Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'microsoft_ms' = '%APPDATA%\system_lm.exe'
- '<SYSTEM32>\schtasks.exe' /create /tn "microsoft_ms" /sc ONLOGON /tr "%APPDATA%\system_lm.exe" /rl HIGHEST /f
- %APPDATA%\information.txt
- %APPDATA%\system_lm.exe
- %APPDATA%\GrabbedTxtFiles.zip
- %TEMP%\Costura\1C5261BF952F0DB07ED94CD88216B987\32\sqlite.interop.dll
- %APPDATA%\Passwords.txt
- 'cs##last.ru':80
- 'wp#d':80
- http://11#.#11.111.1/wpad.dat via wp#d
- http://cs##last.ru/?&n####################################################
- DNS ASK cs##last.ru
- DNS ASK wp#d