Техническая информация
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = '%TEMP%\lcwscvqkzpunedsuqf.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'vkcwevogthkbqnaa.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'lcwscvqkzpunedsuqf.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = 'cslgphbuixbtjhvwr.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'qevovldugtvlzvh' = 'yspobxvskdlhbdvazrlih.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'qevovldugtvlzvh' = 'jcywidawnfmhabswulea.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'vkcwevogthkbqnaa' = 'wojgrlhcsjpjbbrurhz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'wojgrlhcsjpjbbrurhz.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'jcywidawnfmhabswulea.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'lcwscvqkzpunedsuqf' = '%TEMP%\lcwscvqkzpunedsuqf.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\yspobxvskdlhbdvazrlih.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\cslgphbuixbtjhvwr.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = '%TEMP%\wojgrlhcsjpjbbrurhz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = '%TEMP%\vkcwevogthkbqnaa.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = '%TEMP%\cslgphbuixbtjhvwr.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'jcywidawnfmhabswulea.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'vkcwevogthkbqnaa' = 'lcwscvqkzpunedsuqf.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'yspobxvskdlhbdvazrlih.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wojgrlhcsjpjbbrurhz' = '%TEMP%\vkcwevogthkbqnaa.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wojgrlhcsjpjbbrurhz' = '%TEMP%\cslgphbuixbtjhvwr.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'lcwscvqkzpunedsuqf' = '%TEMP%\vkcwevogthkbqnaa.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = 'jcywidawnfmhabswulea.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = '%TEMP%\vkcwevogthkbqnaa.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\vkcwevogthkbqnaa.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = '%TEMP%\cslgphbuixbtjhvwr.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'wojgrlhcsjpjbbrurhz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'yspobxvskdlhbdvazrlih.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = 'vkcwevogthkbqnaa.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'qevovldugtvlzvh' = 'lcwscvqkzpunedsuqf.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'vkcwevogthkbqnaa' = 'yspobxvskdlhbdvazrlih.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'vkcwevogthkbqnaa.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wojgrlhcsjpjbbrurhz' = '%TEMP%\lcwscvqkzpunedsuqf.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'lcwscvqkzpunedsuqf' = '%TEMP%\cslgphbuixbtjhvwr.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\jcywidawnfmhabswulea.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = '%TEMP%\jcywidawnfmhabswulea.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = '%TEMP%\wojgrlhcsjpjbbrurhz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'mynejxncmxxlx' = 'cslgphbuixbtjhvwr.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\lcwscvqkzpunedsuqf.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = 'wojgrlhcsjpjbbrurhz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = 'lcwscvqkzpunedsuqf.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'qevovldugtvlzvh' = 'vkcwevogthkbqnaa.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'vkcwevogthkbqnaa' = 'vkcwevogthkbqnaa.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'lcwscvqkzpunedsuqf.exe .'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'cslgphbuixbtjhvwr' = 'cslgphbuixbtjhvwr.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wojgrlhcsjpjbbrurhz' = '%TEMP%\wojgrlhcsjpjbbrurhz.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wojgrlhcsjpjbbrurhz' = '%TEMP%\yspobxvskdlhbdvazrlih.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'lcwscvqkzpunedsuqf' = '%TEMP%\wojgrlhcsjpjbbrurhz.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'lcwscvqkzpunedsuqf' = '%TEMP%\yspobxvskdlhbdvazrlih.exe .'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'nymcgtiwfpob' = '%TEMP%\wojgrlhcsjpjbbrurhz.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'naqiodukvhixkf' = '%TEMP%\yspobxvskdlhbdvazrlih.exe .'
- скрытых файлов
- Редактора реестра (RegEdit)
- Средство контроля пользовательских учетных записей (UAC)
- %TEMP%\bnxpxshamwo.exe
- <LS_APPDATA>\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %ProgramFiles(x86)%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %WINDIR%\syswow64\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %TEMP%\psygchouvxotwhiwefiowsxekl.ejm
- %WINDIR%\psygchouvxotwhiwefiowsxekl.ejm
- <LS_APPDATA>\psygchouvxotwhiwefiowsxekl.ejm
- %ProgramFiles(x86)%\psygchouvxotwhiwefiowsxekl.ejm
- %WINDIR%\syswow64\psygchouvxotwhiwefiowsxekl.ejm
- %TEMP%\ycjsp.exe
- %TEMP%\pkiiwtsqjdmjehaggzussg.exe
- %TEMP%\yspobxvskdlhbdvazrlih.exe
- %TEMP%\jcywidawnfmhabswulea.exe
- %TEMP%\wojgrlhcsjpjbbrurhz.exe
- %TEMP%\lcwscvqkzpunedsuqf.exe
- %WINDIR%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %TEMP%\cslgphbuixbtjhvwr.exe
- %WINDIR%\pkiiwtsqjdmjehaggzussg.exe
- %WINDIR%\yspobxvskdlhbdvazrlih.exe
- %WINDIR%\jcywidawnfmhabswulea.exe
- %WINDIR%\wojgrlhcsjpjbbrurhz.exe
- %WINDIR%\lcwscvqkzpunedsuqf.exe
- %WINDIR%\cslgphbuixbtjhvwr.exe
- %WINDIR%\vkcwevogthkbqnaa.exe
- %WINDIR%\syswow64\pkiiwtsqjdmjehaggzussg.exe
- %WINDIR%\syswow64\yspobxvskdlhbdvazrlih.exe
- %WINDIR%\syswow64\jcywidawnfmhabswulea.exe
- %WINDIR%\syswow64\wojgrlhcsjpjbbrurhz.exe
- %WINDIR%\syswow64\lcwscvqkzpunedsuqf.exe
- %WINDIR%\syswow64\cslgphbuixbtjhvwr.exe
- %WINDIR%\syswow64\vkcwevogthkbqnaa.exe
- %TEMP%\vkcwevogthkbqnaa.exe
- %TEMP%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %WINDIR%\syswow64\vkcwevogthkbqnaa.exe
- <LS_APPDATA>\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %ProgramFiles(x86)%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %WINDIR%\syswow64\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %TEMP%\psygchouvxotwhiwefiowsxekl.ejm
- %WINDIR%\psygchouvxotwhiwefiowsxekl.ejm
- <LS_APPDATA>\psygchouvxotwhiwefiowsxekl.ejm
- %ProgramFiles(x86)%\psygchouvxotwhiwefiowsxekl.ejm
- %WINDIR%\syswow64\psygchouvxotwhiwefiowsxekl.ejm
- %TEMP%\pkiiwtsqjdmjehaggzussg.exe
- %TEMP%\yspobxvskdlhbdvazrlih.exe
- %TEMP%\jcywidawnfmhabswulea.exe
- %TEMP%\wojgrlhcsjpjbbrurhz.exe
- %TEMP%\lcwscvqkzpunedsuqf.exe
- %WINDIR%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- %TEMP%\cslgphbuixbtjhvwr.exe
- %WINDIR%\pkiiwtsqjdmjehaggzussg.exe
- %WINDIR%\yspobxvskdlhbdvazrlih.exe
- %WINDIR%\jcywidawnfmhabswulea.exe
- %WINDIR%\wojgrlhcsjpjbbrurhz.exe
- %WINDIR%\lcwscvqkzpunedsuqf.exe
- %WINDIR%\cslgphbuixbtjhvwr.exe
- %WINDIR%\vkcwevogthkbqnaa.exe
- %WINDIR%\syswow64\pkiiwtsqjdmjehaggzussg.exe
- %WINDIR%\syswow64\yspobxvskdlhbdvazrlih.exe
- %WINDIR%\syswow64\jcywidawnfmhabswulea.exe
- %WINDIR%\syswow64\wojgrlhcsjpjbbrurhz.exe
- %WINDIR%\syswow64\lcwscvqkzpunedsuqf.exe
- %WINDIR%\syswow64\cslgphbuixbtjhvwr.exe
- %TEMP%\vkcwevogthkbqnaa.exe
- %TEMP%\qevovldugtvlzvhgzlzqjqgypboqguqcbugul.lbt
- DNS ASK wh#####yipaddress.com
- DNS ASK wh###smyip.com
- DNS ASK wh#####yip.everdot.org
- '%TEMP%\bnxpxshamwo.exe' "<Полный путь к файлу>*"
- '%TEMP%\ycjsp.exe' "-%TEMP%\vkcwevogthkbqnaa.exe"