Техническая информация
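- [<HKLM>\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\Winlogon] 'Userinit' = '\WINDOWS\system32\userinit.exe,\WINDOWS\system32\Restore\svchost.exe' — в значение Userinit, помимо штатного userinit.exe, дописан второй исполняемый файл; программы из этого значения запускаются при входе пользователя в систему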
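- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000' — нулевое значение EnableFirewall отключает брандмауэр Windows для стандартного профиля (изменение внесено в оба набора параметров)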
- %WINDIR%\syswow64\msinet.ocx
- %WINDIR%\syswow64\restore\svchost.exe
- %WINDIR%\syswow64\sys.html
- %WINDIR%\syswow64\restore\svchost.exe
- %WINDIR%\syswow64\sys.html
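- 'ft#.##ethost13.com':21 — порт 21 (стандартный порт FTP); символы «#» в имени узла, по-видимому, скрывают часть имени, поэтому строка не подходит для точного сопоставления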
- DNS ASK ft#.##ethost13.com
- '%WINDIR%\syswow64\regsvr32.exe' /s msinet.ocx (со скрытым окном)
- '%WINDIR%\syswow64\regsvr32.exe' /s msinet.ocx