Техническая информация (Technical information)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '90fa78f5-bad8-4265-a848-f2ec61045c8b' = '%APPDATA%\pacfr\pacfr.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '90fa78f5-bad8-4265-a848-f2ec61045c8b' = '%APPDATA%\pacfr\pacfr.exe'
- %HOMEPATH%\Start Menu\Programs\Startup\Doeoa.lnk
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE'
- '<SYSTEM32>\cmd.exe' /c copy "%TEMP%\RarSFX0\*.*" "%APPDATA%\Irmkwhrrx" & exit
- '%TEMP%\RarSFX0\Doeoa.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Associations] 'LowRiskFileTypes' = '.exe;.bat;.reg;.vbs;'
- %APPDATA%\Irmkwhrrx\Doeoa.exe
- %APPDATA%\Irmkwhrrx\Echmbulmigrmkwh.png
- %APPDATA%\pacfr\pacfr.exe
- %APPDATA%\Irmkwhrrx\Alesvxamve.xml
- %TEMP%\RarSFX0\Doeoa.exe
- %TEMP%\RarSFX0\Echmbulmigrmkwh.png
- %TEMP%\RarSFX0\Alesvxamve.xml
- %TEMP%\RarSFX0\Echmbulmigrmkwh.png
- %TEMP%\RarSFX0\Alesvxamve.xml
- %TEMP%\RarSFX0\Doeoa.exe
- 'e0#.#0s3id0n.su':80
- http://e0#.#0s3id0n.su/images/gateway.php
- DNS ASK e0#.#0s3id0n.su
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''