Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\Services\prvdisk] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\idcloudsrvtoup] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\PolicyAgent] 'Start' = '00000002'
- %TEMP%\nsxA.tmp\nsD.tmp sc start idcloudsrvtoup
- %CommonProgramFiles%\sougou\icloud.exe
- %TEMP%\nsxA.tmp\nsB.tmp sc create idcloudsrvtoup binpath= "%CommonProgramFiles%\sougou\icloud.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- %TEMP%\nsxA.tmp\nsC.tmp sc description idcloudsrvtoup "К№УГICould CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- %PROGRAM_FILES%\eksirkmzts\un0701185600514.exe
- %TEMP%\~nsu.tmp\Au_.exe _?=%PROGRAM_FILES%\eksirkmzts\
- %TEMP%\nsxA.tmp\nsE.tmp sc create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- %TEMP%\nsn2.tmp\nsF.tmp cmd /c "<Текущая директория>\regdllt.bat"
- %TEMP%\nsn2.tmp\ns5.tmp cmd /c "<Текущая директория>\regdllc.bat"
- %TEMP%\nsn2.tmp\ns6.tmp sc start PolicyAgent
- %TEMP%\nsn2.tmp\ns3.tmp cmd /c ipconfig /all >"<Текущая директория>\ip.txt"
- %TEMP%\nsn2.tmp\ns4.tmp cmd /c arp -a >"<Текущая директория>\ft.txt"
- %PROGRAM_FILES%\eksirkmzts\rytrlnye.exe -file ahnrq8qzg6ev3t.txt
- %PROGRAM_FILES%\eksirkmzts\mysetup.exe
- %TEMP%\nsn2.tmp\ns7.tmp sc config PolicyAgent start= auto
- %TEMP%\nsn2.tmp\ns8.tmp "rytrlnye.exe" -file ahnrq8qzg6ev3t.txt
- <SYSTEM32>\sc.exe create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- <SYSTEM32>\sc.exe start idcloudsrvtoup
- <SYSTEM32>\sc.exe description idcloudsrvtoup "К№УГICould CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- <SYSTEM32>\arp.exe -s 10.0.1.1 00-01-02-03-04-05 10.0.1.2
- <SYSTEM32>\cmd.exe /c "<Текущая директория>\regdllt.bat"
- <SYSTEM32>\wscript.exe "%CommonProgramFiles%\sougou\note.vbs"
- <SYSTEM32>\sc.exe create idcloudsrvtoup binpath= "%CommonProgramFiles%\sougou\icloud.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- <SYSTEM32>\cmd.exe /c "<Текущая директория>\regdllc.bat"
- <SYSTEM32>\arp.exe -a
- <SYSTEM32>\ipconfig.exe /all
- <SYSTEM32>\sc.exe config PolicyAgent start= auto
- <SYSTEM32>\sc.exe start PolicyAgent
- <SYSTEM32>\arp.exe -s 10.0.1.1 00-00-00-00-00-01 10.0.1.2
- %CommonProgramFiles%\sougou\suject.db
- %CommonProgramFiles%\sougou\icloud.exe
- %CommonProgramFiles%\sougou\vison.txt
- %CommonProgramFiles%\sougou\config-n.xml
- %CommonProgramFiles%\sougou\config-s.xml
- %CommonProgramFiles%\sougou\prvdisk.sys
- %PROGRAM_FILES%\eksirkmzts\mysetup.exe
- %TEMP%\nsn2.tmp\ns8.tmp
- %TEMP%\nsn2.tmp\ns7.tmp
- %CommonProgramFiles%\sougou\note.txt
- %CommonProgramFiles%\sougou\ypac.txt
- %CommonProgramFiles%\sougou\sqlite3.dll
- %TEMP%\nsxA.tmp\nsE.tmp
- <SYSTEM32>\PrvMon\prvdisk.sys
- %CommonProgramFiles%\sougou\newsousuo.pac
- %TEMP%\~nsu.tmp\Au_.exe
- %TEMP%\nsn2.tmp\nsF.tmp
- %CommonProgramFiles%\sougou\note.vbs
- %TEMP%\nsxA.tmp\nsExec.dll
- %TEMP%\nsxA.tmp\System.dll
- %TEMP%\nsxA.tmp\AccessControl.dll
- %TEMP%\nsxA.tmp\nsD.tmp
- %TEMP%\nsxA.tmp\nsC.tmp
- %TEMP%\nsxA.tmp\nsB.tmp
- %TEMP%\nsn2.tmp\InetLoad.dll
- %TEMP%\nsn2.tmp\nsRandom.dll
- %PROGRAM_FILES%\eksirkmzts\un0701185600514.exe
- <Текущая директория>\op.ini
- %TEMP%\nsn2.tmp\nsplugin.dll
- %TEMP%\nsn2.tmp\Internet.dll
- %PROGRAM_FILES%\eksirkmzts\reginfo.xml
- %PROGRAM_FILES%\eksirkmzts\s0001.xml
- %PROGRAM_FILES%\eksirkmzts\menu.xml
- %PROGRAM_FILES%\eksirkmzts\temp0701185600514.ini
- %TEMP%\nsn2.tmp\System.dll
- %PROGRAM_FILES%\eksirkmzts\ser000.xml
- <Текущая директория>\regdllc.bat
- <Текущая директория>\ft.txt
- %TEMP%\nsn2.tmp\ns4.tmp
- %TEMP%\nsn2.tmp\ns6.tmp
- %TEMP%\nsn2.tmp\ns5.tmp
- <Текущая директория>\regdllt.bat
- %PROGRAM_FILES%\eksirkmzts\ahnrq8qzg6ev3t.txt
- <Текущая директория>\tx.ini
- %PROGRAM_FILES%\eksirkmzts\rytrlnye.exe
- <Текущая директория>\ip.txt
- %TEMP%\nsn2.tmp\ns3.tmp
- %TEMP%\nsn2.tmp\nsExec.dll
- %TEMP%\nsn2.tmp\nsF.tmp
- <Текущая директория>\regdllc.bat
- %TEMP%\nsn2.tmp\InetLoad.dll
- <Текущая директория>\regdllt.bat
- <Текущая директория>\ft.txt
- %PROGRAM_FILES%\eksirkmzts\reginfo.xml
- %PROGRAM_FILES%\eksirkmzts\menu.xml
- <Текущая директория>\ip.txt
- %PROGRAM_FILES%\eksirkmzts\rytrlnye.exe
- %PROGRAM_FILES%\eksirkmzts\temp0701185600514.ini
- %PROGRAM_FILES%\eksirkmzts\un0701185600514.exe
- %CommonProgramFiles%\sougou\note.vbs
- %PROGRAM_FILES%\eksirkmzts\ahnrq8qzg6ev3t.txt
- %TEMP%\nsn2.tmp\System.dll
- %TEMP%\nsn2.tmp\nsExec.dll
- %TEMP%\nsn2.tmp\Internet.dll
- %TEMP%\nsn2.tmp\nsRandom.dll
- %TEMP%\nsn2.tmp\nsplugin.dll
- %PROGRAM_FILES%\eksirkmzts\s0001.xml
- %TEMP%\nsn2.tmp\ns7.tmp
- %TEMP%\nsn2.tmp\ns6.tmp
- %TEMP%\nsxA.tmp\nsB.tmp
- %TEMP%\nsn2.tmp\ns8.tmp
- %TEMP%\nsn2.tmp\ns5.tmp
- <Текущая директория>\tx.ini
- <Текущая директория>\op.ini
- %TEMP%\nsn2.tmp\ns4.tmp
- %TEMP%\nsn2.tmp\ns3.tmp
- %TEMP%\nsxA.tmp\System.dll
- %TEMP%\nsxA.tmp\nsExec.dll
- %PROGRAM_FILES%\eksirkmzts\ser000.xml
- %PROGRAM_FILES%\eksirkmzts\mysetup.exe
- %TEMP%\nsxA.tmp\AccessControl.dll
- %TEMP%\nsxA.tmp\nsD.tmp
- %TEMP%\nsxA.tmp\nsC.tmp
- %CommonProgramFiles%\sougou\prvdisk.sys
- %TEMP%\nsxA.tmp\nsE.tmp
- 'localhost':1037
- 'g.###ips.com':82
- 'm.###nong.com':888
- 'www.39##.com':80
- www.39##.com/svr.asp?c=########################################
- DNS ASK www.39##.com
- DNS ASK g.###ips.com
- DNS ASK m.###nong.com
- '<IP-адрес в локальной сети>':1034
- ClassName: 'Shell_TrayWnd' WindowName: ''