Technical information
- [<HKLM>\SYSTEM\ControlSet001\services\EFS] 'Start' = '00000002'
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe
- '<SYSTEM32>\efsui.exe' /efs /keybackup
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\Dwm.exe'
- C:\System Volume Information\EFS0.LOG
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFS0.TMP
- %APPDATA%\Roaming\Microsoft\SystemCertificates\My\Certificates\330661D744D9DC441BB9AD3D54131FDA4A4B08F8
- %APPDATA%\Roaming\verison.dll
- %APPDATA%\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3525224950-2885160813-905547259-1000\ac0d0925e0d78e59ad14941fd2fd2d89_fdaad129-04df-4089-bb80-174ce725f721
- C:\System Volume Information\EFS0.LOG
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFS0.TMP
- from <Full path to virus> to %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe
- 'uo#####sciscqaiu.org':80
- '74.##5.232.51':80
- 74.##5.232.51/
- uo#####sciscqaiu.org/
- DNS ASK uo#####sciscqaiu.org
- DNS ASK www.google.com
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'