Техническая информация
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Driver Service' = '%ALLUSERSPROFILE%\MsDrvSrvc.exe'
- <SYSTEM32>\tasks\comsurrogate
- %HOMEPATH%\documents\windowspowershell\dllhost.exe
- %TEMP%\signed.exe
- %ALLUSERSPROFILE%\msdrvsrvc.exe
- %ALLUSERSPROFILE%\msdrvsrvc.exe
- 'zp##########edxtfcygvbgjkvgvcguygytfigj.cc':80
- '17#.#24.204.171':8000
- http://zp##########edxtfcygvbgjkvgvcguygytfigj.cc/gate.php?ty##################################
- http://17#.###.204.171:8000/signed.exe via 17#.#24.204.171
- http://zp##########edxtfcygvbgjkvgvcguygytfigj.cc/gate.php?ty###################################
- http://zp##########edxtfcygvbgjkvgvcguygytfigj.cc/gate.php?ty#################################
- DNS ASK zp##########edxtfcygvbgjkvgvcguygytfigj.cc
- '%HOMEPATH%\documents\windowspowershell\dllhost.exe'
- '%TEMP%\signed.exe'
- '%ALLUSERSPROFILE%\msdrvsrvc.exe'
- '%HOMEPATH%\documents\windowspowershell\dllhost.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "%HOMEPATH%\Documents\WindowsPowerShell\dllhost.exe"
- '<SYSTEM32>\taskeng.exe' {90187A3E-F125-4C25-9692-DB91489B7B3A} S-1-5-21-1960123792-2022915161-3775307078-1001:udskhknydaa\user:Interactive:[1]