Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'gqdbs8q' = 'c:\users\public\netstates.exe'
Изменения в файловой системе
Создает следующие файлы
- C:\users\public\netstates.exe
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012020020320200204\index.dat
Сетевая активность
TCP
Запросы HTTP GET
- http://ma####.bootstrapcdn.com/font-awesome/4.1.0/css/font-awesome.min.css
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144221_gecbeubz.jpg
- http://www.al###egate.com/hyosung/download/images/image_escrow.gif
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/scroll.css?t=############
- http://www.hc###sic.com/design/mariehan/images/banner_arrow_up.gif
- http://www.hc###sic.com/design/mariehan/images/_public/sk_bg_btm.gif
- http://www.hc###sic.com/shopimages/mariehan/0050010000103.jpg?15########
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/shopdetail.js?t=############
- http://www.hc###sic.com/design/mariehan/images/banner_arrow_down.gif
- http://www.hc###sic.com/design/mariehan/images/icon_banner_arrow.gif
- http://www.hc###sic.com/design/mariehan/images/codi_arrow_next.png
- http://www.hc###sic.com/css/shopdetail.css
- http://www.hc###sic.com/board/images/btn_ok.gif
- http://www.hc###sic.com/board/images/btn_close.gif
- http://www.hc###sic.com/js/jquery.language.js
- http://www.hc###sic.com/design/mariehan/images/codi_arrow_prev.png
- http://www.hc###sic.com/js/jquery.multi_option.js
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144250_kksnxwkp.jpg
- http://www.hc###sic.com/js/lib.js
- http://www.hc###sic.com/shop/shopdetail.html?br#######################################################################################
- http://www.hc###sic.com/js/cookie.js
- http://lo###.#akeshop.co.kr/js/mslog.js?r=###################
- http://www.hc###sic.com/template_common/shop/basic_simple/common.js?r=##########
- http://www.hc###sic.com/images/common/basket_up.gif
- http://lo###.#akeshop.co.kr/ms.log?do############################################################################################################################################################...
- http://www.hc###sic.com/images/common/basket_down.gif
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144335_srkaludl.jpg
- http://www.hc###sic.com/favicon.ico
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144157_eozkrziy.jpg
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144134_yivfheec.jpg
- http://fo###.#oogleapis.com/earlyaccess/nanumgothic.css
- http://fo###.#oogleapis.com/earlyaccess/nanummyeongjo.css
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/common.css?r=##########
- http://www.hc###sic.com/js/jquery-1.7.2.min.js
- http://ma####.bootstrapcdn.com/font-awesome/4.1.0/fonts/fontawesome-webfont.eot?
- http://fo###.gstatic.com/s/nanumgothic/v17/PN_3Rfi-oW3hYwmKDpxS7F_D-dja.eot
- http://fo###.gstatic.com/s/nanummyeongjo/v15/9Btx3DZF0dXLMZlywRbVRNhxy2LscnE.eot
- http://www.hc###sic.com/js/lazyload.min.js
- http://www.hc###sic.com/js/flash.js
- http://www.hc###sic.com/js/neodesign/rightbanner.js
- http://www.hc###sic.com/js/bookmark.js
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/shopdetail.css?t=############
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/header.1.css?t=############
- http://www.hc###sic.com/design/mariehan/images/icon_blog.png
- http://www.hc###sic.com/design/mariehan/images/icon_insta.png
- http://www.hc###sic.com/design/mariehan/images/logo.png
- http://www.hc###sic.com/design/mariehan/images/box_arrow.gif
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/header.1.js?t=############
- http://www.hc###sic.com/design/mariehan/images/_public/menu_navi.png
- http://www.hc###sic.com/design/mariehan/images/icon_search.png
- http://www.hc###sic.com/shopimages/mariehan/0050010000102.jpg?15########
- http://www.hc###sic.com/shopimages/mariehan/0020010000122.jpg?15########
- http://www.hc###sic.com/shopimages/mariehan/template/work/32889/footer.1.css?t=############
- http://www.hc###sic.com/html/shopRbanner.html?pa######
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144107_pdxnwsjo.jpg
- http://ma######.img47.makeshop.co.kr/_public/uploadFiles/editor/1701/20170119144313_acsrdpnf.jpg
- http://im###.#akeshop.co.kr/makeshop/d3/basic_simple/common/sp_qty.gif
Запросы HTTP POST
- http://www.as####er.co.kr:80/skin15/css/fire.php via as###ter.co.kr
UDP
- DNS ASK as###ter.co.kr
- DNS ASK hc###sic.com
- DNS ASK ma####.bootstrapcdn.com
- DNS ASK cd#.##delivr.net
- DNS ASK fo###.#oogleapis.com
- DNS ASK fo###.gstatic.com
- DNS ASK ma######.img47.makeshop.co.kr
- DNS ASK al###egate.com
- DNS ASK lo###.#akeshop.co.kr
- DNS ASK im###.#akeshop.co.kr
Другое
Ищет следующие окна
- ClassName: 'DDEMLMom' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Создает и запускает на исполнение
- 'C:\users\public\netstates.exe'
- '%WINDIR%\syswow64\cmd.exe' /c copy>"c:\users\public\netstates.exe"' (со скрытым окном)
- 'C:\users\public\netstates.exe' ' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c copy>"c:\users\public\netstates.exe"
