Техническая информация
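- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\RTHDCPL.exe' (автозапуск: Winlogon запускает все программы, перечисленные в значении Userinit, при входе пользователя в систему; штатное значение содержит только userinit.exe, поэтому дополнительная запись RTHDCPL.exe — признак изменения)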
- <SYSTEM32>\xcopy.exe /y sqlite3.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y zlib1.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y mpk64.exe <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y ssleay32.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y RTHDCPL.exe <SYSTEM32>
- <SYSTEM32>\ping.exe -n 4 127.0.0.1
- <SYSTEM32>\xcopy.exe /y Mpk.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y RTHD.EXE <SYSTEM32>
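- <SYSTEM32>\reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v %WINDIR%\explorer.exe /t REG_SZ /d DisableNXShowUI /f (значение DisableNXShowUI в AppCompatFlags\Layers — слой совместимости, отключающий DEP/NX для указанного исполняемого файла; ниже то же значение задаётся для <SYSTEM32>\RTHD.EXE)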
- <SYSTEM32>\taskkill.exe /IM RTHD.EXE
- <SYSTEM32>\reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d <SYSTEM32>\userinit.exe,<SYSTEM32>\RTHDCPL.exe /f
- <SYSTEM32>\reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v <SYSTEM32>\RTHD.EXE /t REG_SZ /d DisableNXShowUI /f
- <SYSTEM32>\xcopy.exe /y libeay32.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y Mpk64.dll <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y key.bin <SYSTEM32>
- <SYSTEM32>\xcopy.exe /y mpk.db <SYSTEM32>
- %TEMP%\~1.bat
- %TEMP%\~1.bat
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''