Trojan.Siggen18.63260

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\obs studio.lnk
<SYSTEM32>\tasks\ar

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS] 'dLL' = '00000000'
[<HKLM>\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs] 'SCr' = '00000000'
[<HKLM>\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS] 'Cmd' = '00000000'
[<HKLM>\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS] 'eXe' = '00000000'
[<HKLM>\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS] '<DRIVERS>\eTc\hOstS' = '00000000'

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"

Searches for windows to

detect analytical utilities:

ClassName: 'RegmonClass', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''

Modifies file system

Creates the following files

%TEMP%\is-n3mbv.tmp\<File name>.tmp
%TEMP%\aut6671.tmp
%TEMP%\1l5o4l0j.tmp
%TEMP%\aut6660.tmp
%WINDIR%\temp\aut646f.tmp
%WINDIR%\temp\aut645e.tmp
%WINDIR%\temp\1l5o8l4j.tmp
%WINDIR%\temp\aut645d.tmp
%TEMP%\aut58cb.tmp
%TEMP%\aut58bb.tmp
%TEMP%\2x7f8x4p.tmp
%TEMP%\aut585c.tmp
%WINDIR%\temp\aut6b6f.tmp
%TEMP%\aut696e.tmp
%WINDIR%\temp\1x4f6x0p.tmp
%WINDIR%\temp\aut57df.tmp
%WINDIR%\temp\aut52f2.tmp
%WINDIR%\temp\aut52e1.tmp
%WINDIR%\temp\2d1q7s6l.tmp
%WINDIR%\temp\aut5282.tmp
%TEMP%\aut4693.tmp
%TEMP%\aut45f6.tmp
%TEMP%\1t6e9t6u.tmp
%TEMP%\aut45d6.tmp
%WINDIR%\temp\aut4396.tmp
%WINDIR%\temp\aut5810.tmp
%APPDATA%\obs-studio\bin\64bit\is-b1n5o.tmp
%WINDIR%\temp\2y8z2y8h.tmp
%WINDIR%\temp\2m8m3r2t.tmp
%WINDIR%\temp\aut98d5.tmp
%APPDATA%\obs-studio\bin\64bit\.vbs
%APPDATA%\obs-studio\bin\64bit\.cmd
%WINDIR%\temp\aut8c59.tmp
%WINDIR%\temp\aut8beb.tmp
%WINDIR%\temp\1g7t6t8q.tmp
%WINDIR%\temp\aut8bca.tmp
%WINDIR%\temp\aut891e.tmp
%WINDIR%\temp\aut88ee.tmp
%WINDIR%\temp\2l4f8r4s.tmp
%WINDIR%\temp\aut88ce.tmp
%WINDIR%\temp\aut7a30.tmp
%WINDIR%\temp\aut7983.tmp
%WINDIR%\temp\2o8s8f4v.tmp
%WINDIR%\temp\aut7973.tmp
%TEMP%\aut783d.tmp
%TEMP%\aut782c.tmp
%TEMP%\2o9s8f4v.tmp
%TEMP%\aut781c.tmp
%WINDIR%\temp\aut75dc.tmp
%WINDIR%\temp\aut75cc.tmp
%WINDIR%\temp\0slr8m4q.tmp
%WINDIR%\temp\aut75bb.tmp
%WINDIR%\temp\aut6b90.tmp
%WINDIR%\temp\aut4386.tmp
%WINDIR%\temp\aut57ff.tmp
%WINDIR%\temp\8csh8m6x.tmp
%WINDIR%\temp\aut42e9.tmp
%TEMP%\aut3506.tmp
%APPDATA%\obs-studio\bin\64bit\is-6h0a8.tmp
%APPDATA%\obs-studio\bin\64bit\platforms\is-bar12.tmp
%APPDATA%\obs-studio\bin\64bit\imageformats\is-7h3m2.tmp
%APPDATA%\obs-studio\bin\64bit\imageformats\is-brs2n.tmp
%APPDATA%\obs-studio\bin\64bit\imageformats\is-gkgma.tmp
%APPDATA%\obs-studio\bin\64bit\iconengines\is-cbh7s.tmp
C:\tmp\is-46b6e.tmp
%APPDATA%\obs-studio\bin\64bit\is-bdvfd.tmp
%APPDATA%\obs-studio\bin\64bit\is-t2f68.tmp
%APPDATA%\obs-studio\bin\64bit\is-iqbcf.tmp
%APPDATA%\obs-studio\bin\64bit\is-8btco.tmp
%APPDATA%\obs-studio\bin\64bit\is-41igf.tmp
%APPDATA%\obs-studio\bin\64bit\is-gmp52.tmp
%APPDATA%\obs-studio\bin\64bit\is-o9fu6.tmp
%APPDATA%\obs-studio\bin\64bit\is-9frq9.tmp
%APPDATA%\obs-studio\bin\64bit\is-6r0m5.tmp
%APPDATA%\obs-studio\bin\64bit\is-gob5j.tmp
%APPDATA%\obs-studio\bin\64bit\is-juqbu.tmp
%APPDATA%\obs-studio\bin\64bit\is-slhk8.tmp
%APPDATA%\obs-studio\bin\64bit\is-clako.tmp
%TEMP%\is-qu1fg.tmp\_isetup\_shfoldr.dll
%TEMP%\is-qu1fg.tmp\_isetup\_setup64.tmp
%TEMP%\is-vpk2i.tmp\<File name>.tmp
%TEMP%\is-uk07p.tmp\_isetup\_shfoldr.dll
%TEMP%\is-uk07p.tmp\_isetup\_setup64.tmp
%WINDIR%\temp\aut9905.tmp
%WINDIR%\temp\aut6b70.tmp
%APPDATA%\obs-studio\bin\64bit\is-8f4ud.tmp
%APPDATA%\obs-studio\bin\64bit\is-4sjpi.tmp
%APPDATA%\obs-studio\bin\64bit\styles\is-tbeb6.tmp
%TEMP%\aut3479.tmp
%TEMP%\4enc5r8e.tmp
%TEMP%\aut342a.tmp
%TEMP%\is-qu1fg.tmp\temp\.cmd
C:\tmp\.vbs
C:\tmp\.cmd
%APPDATA%\obs-studio\bin\64bit\is-a7h37.tmp
%APPDATA%\obs-studio\bin\64bit\is-st5it.tmp
%APPDATA%\obs-studio\bin\64bit\is-63pct.tmp
%APPDATA%\obs-studio\bin\64bit\is-ntlub.tmp
%APPDATA%\obs-studio\bin\64bit\is-sream.tmp
%APPDATA%\obs-studio\bin\64bit\is-g7u9q.tmp
%APPDATA%\obs-studio\bin\64bit\is-o5dkf.tmp
%APPDATA%\obs-studio\bin\64bit\is-0aiq2.tmp
%APPDATA%\obs-studio\bin\64bit\is-pfjue.tmp
%APPDATA%\obs-studio\bin\64bit\is-1aij5.tmp
%APPDATA%\obs-studio\bin\64bit\is-dso2u.tmp
%APPDATA%\obs-studio\bin\64bit\is-8f6qb.tmp
%APPDATA%\obs-studio\bin\64bit\is-8easm.tmp
C:\tmp\is-t6s86.tmp
%APPDATA%\obs-studio\bin\64bit\is-cgfgi.tmp
%APPDATA%\obs-studio\bin\64bit\is-flraf.tmp
%TEMP%\is-qu1fg.tmp\temp\is-ou07n.tmp
%APPDATA%\obs-studio\bin\64bit\is-od2m7.tmp
%APPDATA%\obs-studio\bin\64bit\is-3s89m.tmp
%WINDIR%\temp\aut9954.tmp

Sets the 'hidden' attribute to the following files

%APPDATA%\obs-studio\bin\64bit\ar.xml
C:\tmp\mainicon.ico
%TEMP%\is-qu1fg.tmp\temp\r.exe
C:\tmp\obs32.dll
%APPDATA%\obs-studio\bin\64bit\obs64.scr
%APPDATA%\obs-studio\bin\64bit\.cmd
%APPDATA%\obs-studio\bin\64bit\.vbs

Deletes the following files

%TEMP%\is-uk07p.tmp\_isetup\_setup64.tmp
%WINDIR%\temp\2o8s8f4v.tmp
%WINDIR%\temp\aut7a30.tmp
%WINDIR%\temp\aut7983.tmp
%WINDIR%\temp\aut7973.tmp
%TEMP%\2o9s8f4v.tmp
%TEMP%\aut783d.tmp
%WINDIR%\temp\aut88ce.tmp
%TEMP%\aut782c.tmp
%WINDIR%\temp\0slr8m4q.tmp
%WINDIR%\temp\aut75dc.tmp
%WINDIR%\temp\aut75cc.tmp
%WINDIR%\temp\aut75bb.tmp
%WINDIR%\temp\2y8z2y8h.tmp
%WINDIR%\temp\aut6b90.tmp
%TEMP%\aut781c.tmp
%WINDIR%\temp\aut9905.tmp
%TEMP%\is-qu1fg.tmp\_isetup\_shfoldr.dll
%WINDIR%\temp\2l4f8r4s.tmp
%TEMP%\is-qu1fg.tmp\_isetup\_setup64.tmp
%TEMP%\is-qu1fg.tmp\temp\r.exe
C:\tmp\obs32.dll
C:\tmp\mainicon.ico
%APPDATA%\obs-studio\bin\64bit\ar.xml
%WINDIR%\temp\2m8m3r2t.tmp
%WINDIR%\temp\aut6b70.tmp
%WINDIR%\temp\aut9954.tmp
%WINDIR%\temp\aut98d5.tmp
%WINDIR%\temp\1g7t6t8q.tmp
%WINDIR%\temp\aut8c59.tmp
%WINDIR%\temp\aut8beb.tmp
%WINDIR%\temp\aut8bca.tmp
%TEMP%\is-qu1fg.tmp\temp\.cmd
%WINDIR%\temp\aut88ee.tmp
%WINDIR%\temp\aut891e.tmp
%WINDIR%\temp\aut6b6f.tmp
%WINDIR%\temp\aut52f2.tmp
%TEMP%\1t6e9t6u.tmp
%TEMP%\aut4693.tmp
%TEMP%\aut45f6.tmp
%TEMP%\aut45d6.tmp
%WINDIR%\temp\8csh8m6x.tmp
%WINDIR%\temp\aut4396.tmp
%WINDIR%\temp\aut5282.tmp
%WINDIR%\temp\aut4386.tmp
%TEMP%\4enc5r8e.tmp
%TEMP%\aut3506.tmp
%TEMP%\aut3479.tmp
%TEMP%\aut342a.tmp
%TEMP%\is-n3mbv.tmp\<File name>.tmp
%TEMP%\is-uk07p.tmp\_isetup\_shfoldr.dll
%WINDIR%\temp\aut42e9.tmp
%TEMP%\aut58cb.tmp
%TEMP%\aut696e.tmp
%WINDIR%\temp\2d1q7s6l.tmp
%TEMP%\aut6671.tmp
%TEMP%\aut6660.tmp
%WINDIR%\temp\1l5o8l4j.tmp
%WINDIR%\temp\aut646f.tmp
%WINDIR%\temp\aut645e.tmp
%WINDIR%\temp\aut645d.tmp
%TEMP%\1l5o4l0j.tmp
%TEMP%\2x7f8x4p.tmp
%TEMP%\aut58bb.tmp
%TEMP%\aut585c.tmp
%WINDIR%\temp\1x4f6x0p.tmp
%WINDIR%\temp\aut5810.tmp
%WINDIR%\temp\aut57ff.tmp
%WINDIR%\temp\aut57df.tmp
%WINDIR%\temp\aut52e1.tmp
%TEMP%\is-vpk2i.tmp\<File name>.tmp

Moves the following files

from %APPDATA%\obs-studio\bin\64bit\is-clako.tmp to %APPDATA%\obs-studio\bin\64bit\libx264-164.dll
from %APPDATA%\obs-studio\bin\64bit\is-3s89m.tmp to %APPDATA%\obs-studio\bin\64bit\libmbedx509.dll
from %APPDATA%\obs-studio\bin\64bit\is-4sjpi.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.dll
from %APPDATA%\obs-studio\bin\64bit\is-od2m7.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-d3d11.pdb
from %TEMP%\is-qu1fg.tmp\temp\is-ou07n.tmp to %TEMP%\is-qu1fg.tmp\temp\r.exe
from %APPDATA%\obs-studio\bin\64bit\is-flraf.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-opengl.dll
from %APPDATA%\obs-studio\bin\64bit\is-cgfgi.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-opengl.pdb
from C:\tmp\is-t6s86.tmp to C:\tmp\obs32.dll
from %APPDATA%\obs-studio\bin\64bit\is-8easm.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-winrt.dll
from %APPDATA%\obs-studio\bin\64bit\is-dso2u.tmp to %APPDATA%\obs-studio\bin\64bit\obs64.scr
from %APPDATA%\obs-studio\bin\64bit\is-st5it.tmp to %APPDATA%\obs-studio\bin\64bit\w32-pthreads.pdb
from %APPDATA%\obs-studio\bin\64bit\is-1aij5.tmp to %APPDATA%\obs-studio\bin\64bit\librist.dll
from %APPDATA%\obs-studio\bin\64bit\is-pfjue.tmp to %APPDATA%\obs-studio\bin\64bit\libsrt.dll
from %APPDATA%\obs-studio\bin\64bit\is-0aiq2.tmp to %APPDATA%\obs-studio\bin\64bit\obsglad.dll
from %APPDATA%\obs-studio\bin\64bit\is-o5dkf.tmp to %APPDATA%\obs-studio\bin\64bit\obsglad.pdb
from %APPDATA%\obs-studio\bin\64bit\is-g7u9q.tmp to %APPDATA%\obs-studio\bin\64bit\qt6xml.dll
from %APPDATA%\obs-studio\bin\64bit\is-sream.tmp to %APPDATA%\obs-studio\bin\64bit\swresample-4.dll
from %APPDATA%\obs-studio\bin\64bit\is-ntlub.tmp to %APPDATA%\obs-studio\bin\64bit\swscale-6.dll
from %APPDATA%\obs-studio\bin\64bit\is-63pct.tmp to %APPDATA%\obs-studio\bin\64bit\w32-pthreads.dll
from %APPDATA%\obs-studio\bin\64bit\is-b1n5o.tmp to %APPDATA%\obs-studio\bin\64bit\libmbedtls.dll
from %APPDATA%\obs-studio\bin\64bit\is-8f6qb.tmp to %APPDATA%\obs-studio\bin\64bit\libobs-winrt.pdb
from %APPDATA%\obs-studio\bin\64bit\is-8f4ud.tmp to %APPDATA%\obs-studio\bin\64bit\libmbedcrypto.dll
from %APPDATA%\obs-studio\bin\64bit\is-8btco.tmp to %APPDATA%\obs-studio\bin\64bit\obs-scripting.pdb
from %APPDATA%\obs-studio\bin\64bit\is-slhk8.tmp to %APPDATA%\obs-studio\bin\64bit\lua51.dll
from %APPDATA%\obs-studio\bin\64bit\is-juqbu.tmp to %APPDATA%\obs-studio\bin\64bit\obs-amf-test.exe
from %APPDATA%\obs-studio\bin\64bit\is-gob5j.tmp to %APPDATA%\obs-studio\bin\64bit\obs-amf-test.pdb
from %APPDATA%\obs-studio\bin\64bit\is-6r0m5.tmp to %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.exe
from %APPDATA%\obs-studio\bin\64bit\is-9frq9.tmp to %APPDATA%\obs-studio\bin\64bit\obs-ffmpeg-mux.pdb
from %APPDATA%\obs-studio\bin\64bit\is-gmp52.tmp to %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.dll
from %APPDATA%\obs-studio\bin\64bit\is-6h0a8.tmp to %APPDATA%\obs-studio\bin\64bit\obs-frontend-api.pdb
from %APPDATA%\obs-studio\bin\64bit\is-41igf.tmp to %APPDATA%\obs-studio\bin\64bit\obs-scripting.dll
from %APPDATA%\obs-studio\bin\64bit\is-iqbcf.tmp to %APPDATA%\obs-studio\bin\64bit\ar.xml
from %APPDATA%\obs-studio\bin\64bit\styles\is-tbeb6.tmp to %APPDATA%\obs-studio\bin\64bit\styles\qwindowsvistastyle.dll
from %APPDATA%\obs-studio\bin\64bit\is-t2f68.tmp to %APPDATA%\obs-studio\bin\64bit\obs.pdb
from %APPDATA%\obs-studio\bin\64bit\is-bdvfd.tmp to %APPDATA%\obs-studio\bin\64bit\obs64.pdb
from C:\tmp\is-46b6e.tmp to C:\tmp\mainicon.ico
from %APPDATA%\obs-studio\bin\64bit\iconengines\is-cbh7s.tmp to %APPDATA%\obs-studio\bin\64bit\iconengines\qsvgicon.dll
from %APPDATA%\obs-studio\bin\64bit\imageformats\is-gkgma.tmp to %APPDATA%\obs-studio\bin\64bit\imageformats\qgif.dll
from %APPDATA%\obs-studio\bin\64bit\imageformats\is-brs2n.tmp to %APPDATA%\obs-studio\bin\64bit\imageformats\qjpeg.dll
from %APPDATA%\obs-studio\bin\64bit\imageformats\is-7h3m2.tmp to %APPDATA%\obs-studio\bin\64bit\imageformats\qsvg.dll
from %APPDATA%\obs-studio\bin\64bit\platforms\is-bar12.tmp to %APPDATA%\obs-studio\bin\64bit\platforms\qwindows.dll
from %APPDATA%\obs-studio\bin\64bit\is-o9fu6.tmp to %APPDATA%\obs-studio\bin\64bit\libcurl.dll
from %APPDATA%\obs-studio\bin\64bit\is-a7h37.tmp to %APPDATA%\obs-studio\bin\64bit\zlib.dll

Substitutes the following files

%TEMP%\is-qu1fg.tmp\temp\.cmd

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''
ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''
ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''

Creates and executes the following

'%TEMP%\is-n3mbv.tmp\<File name>.tmp' /SL5="$11022C,14041309,160256,<Full path to file>"
'%APPDATA%\obs-studio\bin\64bit\obs64.scr'
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /sW:0 reG.eXe add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /sw:0 reg.eXe add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /sW:0 reG.eXe add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /sw:0 reg.eXe add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /Sw:0 reg.eXe Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
'%TEMP%\is-qu1fg.tmp\temp\r.exe' /TI/ /Sw:0 reg.eXe Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
'%TEMP%\is-vpk2i.tmp\<File name>.tmp' /SL5="$C021E,14041309,160256,<Full path to file>" /verysilent /sp-
'<SYSTEM32>\reg.exe' Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f' (with hidden window)
'<SYSTEM32>\reg.exe' Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F' (with hidden window)
'<SYSTEM32>\reg.exe' Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-QU1FG.tmp\temp\.cmd""' (with hidden window)
'%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby' (with hidden window)
'%WINDIR%\syswow64\taskkill.exe' /f /im "obs64.scr"' (with hidden window)
'<SYSTEM32>\reg.exe' add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f' (with hidden window)
'<SYSTEM32>\reg.exe' add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F' (with hidden window)
'<Full path to file>' /verysilent /sp-' (with hidden window)
'%APPDATA%\obs-studio\bin\64bit\obs64.scr' ' (with hidden window)

Executes the following

'%WINDIR%\syswow64\rundll32.exe' C:\tmp\obs32.dll, Uaby
'<SYSTEM32>\rundll32.exe' C:\tmp\obs32.dll, Uaby
'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-QU1FG.tmp\temp\.cmd""
'<SYSTEM32>\reg.exe' Add "hkLM\SOFtWare\mICrosoFt\WindowS deFender\excluSionS\eXTeNsIonS" /v dLL /T reg_dWOrd /d 0 /F
'<SYSTEM32>\reg.exe' add "hKLM\sOfTWAre\MiCrOSofT\WINdOWs deFender\eXCLuSIONS\extenSiONs" /v SCr /t reg_dWord /d 0 /f
'<SYSTEM32>\reg.exe' add "hklm\SOFTWare\micrOsOfT\WIndOWS defeNder\excLUsions\exTensiOnS" /v Cmd /T reg_dwOrd /d 0 /F
'<SYSTEM32>\reg.exe' Add "hklm\SOFTwAre\MIcroSoFT\windOWs deFeNder\exClusIOnS\eXtenSiOnS" /v eXe /T reg_dWord /d 0 /f
'<SYSTEM32>\reg.exe' Add "hKlm\SOFTware\microSofT\WindOwS deFender\eXCluSIONS\pAThS" /V "<DRIVERS>\eTc\hOstS" /t "reG_dWOrd" /d "0" /F
'%WINDIR%\syswow64\cmd.exe' /c cUrL -s ipINFO.io/Ip
'%WINDIR%\syswow64\cmd.exe' /c cuRL -s IPINfo.Io/city
'%WINDIR%\syswow64\cmd.exe' /c cUrl -s IPiNfo.io/country
'%WINDIR%\syswow64\attrib.exe' +s +H %APPDATA%\obs-studio\bin\64bit\.cmD
'%WINDIR%\syswow64\attrib.exe' +s +h %APPDATA%\obs-studio\bin\64bit\.vbs

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial