Technical information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'HostMonitor' = 'cmd /c "start "HostMonitor" "%ProgramFiles%\Conhost\Conhost.exe"'
- '%WINDIR%\XXInstall\ps.exe' /create /tn "HostMonitor" /tr "'%ProgramFiles%\Conhost\Conhost.exe' /startup" /sc MINUTE /f /rl highest
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "HostMonitor" /d "cmd /c """start """HostMonitor""" """%ProgramFiles%\Conhost\Conhost.exe"""" /f"
- '<SYSTEM32>\schtasks.exe' /create /tn "HostMonitor" /tr "'%ProgramFiles%\Conhost\Conhost.exe' /startup" /sc MINUTE /f /rl highest
- <SYSTEM32>\schtasks.exe
- %APPDATA%\Monitor\Screenshots\06-06-2017\4.06 PM
- from <Full path to file> to %ProgramFiles%\Conhost\Conhost.exe
- 'em####rll.dynu.com':6300
- 'zi####l.hopto.org':6300
- DNS ASK em####rll.dynu.com
- DNS ASK zi####l.hopto.org