Техническая информация
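Запись в списке разрешённых приложений брандмауэра Windows (стандартный профиль); исполняемый файл из %TEMP% внесён в исключения под отображаемым именем «Product Key Explorer»:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\3sauwehj.kov\csrss.exe' = '%TEMP%\3sauwehj.kov\csrss.exe:*:Enabled:Product Key Explorer'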
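Командные строки (по виду записей — запуск процессов). Оба файла носят имена системных процессов Windows (csrss.exe, lsass.exe), но расположены в подкаталоге %TEMP%; расхождение имени и пути образа — надёжный признак для обнаружения:
- '%TEMP%\3sauwehj.kov\csrss.exe' /remote 127.0.0.1 /f "%TEMP%\~635336784922812500.tmp" /exit
- '%TEMP%\3sauwehj.kov\lsass.exe' /stext "%TEMP%\~635336784888750000.tmp"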
- [<HKLM>\SOFTWARE\Microsoft\MessengerService]
- %TEMP%\~635336784888750000.tmp
- \Device\LanmanRedirector\127.0.0.1\PIPE\wkssvc
- %TEMP%\~635336784922812500.tmp
- %TEMP%\3sauwehj.kov\csrss.exe
- %TEMP%\3sauwehj.kov\sqlite3.dll
- %TEMP%\3sauwehj.kov\lsass.exe
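Сетевые адреса в формате 'узел':порт (445 — SMB, 587 — отправка почты по SMTP, 80 — HTTP). Символы «#» в именах узлов, по-видимому, скрывают часть исходного имени, поэтому эти строки нельзя использовать как точные индикаторы:
- 'localhost':445
- 'sm##.gmail.com':587
- 'wp#d':80
- 'ap#.##infodb.com':80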
- ap#.##infodb.com/v2/ip_query.php?ke##################################################################
- wp#d/wpad.dat
- DNS ASK sm##.gmail.com
- DNS ASK ap#.##infodb.com
- DNS ASK wp#d
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'