Техническая информация
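- [<HKLM>\SYSTEM\ControlSet001\Services\Microsoft.Protect] 'Start' = '00000002' (значение 2 — автоматический запуск службы при загрузке системы; соответствует параметру start= auto в команде sc.exe create ниже)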
- [<HKLM>\SYSTEM\ControlSet001\Services\Microsoft.Protect] 'ImagePath' = '<SYSTEM32>\Microsoft.Protect.exe'
- %TEMP%\7ZipSfx.000\install.bat
- <SYSTEM32>\Microsoft.Protect.exe
- <SYSTEM32>\myjpg.jpg
- %TEMP%\2\myjpg.jpg
- %TEMP%\2\temp.tmp
- %TEMP%\2\Microsoft.Protect.exe
- %TEMP%\2\wget.exe
- %TEMP%\2\install.bat
- %TEMP%\mmchelp64.dll
- %TEMP%\mmchelp32.dll
- %TEMP%\dataapp.dat
- %TEMP%\data.dat
- %TEMP%\1.exe
- %TEMP%\7ZipSfx.000\MusicTop.2018\mmchelp64.dll
- %TEMP%\7ZipSfx.000\MusicTop.2018\mmchelp32.dll
- %TEMP%\7ZipSfx.000\MusicTop.2018\1.exe
- %TEMP%\7ZipSfx.000\MusicTop.2018\dataapp.dat
- %TEMP%\7ZipSfx.000\MusicTop.2018\data.dat
- <SYSTEM32>\temp.tmp
- <SYSTEM32>\wget.exe
- %TEMP%\7ZipSfx.000\install.bat
- %TEMP%\7ZipSfx.000\MusicTop.2018\1.exe
- %TEMP%\7ZipSfx.000\MusicTop.2018\data.dat
- %TEMP%\7ZipSfx.000\MusicTop.2018\dataapp.dat
- %TEMP%\7ZipSfx.000\MusicTop.2018\mmchelp32.dll
- %TEMP%\7ZipSfx.000\MusicTop.2018\mmchelp64.dll
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- '%TEMP%\1.exe'
- '%TEMP%\dataapp.dat'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7ZipSfx.000\install.bat" "
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\2\install.bat" "
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen <SYSTEM32>\myjpg.jpg (открывает файл myjpg.jpg в стандартном средстве просмотра изображений Windows)
- '<SYSTEM32>\sc.exe' stop Microsoft.Protect
- '<SYSTEM32>\sc.exe' delete Microsoft.Protect
- '<SYSTEM32>\sc.exe' create Microsoft.Protect binpath= "<SYSTEM32>\Microsoft.Protect.exe" start= auto