Technical Information
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"<Current directory>\dwm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"%ProgramFiles%\vrrw32\dwm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%WINDIR%\Cursors\System.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%ProgramFiles%\Windows Defender\en-US\System.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"C:\totalcmd\LANGUAGE\services.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\Users\Default\NetHood\csrss.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Users\Default\Application Data\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\MSOCache\All Users\wininit.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'mdm' = '"C:\sessionsvc\mdm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'WUDFHost' = '"C:\Far2\Plugins\EMenu\WUDFHost.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe", "C:\Documents and Settings\csrss.exe", "C:\Rec...
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe", "C:\Documents and Settings\csrss.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\Documents and Settings\csrss.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'WUDFHost' = '"<SYSTEM32>\fi-FI\WUDFHost.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\sessionsvc\iexplore.exe"'
- <SYSTEM32>\tasks\nofywinlogon
- <SYSTEM32>\tasks\dk7ewininit
- <SYSTEM32>\tasks\bgdgiexplore
- <SYSTEM32>\tasks\oag8iexplore
- <SYSTEM32>\tasks\b1mxcsrss
- <SYSTEM32>\tasks\7tyfsystem
- <SYSTEM32>\tasks\sx3gsystem
- <SYSTEM32>\tasks\1hytservices
- <SYSTEM32>\tasks\lxrssystem
- <SYSTEM32>\tasks\2hkqwudfhost
- <SYSTEM32>\tasks\kts4system
- <SYSTEM32>\tasks\dklvsystem
- <SYSTEM32>\tasks\fia2dwm
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\3o3hdwm
- <SYSTEM32>\tasks\cxwadwm
- <SYSTEM32>\tasks\fwfusystem
- <SYSTEM32>\tasks\r8pfsystem
- <SYSTEM32>\tasks\ozo2dwm
- <SYSTEM32>\tasks\4xdldwm
- <SYSTEM32>\tasks\0arnwudfhost
- <SYSTEM32>\tasks\4lc7wudfhost
- <SYSTEM32>\tasks\fheyiexplore
- <SYSTEM32>\tasks\dtuoservices
- <SYSTEM32>\tasks\rdj5mdm
- <SYSTEM32>\tasks\x0gicsrss
- <SYSTEM32>\tasks\h2ccmdm
- <SYSTEM32>\tasks\iiehiexplore
- <SYSTEM32>\tasks\pb7awinlogon
- <SYSTEM32>\tasks\winlogon
- <SYSTEM32>\tasks\system
- <SYSTEM32>\tasks\vnulcsrss
- <SYSTEM32>\tasks\h7zewudfhost
- <SYSTEM32>\tasks\csrss
- <SYSTEM32>\tasks\ozhycsrss
- <SYSTEM32>\tasks\hyvasystem
- <SYSTEM32>\tasks\liinsystem
- <SYSTEM32>\tasks\j3ndwudfhost
- <SYSTEM32>\tasks\oibeiexplore
- <SYSTEM32>\tasks\bugidwm
- <SYSTEM32>\tasks\tjdecsrss
- <SYSTEM32>\tasks\auziwininit
- <SYSTEM32>\tasks\mdm
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\wudfhost
- <SYSTEM32>\tasks\xycscsrss
- <SYSTEM32>\tasks\qhltwudfhost
- <SYSTEM32>\tasks\services
- <SYSTEM32>\tasks\4urswininit
- <SYSTEM32>\tasks\tvbgservices
- <SYSTEM32>\tasks\ggrswinlogon
- <SYSTEM32>\tasks\nyndmdm
- <SYSTEM32>\tasks\in34iexplore
- %TEMP%\chromehandler.exe
- C:\totalcmd\language\services.exe
- C:\totalcmd\language\c5b4cb5e9653cc
- %ProgramFiles%\windows defender\en-us\system.exe
- %ProgramFiles%\windows defender\en-us\27d1bcfc3c54e0
- %WINDIR%\cursors\system.exe
- %WINDIR%\cursors\27d1bcfc3c54e0
- %ProgramFiles%\vrrw32\dwm.exe
- %ProgramFiles%\vrrw32\6cb0b6c459d5d3
- <Current directory>\dwm.exe
- <Current directory>\6cb0b6c459d5d3
- <SYSTEM32>\fi-fi\wudfhost.exe
- <SYSTEM32>\fi-fi\480b7989c529f6
- C:\sessionsvc\iexplore.exe
- C:\sessionsvc\9db6e019d4f04e
- %TEMP%\mipps95oox
- C:\users\default\nethood\886983d96e3d3e
- %TEMP%\ytd0ykszbm.bat
- C:\users\default\nethood\csrss.exe
- C:\users\default\application data\iexplore.exe
- C:\sessionsvc\ots6ykizlnmutbygo43dr8.bat
- C:\sessionsvc\sessionsvcdriverdhcp.exe
- C:\sessionsvc\n3lhv6uqfhthgofz1o.vbe
- %ProgramFiles(x86)%\windows defender\en-us\winlogon.exe
- %ProgramFiles(x86)%\windows defender\en-us\cc11b995f2a76d
- C:\documents and settings\csrss.exe
- C:\documents and settings\886983d96e3d3e
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\system.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\27d1bcfc3c54e0
- C:\far2\plugins\emenu\wudfhost.exe
- C:\far2\plugins\emenu\480b7989c529f6
- C:\sessionsvc\mdm.exe
- C:\sessionsvc\559fba5f8e4410
- C:\msocache\all users\wininit.exe
- C:\msocache\all users\56085415360792
- C:\users\default\application data\9db6e019d4f04e
- nul
- %TEMP%\mipps95oox
- '18#.#20.235.237':80
- http://18#.#20.235.237/Vm2Javascript/24/0Dump2Voiddb/mariadbprocessor/mariadbCentral/5api/javascriptmulti/4/locallowtraffic/Generator/Linuxupdatesql/Traffichttp/geoflowerpublicdownloads.php?q3#...
- http://18#.#20.235.237/Vm2Javascript/24/0Dump2Voiddb/mariadbprocessor/mariadbCentral/5api/javascriptmulti/4/locallowtraffic/Generator/Linuxupdatesql/Traffichttp/geoflowerpublicdownloads.php?j8#...
- 'localhost':123
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\chromehandler.exe'
- '%WINDIR%\syswow64\wscript.exe' "C:\sessionsvc\n3lHv6UqfHthgOFZ1O.vbe"
- 'C:\sessionsvc\sessionsvcdriverdhcp.exe'
- '%ProgramFiles%\windows defender\en-us\system.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\sessionsvc\OTS6ykizlNMUTbYgo43Dr8.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\YTd0ykSzBm.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\sessionsvc\OTS6ykizlNMUTbYgo43Dr8.bat" "
- '<SYSTEM32>\schtasks.exe' /create /tn "DtUoservices" /sc MINUTE /mo 14 /tr "'C:\totalcmd\LANGUAGE\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "TvBgservices" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "1HyTservices" /sc ONSTART /tr "'C:\totalcmd\LANGUAGE\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc MINUTE /mo 9 /tr "'C:\totalcmd\LANGUAGE\services.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "sX3GSystem" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lxrSSystem" /sc ONLOGON /tr "'%ProgramFiles%\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "FwFUSystem" /sc ONSTART /tr "'%ProgramFiles%\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\Windows Defender\en-US\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "r8pFSystem" /sc MINUTE /mo 10 /tr "'%WINDIR%\Cursors\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "7tyfSystem" /sc ONLOGON /tr "'%WINDIR%\Cursors\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "kTS4System" /sc ONSTART /tr "'%WINDIR%\Cursors\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc MINUTE /mo 10 /tr "'%WINDIR%\Cursors\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "FIA2dwm" /sc MINUTE /mo 10 /tr "'%ProgramFiles%\vrrw32\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "4Xdldwm" /sc ONSTART /tr "'%ProgramFiles%\vrrw32\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\YTd0ykSzBm.bat"
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc MINUTE /mo 11 /tr "'%ProgramFiles%\vrrw32\dwm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "bugIdwm" /sc MINUTE /mo 10 /tr "'<Current directory>\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "3o3Hdwm" /sc ONLOGON /tr "'<Current directory>\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "cxWAdwm" /sc ONSTART /tr "'<Current directory>\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc MINUTE /mo 7 /tr "'<Current directory>\dwm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "4lC7WUDFHost" /sc MINUTE /mo 12 /tr "'<SYSTEM32>\fi-FI\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "2HKQWUDFHost" /sc ONLOGON /tr "'<SYSTEM32>\fi-FI\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "0ARnWUDFHost" /sc ONSTART /tr "'<SYSTEM32>\fi-FI\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc MINUTE /mo 6 /tr "'<SYSTEM32>\fi-FI\WUDFHost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "fhEyiexplore" /sc MINUTE /mo 12 /tr "'C:\sessionsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iN34iexplore" /sc ONLOGON /tr "'C:\sessionsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "oibeiexplore" /sc ONSTART /tr "'C:\sessionsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 7 /tr "'C:\sessionsvc\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Ozo2dwm" /sc ONLOGON /tr "'%ProgramFiles%\vrrw32\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "b1mXcsrss" /sc ONSTART /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "j3NDWUDFHost" /sc ONLOGON /tr "'C:\Far2\Plugins\EMenu\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "ggRswinlogon" /sc MINUTE /mo 5 /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "NOFywinlogon" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "PB7Awinlogon" /sc ONSTART /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc MINUTE /mo 11 /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\winlogon.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "ozHycsrss" /sc MINUTE /mo 14 /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "tJdEcsrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "vnuLcsrss" /sc ONSTART /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "DklVSystem" /sc MINUTE /mo 9 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "hYvASystem" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "LiiNSystem" /sc ONSTART /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc MINUTE /mo 5 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "H7zEWUDFHost" /sc MINUTE /mo 6 /tr "'C:\Far2\Plugins\EMenu\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "qhLTWUDFHost" /sc ONSTART /tr "'C:\Far2\Plugins\EMenu\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "X0Gicsrss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc MINUTE /mo 12 /tr "'C:\Far2\Plugins\EMenu\WUDFHost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "RdJ5mdm" /sc MINUTE /mo 8 /tr "'C:\sessionsvc\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "nYndmdm" /sc ONLOGON /tr "'C:\sessionsvc\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "H2Ccmdm" /sc ONSTART /tr "'C:\sessionsvc\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdm" /sc MINUTE /mo 5 /tr "'C:\sessionsvc\mdm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "4URswininit" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "aUzIwininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dK7Ewininit" /sc ONSTART /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "oaG8iexplore" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iieHiexplore" /sc ONLOGON /tr "'C:\Users\Default\Application Data\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "bgDgiexplore" /sc ONSTART /tr "'C:\Users\Default\Application Data\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "xYCscsrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2