Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\services\CknobK] 'Start' = '00000002' (значение 2 — автоматический запуск службы при загрузке системы)
- '<SYSTEM32>\takeown.exe' /f "%WINDIR%\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\wscript.exe"
- '<SYSTEM32>\takeown.exe' /f "%WINDIR%\winsxs\x86_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_aef2c7dbb6cc16c1\ftp.exe"
- '<SYSTEM32>\takeown.exe' /f "%WINDIR%\winsxs\x86_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_8d1430a8789ea27a\cmd.exe"
- '<SYSTEM32>\conhost.exe' /pid=264
- '<SYSTEM32>\icacls.exe' /f "%WINDIR%\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\cscript.exe"
- '<SYSTEM32>\takeown.exe' /f "%WINDIR%\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\cscript.exe"
- '<SYSTEM32>\conhost.exe' "" /grant Users:F
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\cmd.exe"
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\tdavx.exe" /grant SYSTEM:F (F — полный доступ к файлу)
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\tdavx.exe"
- '<SYSTEM32>\icacls.exe' "" /grant Users:F
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\cscript.exe"
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\wscript.exe"
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\ftp.exe"
- <SYSTEM32>\tdavx.exe
- 'www.xp##22.com':80 (соединение с узлом, порт 80)
- www.xp##22.com/s/2.txt (ресурс, запрошенный у этого узла; по-видимому, по HTTP)
- DNS ASK www.xp##22.com