Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\services\EFS] 'Start' = '00000002'
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\efsui.exe' /efs /keybackup
- '<SYSTEM32>\Dwm.exe'
- C:\System Volume Information\EFS0.LOG
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFS0.TMP
- %APPDATA%\Roaming\Microsoft\SystemCertificates\My\Certificates\50BB49F023EB6D23A8AAD8254EED99D54D581FE9
- %APPDATA%\Roaming\verison.dll
- %APPDATA%\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3525224950-2885160813-905547259-1000\5d7b738a2e070555a46081429187ee4d_fdaad129-04df-4089-bb80-174ce725f721
- C:\System Volume Information\EFS0.LOG
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFS0.TMP
- из <Полный путь к вирусу> в %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe
- 'uo#####sciscqaiu.org':80
- '74.##5.232.51':80
- 74.##5.232.51/
- uo#####sciscqaiu.org/
- DNS ASK uo#####sciscqaiu.org
- DNS ASK www.google.com
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'