Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"<Full path to file>" -mini'
- [<HKLM>\System\CurrentControlSet\Services\dfcvizlf] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\dfcvizlf] 'ImagePath' = '"<Full path to file>" -service'
- '<File name>' "<Full path to file>" -service
- '<SYSTEM32>\net.exe' stop vss
- <Current directory>\log\log-2020-11-16.txt
- 'cp.###fecloud.com':443
- DNS ASK cp.###fecloud.com
- '<SYSTEM32>\wbem\wmic.exe' computersystem set AutomaticManagedPagefile=False
- '<SYSTEM32>\wbem\wmic.exe' pagefileset where name="D:\pagefile.sys" delete
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "disable-computerrestore -drive C:\"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "disable-computerrestore -drive D:\"
- '<SYSTEM32>\net1.exe' stop vss
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f