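Техническая информация
Ниже перечислены индикаторы: запись автозапуска в ключе реестра Run, пути к файлам в %TEMP% и %ProgramFiles%, сетевой адрес с портом и командные строки запускаемых процессов; заголовки подразделов в этом фрагменте не сохранились, поэтому по повторяющимся путям нельзя однозначно определить, какие файлы создаются, а какие удаляются.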
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Orcus' = '"%ProgramFiles%\Orcus\Orcus.exe"'
- %TEMP%\vjwzoxpbgzalc.exe
- %TEMP%\rstsvyez.0.cs
- %TEMP%\rstsvyez.cmdline
- %TEMP%\rstsvyez.out
- %TEMP%\csca0bb.tmp
- %TEMP%\resa0bc.tmp
- %TEMP%\rstsvyez.dll
- %ProgramFiles%\orcus\orcus.exe
- %ProgramFiles%\orcus\orcus.exe.config
- %ProgramFiles%\orcus\orcus.exe
- %TEMP%\resa0bc.tmp
- %TEMP%\csca0bb.tmp
- %TEMP%\rstsvyez.cmdline
- %TEMP%\rstsvyez.0.cs
- %TEMP%\rstsvyez.dll
- %TEMP%\rstsvyez.out
- '26.##.71.137':5601
- '%TEMP%\vjwzoxpbgzalc.exe'
- '%ProgramFiles%\orcus\orcus.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rstsvyez.cmdline" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA0BC.tmp" "%TEMP%\CSCA0BB.tmp" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rstsvyez.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA0BC.tmp" "%TEMP%\CSCA0BB.tmp"