Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcCYiZk.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcm0zjM.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abchv54n.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcQx0mW.sys'
- %TEMP%\~abcCYiZk.sys
- %WINDIR%\temp\udd25ca.tmp
- %TEMP%\~abcm0zjM.sys
- %TEMP%\7b3ifh3yu1.exe
- %TEMP%\~abchv54n.sys
- %TEMP%\~abcQx0mW.sys
- %TEMP%\~abcCYiZk.sys
- %TEMP%\~abcm0zjM.sys
- %TEMP%\~abchv54n.sys
- %TEMP%\~abcQx0mW.sys
- %WINDIR%\temp\udd25ca.tmp
- %TEMP%\~abcCYiZk.sys
- %TEMP%\~abcm0zjM.sys
- %TEMP%\~abchv54n.sys
- %TEMP%\~abcQx0mW.sys
- %TEMP%\7b3ifh3yu1.exe
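- DNS ASK sp.###ove123.com (символы «###», по-видимому, скрывают часть имени домена в исходном отчёте и не являются частью самого имени)
- DNS ASK cs.###ove123.com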
- ClassName: '' WindowName: 'TPHelper.exe'
- '%TEMP%\7b3ifh3yu1.exe'
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\7b3IFh3yu1.exe (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\7b3IFh3yu1.exe