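Техническая информация (подзаголовки разделов в этой копии отсутствуют; по порядку перечислены: значения в ключах автозапуска реестра, пути к файлам и командная строка wscript.exe, сетевые обращения, параметры окна)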
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run] 'Host Service' = '%APPDATA%\hostsvc.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run] 'Host Service' = '%APPDATA%\hostsvc.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Host Service' = '%APPDATA%\hostsvc.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HTTP' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Host Service' = '%APPDATA%\hostsvc.exe'
- %APPDATA%\hostsvc.exe файлом %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- <SYSTEM32>\wscript.exe "%TEMP%\Mp3Aio.vbs"
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- %TEMP%\hostsvc.exe.jpg
- %TEMP%\Mp3Aio.vbs
- %APPDATA%\HTTP.tempcodec
- %TEMP%\Mp3Aio.vbs
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe в %APPDATA%\hostsvc.exe
- %APPDATA%\HTTP.tempcodec в %APPDATA%\HTTP.exe
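- 'mo###music.net':80 (символы «#» здесь и в следующих строках, по-видимому, маскируют часть значения в источнике; для точного сопоставления по домену и URL эти индикаторы неполны)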
- mo###music.net/blackshades//cmd.php?ke############################
- mo###music.net/blackshades//alive.php?ke##################################################################################
- DNS ASK mo###music.net
- ClassName: 'Indicator' WindowName: ''