Техническая информация

Ниже перечислены индикаторы компрометации: ключ автозапуска, запускаемые команды, создаваемые/затрагиваемые файлы и искомые окна (судя по повторяющимся путям, часть записей относится к разным подразделам — например, «создаёт» и «удаляет», — заголовки которых утрачены). Ключевые признаки: копия вредоносного winlogon.exe размещается в каталоге `%WINDIR%\ ` (имя каталога — один пробел; каталогу и его содержимому выставляются атрибуты +S +H +R) и прописывается в значение Shell ключа Winlogon рядом с explorer.exe, чем обеспечивается закрепление; первичный запуск выполняется через задание планировщика At1 (at.exe /interactive, немедленный schtasks /run, затем schtasks /delete). Запуск ntvdm.exe и окно класса ConsoleWindowClass указывают на 16-битный (DOS) компонент. Подлинный winlogon.exe находится в System32; файл с таким именем по пути `%WINDIR%\ \winlogon.exe` следует считать вредоносным.
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '%WINDIR%\explorer.exe %WINDIR%\ \winlogon.exe'
- %WINDIR%\Tasks\At1.job
- <SYSTEM32>\schtasks.exe /run /tn at1
- <SYSTEM32>\at.exe 00:00 /interactive "%WINDIR%\ \winlogon.exe"
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\schtasks.exe /delete /tn at1 /F
- <SYSTEM32>\ping.exe -w 10 127.0.0.1
- <SYSTEM32>\attrib.exe +S +H +R %WINDIR%\ \Desktop.ini /S /D
- <SYSTEM32>\cmd.exe /c ""%WINDIR%\pendrive.bat" "
- <SYSTEM32>\xcopy.exe /h /y pendrive "%WINDIR%\ \winlogon.exe"
- <SYSTEM32>\attrib.exe +S +H +R %WINDIR%\ /S /D
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "%WINDIR%\explorer.exe %WINDIR%\ \winlogon.exe" /f"
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\ \desktop.ini
- %WINDIR%\pendrive.bat
- %WINDIR%\ \winlogon.exe
- %WINDIR%\ \desktop.ini
- %WINDIR%\Tasks\At1.job
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs1.tmp
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bac.bb8.380002'
- ClassName: '' WindowName: ''