Техническая информация
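- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Kernel' = '%WINDIR%\sychost.exe' (запись в ключе Run обеспечивает автозапуск при входе пользователя в систему; имя файла sychost.exe похоже на имя системного svchost.exe, который штатно находится в <SYSTEM32>, а не в %WINDIR%)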
- %WINDIR%\sychost.exe
- <SYSTEM32>\sc.exe delete runsysleveltmpshortcut.lnk
- <SYSTEM32>\sc.exe start runsysleveltmpshortcut.lnk
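- <SYSTEM32>\sc.exe create runsysleveltmpshortcut.lnk binpath= "cmd /C start tmpshortcut.lnk" type= own type= interact (создаётся служба, запускающая tmpshortcut.lnk через cmd; без параметра obj= служба по умолчанию работает от имени LocalSystem)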
- %WINDIR%\sychost.exe
- <SYSTEM32>\tmpshortcut.lnk
- <SYSTEM32>\tmpshortcut.lnk
- 'ir#.##eenode.net':6667 (порт 6667 обычно используется протоколом IRC)
- DNS ASK ir#.##eenode.net