Техническая информация (индикаторы компрометации: ключи реестра для автозапуска — Winlogon\Notify и Policies\Explorer\run, созданные файлы, запускаемые процессы; вызовы attrib.exe снимают и возвращают атрибуты «системный/скрытый» у файла hosts, т.е. файл hosts модифицируется)
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll] 'DllName' = 'fly543.dll'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll] 'Startup' = 'EventStartup'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\run] '2651' = '%TEMP%\RarSFX0\n036.exe'
- %TEMP%\rarsfx0\small.exe
- %TEMP%\rarsfx0\n036.exe
- %WINDIR%\syswow64\feimain.dll
- %WINDIR%\syswow64\feiplug.dll
- %WINDIR%\syswow64\fly543.dll
- %WINDIR%\syswow64\flymain543.dll
- C:\tmpqq10000.dat
- C:\tmpqq10000.dat
- C:\tmpqq10000.dat
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\rarsfx0\small.exe'
- '%TEMP%\rarsfx0\n036.exe'
- '%WINDIR%\syswow64\attrib.exe' -s -h "<DRIVERS>\etc\hosts"' (со скрытым окном)
- '%WINDIR%\syswow64\attrib.exe' +s +h "<DRIVERS>\etc\hosts"' (со скрытым окном)
- '%WINDIR%\syswow64\regsvr32.exe' /s <SYSTEM32>\feiplug.dll
- '%WINDIR%\syswow64\attrib.exe' -s -h "<DRIVERS>\etc\hosts"
- '%WINDIR%\syswow64\attrib.exe' +s +h "<DRIVERS>\etc\hosts"