Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\Services\ZcsServices] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\ZcsKernelService] 'Start' = '00000002'
  (значение Start = 2 соответствует SERVICE_AUTO_START: обе службы — пользовательская ZcsServices и драйверная ZcsKernelService (см. файл <DRIVERS>\zcsKernelService.sys ниже) — настроены на автоматический запуск при загрузке системы, т.е. служат для закрепления в системе)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\4yt4\certsrv.exe' = '%TEMP%\4yt4\certsrv.exe:*:Enabled:10002'
  (запись формата «путь:область:состояние:имя» в списке разрешённых приложений брандмауэра Windows XP/2003: исполняемый файл из %TEMP% получает право принимать входящие соединения с любых адресов («*»); имя правила «10002» совпадает с параметром -p2 из командной строки ниже)
- %TEMP%\4yt4\certsrv.exe
- %TEMP%\4yt4\certsrv.exe -install -hide -run -name "Diangostic Seruer Host" -title "Diangostic Seruer Host" -desc "Хп¶ПІЯВФ·юОсУГАґіРФШРиТЄФЪ±ѕµШ·юОсЙППВОДЦРФЛРРµДХп¶ПЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтТААµУЪёГ·юОсµДИОєОХп¶ПЅ«І»ФЩФЛРРЎЈ" -p1 "1007" -p2 "10002" -p3 "120502" -p4 "4yt4" -p5 "432" -p6 "12" -MD5 "39644df65a9a730a3121fe18aca28f44"
  (примечание: имя «Diangostic Seruer Host» с намеренными опечатками имитирует штатную службу Windows «Diagnostic Service Host»; строка -desc — это текст в кодировке GBK, отображённый как CP1251, после перекодировки: «诊断策略服务用来承载需要在本地服务上下文中运行的诊断。如果停止该服务，则依赖于该服务的任何诊断将不再运行。» — китайское описание той же штатной службы, то есть служба маскируется под системную. Имя файла certsrv.exe также совпадает с именем легитимного компонента служб сертификации Windows, но запуск из %TEMP% для него нехарактерен. Параметры -p2 и -p3 используются далее как имена правил брандмауэра и каталога второго компонента; назначение -MD5 из отчёта не следует)
- <SYSTEM32>\ipconfig.exe /all
  (сбор сведений о сетевой конфигурации заражённой машины)
- <SYSTEM32>\net1.exe start ZcsServices
  (немедленный запуск только что зарегистрированной службы без перезагрузки)
- <SYSTEM32>\netsh.exe firewall set allowedprogram "%TEMP%\4yt4\certsrv.exe" 10002 enable
  (устаревший контекст «netsh firewall» брандмауэра Windows XP; дублирует запись в реестре выше)
- <SYSTEM32>\netsh.exe firewall set allowedprogram "%PROGRAM_FILES%\120502\log.exe" 120502 enable
  (исключение брандмауэра для второго компонента; каталог «120502» совпадает с параметром -p3, при этом сам файл log.exe в списке файлов ниже не упоминается — стоит проверить его наличие и происхождение при разборе инцидента)
- %TEMP%\nsw2.tmp\GetVersion.dll
- <DRIVERS>\zcsKernelService.sys
  (драйвер режима ядра, соответствующий службе ZcsKernelService из раздела реестра выше)
- %TEMP%\nsw2.tmp\System.dll
- %TEMP%\4yt4\certsrv.exe
- %TEMP%\nsw2.tmp\System.dll
- %TEMP%\nsw2.tmp\GetVersion.dll
  (примечание: каталог вида ns??.tmp с библиотеками System.dll и GetVersion.dll характерен для плагинов инсталляторов NSIS — по-видимому, дроппер собран с помощью NSIS; повторяющиеся пути, вероятно, относятся к разным подразделам отчёта (создание/удаление файлов), заголовки которых в данном фрагменте отсутствуют)
- 'p.###yx8.com':8783
  (TCP-соединение на нестандартный порт 8783 — предположительно с управляющим сервером; часть доменного имени скрыта в отчёте символами «###»)
- DNS ASK p.###yx8.com
  (DNS-запрос имени того же сервера)