Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcm9q8P.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcykATe.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcgMN1l.sys'
- [<HKLM>\System\CurrentControlSet\Services\abc2.0] 'ImagePath' = '%TEMP%\~abcXFOFa.sys'
- 'abc2.0' %TEMP%\~abcm9q8P.sys
- 'abc2.0' %TEMP%\~abcykATe.sys
- 'abc2.0' %TEMP%\~abcgMN1l.sys
- 'abc2.0' %TEMP%\~abcXFOFa.sys
- %TEMP%\~abcm9q8P.sys
- %WINDIR%\temp\udd9f3c.tmp
- %TEMP%\~abcykATe.sys
- %TEMP%\4l37z0e2ex04i.exe
- %TEMP%\~abcgMN1l.sys
- %TEMP%\~abcXFOFa.sys
- %TEMP%\~abcm9q8P.sys
- %TEMP%\~abcykATe.sys
- %TEMP%\~abcgMN1l.sys
- %TEMP%\~abcXFOFa.sys
- %WINDIR%\temp\udd9f3c.tmp
- %TEMP%\~abcm9q8P.sys
- %TEMP%\~abcykATe.sys
- %TEMP%\~abcgMN1l.sys
- %TEMP%\~abcXFOFa.sys
- %TEMP%\4l37z0e2ex04i.exe
- 'cs.###ove123.com':80
- http://sp.###ove123.com/NIP.dat
- http://sp.###ove123.com/yzxy.txt
- http://cs.###ove123.com/mtmd-v3.php
- DNS ASK sp.###ove123.com
- DNS ASK cs.###ove123.com
- ClassName: '' WindowName: 'TPHelper.exe'
- '%TEMP%\4l37z0e2ex04i.exe'
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\4L37Z0e2Ex04I.exe' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c start %TEMP%\4L37Z0e2Ex04I.exe