Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Windows Defender' = '%TEMP%\OWnnRwgA.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe "%TEMP%\OWnnRwgA.exe"'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UserInit' = '<SYSTEM32>\userinit.exe,"%TEMP%\OWnnRwgA.exe",'
- %TEMP%\OWnnRwgA.exe
- <SYSTEM32>\notepad.exe
- <SYSTEM32>\notepad.exe
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\2e75411ab373122e2fd11721ffd7a5f2_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %TEMP%\OWnnRwgA.exe
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\ce444c3b-d1c9-4456-9235-fda72f812ab3
- 'www.cy#####clean-lp4500.com':80
- www.cy#####clean-lp4500.com/images/a/gate.php?&o######################
- DNS ASK www.cy#####clean-lp4500.com