Техническая информация
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\iem.exe" -a "%ProgramFiles%\Internet Explorer\iexplore.exe"' (перезаписано значение по умолчанию ключа: запуск Internet Explorer из меню «Пуск» перенаправляется через iem.exe, а путь к iexplore.exe передаётся ему аргументом)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '1577711687' = '<LS_APPDATA>\iem.exe' (автозапуск iem.exe при входе пользователя в систему)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe' (штатный компонент Windows; сама по себе эта запись не указывает на вредоносный файл)
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- (Итог по перечисленным параметрам: брандмауэр Windows отключён для доменного и стандартного профилей — 'EnableFirewall' = 0, а уведомления об этом подавлены — 'DisableNotifications' = 1.)
- Обновления системы (Windows Update)
- Центр обеспечения безопасности (Security Center)
- '%TEMP%\d2AitUHDL.exe' (загружен из сети Интернет)
- '%TEMP%\d2AitUHDL.exe'
- '<LS_APPDATA>\iem.exe' -gav <Полный путь к вирусу>
- safari.exe
- opera.exe
- chrome.exe
- iexplore.exe
- firefox.exe
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\Sota\FFFTP]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\Software\Martin Prikryl]
- [<HKCU>\Software\Martin Prikryl]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\SoftX.org\FTPClient\Sites]
- [<HKLM>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\Software\FTPClient\Sites]
- [<HKCU>\Software\SoftX.org\FTPClient\Sites]
- [<HKLM>\Software\FTPClient\Sites]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKLM>\Software\FileZilla Client]
- [<HKLM>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\FileZilla Client]
- [<HKCU>\Software\FlashFXP]
- [<HKCU>\Software\FlashFXP\3]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\FileZilla]
- [<HKLM>\Software\FlashFXP]
- %TEMP%\pki19.tmp
- <LS_APPDATA>\suam.exe
- %TEMP%\pki18.tmp
- %ALLUSERSPROFILE%\Application Data\vgic.exe
- %TEMP%\pki1B.tmp
- %TEMP%\ktqk.exe
- %TEMP%\pki1A.tmp
- %ALLUSERSPROFILE%\Application Data\qxkg.exe
- %TEMP%\pki15.tmp
- <LS_APPDATA>\wcsm.exe
- %TEMP%\pki16.tmp
- %HOMEPATH%\Templates\fmab.exe
- %TEMP%\pki17.tmp
- %TEMP%\yxut.exe
- %HOMEPATH%\Templates\gcen.exe
- <LS_APPDATA>\afe6lel3t068u8005ke6yj56dq5wn6f0h486l501cj0s54
- %TEMP%\pki24.tmp
- %TEMP%\pki23.tmp
- %ALLUSERSPROFILE%\Application Data\afe6lel3t068u8005ke6yj56dq5wn6f0h486l501cj0s54
- %TEMP%\d2AitUHDL.exe
- %HOMEPATH%\Templates\afe6lel3t068u8005ke6yj56dq5wn6f0h486l501cj0s54
- %TEMP%\afe6lel3t068u8005ke6yj56dq5wn6f0h486l501cj0s54
- %TEMP%\pki1E.tmp
- %TEMP%\pki1D.tmp
- %TEMP%\pki1C.tmp
- %TEMP%\pki1F.tmp
- %TEMP%\pki22.tmp
- %TEMP%\pki21.tmp
- %TEMP%\pki20.tmp
- %TEMP%\pkiA.tmp
- %TEMP%\pki9.tmp
- %TEMP%\pki8.tmp
- %TEMP%\pkiB.tmp
- %TEMP%\pkiE.tmp
- %TEMP%\pkiD.tmp
- %TEMP%\pkiC.tmp
- %TEMP%\pki3.tmp
- %TEMP%\pki2.tmp
- %TEMP%\pki1.tmp
- %TEMP%\pki4.tmp
- %TEMP%\pki7.tmp
- %TEMP%\pki6.tmp
- %TEMP%\pki5.tmp
- %TEMP%\pkiF.tmp
- %ALLUSERSPROFILE%\Application Data\oysp.exe
- <LS_APPDATA>\cjsd.exe
- %HOMEPATH%\Templates\qtpi.exe
- %TEMP%\xxxl.exe
- %TEMP%\pki14.tmp
- %HOMEPATH%\Templates\ktfx.exe
- %TEMP%\pki13.tmp
- %TEMP%\pki12.tmp
- %TEMP%\pki11.tmp
- %TEMP%\pki10.tmp
- <LS_APPDATA>\iem.exe
- %TEMP%\vpae.exe
- %ALLUSERSPROFILE%\Application Data\yhxu.exe
- <LS_APPDATA>\pgvw.exe
- %TEMP%\pki19.tmp
- %TEMP%\pki18.tmp
- %TEMP%\pki1B.tmp
- %TEMP%\pki1A.tmp
- %TEMP%\pki17.tmp
- %TEMP%\pki14.tmp
- %TEMP%\pki13.tmp
- %TEMP%\pki16.tmp
- %TEMP%\pki15.tmp
- %TEMP%\pki22.tmp
- %TEMP%\pki21.tmp
- %TEMP%\pki24.tmp
- %TEMP%\pki23.tmp
- %TEMP%\pki20.tmp
- %TEMP%\pki1D.tmp
- %TEMP%\pki1C.tmp
- %TEMP%\pki1F.tmp
- %TEMP%\pki1E.tmp
- %TEMP%\pki7.tmp
- %TEMP%\pki6.tmp
- %TEMP%\pki9.tmp
- %TEMP%\pki8.tmp
- %TEMP%\pki5.tmp
- %TEMP%\pki2.tmp
- %TEMP%\pki1.tmp
- %TEMP%\pki4.tmp
- %TEMP%\pki3.tmp
- %TEMP%\pki10.tmp
- %TEMP%\pkiF.tmp
- %TEMP%\pki12.tmp
- %TEMP%\pki11.tmp
- %TEMP%\pkiE.tmp
- %TEMP%\pkiB.tmp
- %TEMP%\pkiA.tmp
- %TEMP%\pkiD.tmp
- %TEMP%\pkiC.tmp
- 'cy####jyvidiwi.com':80 (здесь и далее часть символов доменных имён скрыта знаками «#»)
- 'di###akiri.com':80
- 'tu####kenuqi.com':80
- 'xo###ipowu.com':80
- 'na####hohuly.com':80
- 'ly####wotucoh.com':80
- 'zo####kimewut.com':80
- 'za####dixahok.com':80
- 'nb#####nsn89m0nk.com':80
- 'xo####fehonog.com':80
- 'di####jubeka.com':80
- 'ro####zanasi.com':80
- 'fi####gymeba.com':80
- 'zy####movyxy.com':80
- http://nb#####nsn89m0nk.com/setup.exe (загрузка исполняемого файла по незащищённому HTTP)
- http://xo####fehonog.com/
- DNS ASK da###ufigaj.com
- DNS ASK hi###umala.com
- DNS ASK ne###ezyjih.com
- DNS ASK xe####wunikyle.com
- DNS ASK pi####caciqil.com
- DNS ASK ny####wafyfa.com
- DNS ASK dy####gymasasu.com
- DNS ASK xy###yquk.com
- DNS ASK co###irebu.com
- DNS ASK lo####hosywaw.com
- DNS ASK ce####zugyky.com
- DNS ASK ro###ymici.com
- DNS ASK di####mydupi.com
- DNS ASK vu###uzuxil.com
- DNS ASK microsoft.com (легитимный домен; вероятно, используется для проверки доступности сети)
- DNS ASK pu####pageta.com
- DNS ASK ve###utuk.com
- DNS ASK ly####fotoqy.com
- DNS ASK xa###iwehiw.com
- DNS ASK ro####zanasi.com
- DNS ASK fi####gymeba.com
- DNS ASK di###akiri.com
- DNS ASK tu####kenuqi.com
- DNS ASK zy####movyxy.com
- DNS ASK nb#####nsn89m0nk.com
- DNS ASK xo####fehonog.com
- DNS ASK di####jubeka.com
- DNS ASK za####dixahok.com
- DNS ASK cy####jyvidiwi.com
- DNS ASK ku###idewar.com
- DNS ASK mu###ahyxar.com
- DNS ASK pe###ukos.com
- DNS ASK wu###osux.com
- DNS ASK wa###opani.com
- DNS ASK zo####kimewut.com
- DNS ASK xo###ipowu.com
- DNS ASK na####hohuly.com
- DNS ASK ly####wotucoh.com
- ClassName: 'msascui_class' WindowName: '' (по-видимому, окно интерфейса Windows Defender — MSASCui.exe)
- ClassName: 'Indicator' WindowName: ''