Техническая информация (параметры реестра, выполняемые команды, перехватываемые функции, создаваемые файлы, сетевые обращения)
- [<HKLM>\SYSTEM\ControlSet001\Services\RemoteStorage] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RemoteStorage] 'ImagePath' = '<SYSTEM32>\server.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Hooking] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Hooking] 'ImagePath' = '<DRIVERS>\GTHOOK.sys'
- '<SYSTEM32>\cmd.exe' /c del <Полный путь к файлу> > nul — удаление файла через интерпретатор команд с подавлением вывода (`> nul`)
- '<SYSTEM32>\server.exe'
- NtSetInformationFile — обработчик в драйвере GTHOOK.sys (функция ядра перехватывается драйвером, установленным как служба Hooking)
- NtQuerySystemInformation — обработчик в драйвере GTHOOK.sys (функция ядра перехватывается драйвером, установленным как служба Hooking)
- <SYSTEM32>\server.exe
- <SYSTEM32>\server.exe
- %WINDIR%\Temp\SE2.tmp
- %TEMP%\SE1.tmp
- <DRIVERS>\GTHOOK.sys
- <SYSTEM32>\server.exe
- %WINDIR%\Temp\SE2.tmp
- %TEMP%\SE1.tmp
- 'cd####86.codns.com':8000 — соединение с удалённым узлом на порту 8000 (часть имени домена в отчёте скрыта)
- DNS ASK cd####86.codns.com