Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"<Full path to file>" -mini'
- [<HKLM>\System\CurrentControlSet\Services\kaoy] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\kaoy] 'ImagePath' = '"<Full path to file>" -service'
- '<File name>' "<Full path to file>" -service
- '%WINDIR%\syswow64\net.exe' stop vss
- <Current directory>\log\log-2020-11-16.txt
- 'cp.###fecloud.com':443
- DNS ASK cp.###fecloud.com
- '%WINDIR%\syswow64\wbem\wmic.exe' computersystem set AutomaticManagedPagefile=False
- '%WINDIR%\syswow64\wbem\wmic.exe' pagefileset where name="D:\pagefile.sys" delete
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "disable-computerrestore -drive C:\"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "disable-computerrestore -drive D:\"
- '%WINDIR%\syswow64\net1.exe' stop vss
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f