Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
- [<HKLM>\SYSTEM\ControlSet001\Services\oreans32] 'Start' = '00000001'
- '%TEMP%\IXP000.TMP\server.exe'
- '%TEMP%\IXP000.TMP\Stub.exe'
- ClassName: 'pediy06' WindowName: '(null)'
- ClassName: 'GBDYLLO' WindowName: '(null)'
- ClassName: 'OLLYDBG' WindowName: '(null)'
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\829f8efd-ba85-409e-84c3-42619eee672f
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\699c4b9cdebca7aaea5193cae8a50098_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %TEMP%\IXP000.TMP\server.exe
- %TEMP%\IXP000.TMP\Stub.exe
- <DRIVERS>\oreans32.sys
- %TEMP%\IXP000.TMP\server.exe
- %TEMP%\IXP000.TMP\Stub.exe