Technical information
- [<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN] 'overdrive' = '%TEMP%\overdrive.exe'
- %TEMP%\overdrive.exe
- http://re#.space/checkin?ho###############
- http://re#.space/command?id###############
- http://re#.space/result
- DNS ASK re#.space
- '<SYSTEM32>\cmd.exe' /c "net user 'jmaldive' /add"
- '<SYSTEM32>\net.exe' user 'jmaldive' /add
- '<SYSTEM32>\net1.exe' user 'jmaldive' /add
- '<SYSTEM32>\cmd.exe' /c tasklist
- '<SYSTEM32>\tasklist.exe'