Техническая информация
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Cleaning' = '%APPDATA%\Windows.bat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsNT' = '%WINDIR%\sevenupd.exe'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UserInit' = '<SYSTEM32>\userinit.exe,%WINDIR%\sevenupd.exe'
- sevenupd.exe
- %TEMP%\$inst\2.tmp
- %TEMP%\$inst\temp_0.tmp
- %APPDATA%\microsoft\windows\license\a.exe
- %APPDATA%\microsoft\windows\license\starter.cmd
- %APPDATA%\microsoft\windows\license\clear.exe
- %APPDATA%\microsoft\windows\license\img.exe
- %APPDATA%\windows.bat
- %APPDATA%\microsoft\windows\license\imageviewer.exe
- %APPDATA%\microsoft\windows\license\1.jpg
- %WINDIR%\sevenupd.exe
- %WINDIR%\sevenupd.exe
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\$inst\2.tmp
- 'sn#####stries.myftp.org':2866
- DNS ASK sn#####stries.myftp.org
- ClassName: 'EDIT' WindowName: ''
- '%APPDATA%\microsoft\windows\license\a.exe'
- '%APPDATA%\microsoft\windows\license\clear.exe'
- '%APPDATA%\microsoft\windows\license\img.exe' -pSmallExperimentEUREKA
- '%APPDATA%\microsoft\windows\license\imageviewer.exe'
- '%WINDIR%\sevenupd.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\Microsoft\Windows\License\starter.cmd" "
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Cleaning /t REG_SZ /d %APPDATA%\Windows.bat /f