Add to startup on various versions of Windows

[mvrozanti]

This issue is dedicated to show what circumstances cause a specific version, architecture and/or AV to not add the RAT to the startup. This is where to post it.

I've not seen anybody complain but I just had it happen to me on Win7 after installing, uninstalling (/self_destruct) and trying to install again.

Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SharedTools\MSConfig\startupfolder worked but that's HKLM.

[X3eRo0]

I have tried the rat on various OS like 7, 10, and 8 as well for 7 I had build 7601 and for 10 10586 both 32bit and 64bit. I didn't faced this problem. There are 6 VMs running different Windows OS but there was no problem in Adding RAT to startup folder. I didn't checked if it is effected by different antiviruses. Can you tell which build of win7 are you testing it on?

[mvrozanti]

@PulkitSingh256 I'm on a VM using Version 6.1.7601 SP1. Old service pack?

[X3eRo0]

I am also using VM windows 7 build 7601 of both 32bit and 64bit. I didn't faced this issue. My question is to you that tell me more about your VM what antivirus you are running which Architecture 32bit or 64bit to reproduce the issue. It definitely is not a bug in the code. Please help us reproduce the issue and then we can debug it.

See if it happens with running python script like python rat_attack.py or is it only with exe

[mvrozanti]

I see what happens now. I didn't actually use /self_destruct the first time. I disabled the startup checkbox on msconfig. That's what's messing up with adding to startup, I think. I'm going to try and see if I can write to registry on that key to prevent changes

[ghost]

yes if you disable it from startup in task mgr it can't add again to start up . and after end exe task it stop forever

[mvrozanti]

@dudeisbrendan03 "add to startup" should be a required freature. I wonder if we can test it with Travis.

[dudeisbrendan03]

You can create shortcuts to applications in a user-owned folder for apps to start when that user signs in. You could evaluate if you have admin perms and then you can either: set up to start w/ windows or if you aren't elevated create a shortcut in the users 'sign-in' folder.