Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe] 'Debugger' = '<SYSTEM32>\config\SamEvent.dll' (значение Debugger в ключе Image File Execution Options приводит к тому, что при запуске sethc.exe вместо него выполняется указанный файл)
- <SYSTEM32>\sethc.exe файлом <SYSTEM32>\sethc.exe
- <SYSTEM32>\dllcache\sethc.exe файлом <SYSTEM32>\dllcache\sethc.exe
- '<SYSTEM32>\attrib.exe' +s +a +h +r <SYSTEM32>\sethc.exe
- '<SYSTEM32>\attrib.exe' +s +a +h +r <SYSTEM32>\dllcache\sethc.exe
- '<SYSTEM32>\attrib.exe' +s +a +h +r %WINDIR%\ServicePackFiles\i386\sethc.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\sethc.exe /c /p everyone:r
- '%WINDIR%\regedit.exe' /s What.cgi
- '<SYSTEM32>\attrib.exe' +s +a +h +r <SYSTEM32>\config\SamEvent.dll
- '<SYSTEM32>\net1.exe' stop sharedaccess"
- '<SYSTEM32>\net1.exe' stop "Cryptographic Services"
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\security\Flower.bat" "
- '<SYSTEM32>\attrib.exe' -s -a -h -r <SYSTEM32>\sethc.exe
- '<SYSTEM32>\attrib.exe' -s -a -h -r <SYSTEM32>\dllcache\sethc.exe
- '<SYSTEM32>\taskkill.exe' /IM sethc.exe /F
- %WINDIR%\security\What.cgi
- <SYSTEM32>\config\SamEvent.dll
- %WINDIR%\security\Flower.bat
- %WINDIR%\security\Security.exe
- <SYSTEM32>\config\SamEvent.dll
- %WINDIR%\security\What.cgi
- %WINDIR%\security\Security.exe
- <SYSTEM32>\sethc.exe
- <SYSTEM32>\dllcache\sethc.exe
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'