Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS] 'Startup' = 'ServiceMain'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS] 'DllName' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\BITS] 'Start' = '00000002' (тип запуска 2 — служба запускается автоматически)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:Thunder'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\svchost.exe' = '<SYSTEM32>\svchost.exe:*:Enabled:Thunder'
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\171328.bat
- '<SYSTEM32>\svchost.exe' -k 167578
- %WINDIR%\171328.bat
- <SYSTEM32>\Systen.dll
- %WINDIR%\164109.dll
- из %WINDIR%\164109.dll в %HOMEPATH%\181312.log
- из <SYSTEM32>\Systen.dll в %HOMEPATH%\181156.log
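- 'zh####.go.3322.org':80 (символы «#» здесь и ниже, по-видимому, скрывают часть имени хоста; в таком виде имя не годится как точный индикатор)
- 'zh###e.vicp.net':8000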
- zh####.go.3322.org/
- DNS ASK zh####.go.3322.org
- DNS ASK zh###e.vicp.net
- DNS ASK up####.microsoft.com