Техническая информация
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,D:\Downloadss\iep1orer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,D:\Downloadss\iep1orer.exe'
- D:\downloadss\iep1orer.exe
- %TEMP%\fcab9.tmp
- %TEMP%\fcab9.tmp
- '18#.#50.0.31':45521
- http://11#.###.141.194:8080/docs/funcspecs/client.jpg via 11#.#42.141.194
- http://pv.#ohu.com/cityjson?ie#######
- http://11#.###.141.194:8080/docs/funcspecs/down.txt via 11#.#42.141.194
- DNS ASK pv.#ohu.com
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d <SYSTEM32>\userinit.exe,D:\Downloadss\iep1orer.exe /f' (со скрытым окном)
- '%WINDIR%\regedit.exe' /s %TEMP%\fcab9.tmp' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d <SYSTEM32>\userinit.exe,D:\Downloadss\iep1orer.exe /f
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d <SYSTEM32>\userinit.exe,D:\Downloadss\iep1orer.exe /f
- '%WINDIR%\regedit.exe' /s %TEMP%\fcab9.tmp