Техническая информация
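Регистрация службы Microsoft.Protect в реестре (значение 'Start' = 2 соответствует автоматическому запуску службы при загрузке системы):
- [<HKLM>\SYSTEM\ControlSet001\Services\Microsoft.Protect] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Microsoft.Protect] 'ImagePath' = '<SYSTEM32>\Microsoft.Protect.exe'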
- %TEMP%\7ZipSfx.000\install.bat
- %TEMP%\7ZipSfx.000\dr\mypic.jpg
- %TEMP%\7ZipSfx.000\dr\nst.bat
- %TEMP%\7ZipSfx.000\dr\nst32.tmp
- %TEMP%\7ZipSfx.000\dr\nst64.tmp
- %TEMP%\7ZipSfx.000\dr\temp1.tmp
- %TEMP%\7ZipSfx.000\dr\Thumbs.db
- %TEMP%\mypic.jpg
- %TEMP%\nst.bat
- %TEMP%\nst32.tmp
- %TEMP%\nst64.tmp
- %TEMP%\temp1.tmp
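- <SYSTEM32>\wget.exe (wget.exe не входит в стандартный состав Windows, поэтому его наличие в системном каталоге само по себе является признаком для проверки)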
- %TEMP%\7ZipSfx.000\dr\Thumbs.db
- %TEMP%\7ZipSfx.000\dr\mypic.jpg
- %TEMP%\7ZipSfx.000\dr\nst.bat
- %TEMP%\7ZipSfx.000\dr\nst32.tmp
- %TEMP%\7ZipSfx.000\dr\nst64.tmp
- %TEMP%\7ZipSfx.000\dr\temp1.tmp
- %TEMP%\7ZipSfx.000\dr\Thumbs.db
- %TEMP%\7ZipSfx.000\install.bat
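Командные строки процессов (cmd.exe выполняет install.bat и nst.bat; sc.exe останавливает, удаляет, заново создаёт с автозапуском и запускает службу Microsoft.Protect):
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7ZipSfx.000\install.bat" "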
- '<SYSTEM32>\cmd.exe' /K %TEMP%\nst.bat
- '<SYSTEM32>\sc.exe' stop Microsoft.Protect
- '<SYSTEM32>\sc.exe' delete Microsoft.Protect
- '<SYSTEM32>\sc.exe' create Microsoft.Protect binpath= "<SYSTEM32>\Microsoft.Protect.exe" start= auto
- '<SYSTEM32>\sc.exe' start Microsoft.Protect