\uddef77.tmp
- %TEMP%\~abcZQ9o5.sys
- %TEMP%\~abcRyVCK.sys
- %TEMP%\~abcIVz1b.sys
- %TEMP%\~abcWFNMx.sys
- %TEMP%\jj8knpm9f5.exe
- DNS ASK sp.###ove123.com
- DNS ASK cs.###ove123.com
- ClassName: '' WindowName: 'TPHelper.exe'
- '%TEMP%\jj8knpm9f5.exe'
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\jj8knPm9F5.exe (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\jj8knPm9F5.exe