Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'Start' = '00000002' (автоматический запуск службы при загрузке системы)
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'ImagePath' = '<SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"'
- 'MsRkNrL' <SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"
- %TEMP%\dm6331.tmp
- %TEMP%\rknrl.vbs
- %TEMP%\winstart.vbs
- 'ra#.####ubusercontent.com':443
- 'ai########ill.airobotheworld.com':80
- 'ne#####.airobotheworld.com':80
- 'ra#.####ubusercontent.com':443
- DNS ASK ra#.####ubusercontent.com
- DNS ASK ai########ill.airobotheworld.com
- DNS ASK ne#####.airobotheworld.com
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs" (со скрытым окном)