Technical information
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\m9W1.lnk
- %HOMEPATH%\Start Menu\Programs\Startup\m9W1.lnk
- <SYSTEM32>\Restore1\systems.exe
- <SYSTEM32>\xcopy.exe "%HOMEPATH%\Start Menu\Programs\Startup\m9W1.lnk" "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" /Y
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen <SYSTEM32>\Restore1\Very_Powerful_weapons_have_been_invented.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\MZђ[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\test[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\test[1].php
- %HOMEPATH%\MZђ.exe
- <SYSTEM32>\Restore1\systems.exe
- <SYSTEM32>\Restore1\Very_Powerful_weapons_have_been_invented.jpg
- %HOMEPATH%\Recent\Restore1.lnk
- %HOMEPATH%\Recent\Very_Powerful_weapons_have_been_invented.lnk
- 'localhost':1039
- 'so###icaton.com':80
- so###icaton.com/snowtime//test.php?cn################################
- so###icaton.com/snowtime/CRNJEUFU/MZ?
- so###icaton.com/snowtime/test.php?cn#########################
- DNS ASK so###icaton.com
- '<IP address on the local network>':1037
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''