Техническая информация
- Запись автозапуска в реестре: [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'Client Monitor' = 'cmd /c "start "Client Monitor" "%ProgramFiles(x86)%\Defender \Windows.exe"'
- Файл задания планировщика: <SYSTEM32>\tasks\client monitor
- %WINDIR%\syswow64\reg.exe
- iexplore.exe
- %APPDATA%\monitor\screenshots\03-21-2020\6.03 pm
- Перемещает файл из <Полный путь к файлу> в %ProgramFiles(x86)%\defender\windows.exe
- Подключается к 'ss####r.duckdns.org':9090
- DNS ASK ss####r.duckdns.org
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """%ProgramFiles(x86)%\Defender \Windows.exe"""" /f /reg:64' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'%ProgramFiles(x86)%\Defender \Windows.exe' /startup" /f' (со скрытым окном)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """%ProgramFiles(x86)%\Defender \Windows.exe"""" /f /reg:64
- '%WINDIR%\syswow64\schtasks.exe' /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'%ProgramFiles(x86)%\Defender \Windows.exe' /startup" /f