Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'c7d420f6966639937d32bd8e416d0cfe' = '"%PROGRAMDATA%\windows defender.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'c7d420f6966639937d32bd8e416d0cfe' = '"%PROGRAMDATA%\windows defender.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\c7d420f6966639937d32bd8e416d0cfe.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%PROGRAMDATA%\windows defender.exe" "windows defender.exe" ENABLE
- %TEMP%\1a61.tmp\crypted.vbs
- %PROGRAMDATA%\windows.exe
- %PROGRAMDATA%\windows defender.exe
- %TEMP%\1a61.tmp\crypted.vbs
- 'kh#####gc.ddnsking.com':8989
- DNS ASK kh#####gc.ddnsking.com
- '<SYSTEM32>\wscript.exe' %TEMP%\1A61.tmp\Crypted.vbs
- '%PROGRAMDATA%\windows.exe'
- '%PROGRAMDATA%\windows defender.exe'
- '<SYSTEM32>\wscript.exe' %TEMP%\1A61.tmp\Crypted.vbs (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%PROGRAMDATA%\windows defender.exe" "windows defender.exe" ENABLE (со скрытым окном)