Техническая информация
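- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Winlogon' = '%APPDATA%\Roaming\winlogon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Winlogon' = '%APPDATA%\Roaming\winlogon.exe'
  (Оба значения — записи автозапуска в ключах Run. Имя значения 'Winlogon' и имя файла winlogon.exe совпадают с именем системного процесса, однако штатный winlogon.exe располагается в <SYSTEM32>, а не в профиле пользователя.)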
- 'C:\ProgramData\BCU'
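- '%APPDATA%\Roaming\csrss.exe' -reg %APPDATA%\Roaming\winlogon.exe -proc 4028 %APPDATA%\Roaming\winlogon.exe
  (Число после -proc, по-видимому, является идентификатором процесса и относится к конкретному запуску образца; при поиске по командной строке опираться на него не следует.)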
- '%APPDATA%\Roaming\winlogon.exe'
- '<SYSTEM32>\taskhost.exe'
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe'
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- C:\ProgramData\BCU
- %APPDATA%\Roaming\csrss.exe
- %APPDATA%\Roaming\winlogon.exe
- %APPDATA%\Roaming\csrss.exe
- C:\ProgramData\BCU
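- 'th###xynet.com':80
- th###xynet.com/gate.php
- DNS ASK th###xynet.com
  (Символы ### в имени домена, по-видимому, скрывают часть адреса в исходном описании; полное имя домена на странице не приведено, поэтому использовать эту строку как точный индикатор нельзя.)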
- ClassName: '#32770' WindowName: 'Windows Task Manager'
- ClassName: 'Indicator' WindowName: '(null)'