Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'frm_Kaisers5' = 'wscript "%HOMEPATH%\frm_ARBEJDSORGANISERINGENS\frm_Succinylcholine8.vbs"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'Image' = '%PROGRAMDATA%\WinLogs.exe'
- %WINDIR%\win.ini
- frm_succinylcholine8.exe
- winlogs.exe
- %HOMEPATH%\frm_arbejdsorganiseringens\frm_succinylcholine8.exe
- %HOMEPATH%\frm_arbejdsorganiseringens\frm_succinylcholine8.vbs
- %PROGRAMDATA%\winlogs.exe
- '%HOMEPATH%\frm_arbejdsorganiseringens\frm_succinylcholine8.exe'
- '%PROGRAMDATA%\winlogs.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\' (со скрытым окном)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\