Техническая информация
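- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\win_sp.exe' (запись автозапуска: файл стартует при входе пользователя в систему; имя параметра 'winlogon' совпадает с именем системного процесса Windows, хотя указывает на '%WINDIR%\win_sp.exe')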
- %TEMP%\FileTmp.exe
- %TEMP%\CD.exe
- %TEMP%\CD.exe (загружен из сети Интернет)
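- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\699c4b9cdebca7aaea5193cae8a50098_23ef5514-3059-436f-a4a7-4cefaab20eb1 (пользовательское хранилище ключей CryptoAPI; SID и имя файла привязаны к конкретной системе и учётной записи, поэтому на других машинах путь будет иным)
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred (каталог мастер-ключей DPAPI; SID в пути также зависит от учётной записи)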
- %WINDIR%\win_sp.exe
- %TEMP%\FileTmp.exe
- %TEMP%\CD.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\CD[1].exe
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\70d5638f-31af-4df4-9c60-64e90bbd8580
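- 'es####u.no-ip.org':5001 (здесь и далее символы '#' в именах доменов, по-видимому, скрывают часть имени в исходном отчёте; полное имя на странице не приведено)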
- 'es####u.no-ip.org':8080
- 'localhost':1036
- 'li#####aellector.com':80
- li#####aellector.com/CD.exe
- DNS ASK es####u.no-ip.org
- DNS ASK li#####aellector.com