Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Extension_Service' = '"%APPDATA%\ServiceApp.exe" -b'
- User Account Control (UAC)
- %APPDATA%\pzip.dll
- %APPDATA%\serviceapp.exe
- from %ProgramFiles%\google\update\googleupdate.exe to %ProgramFiles%\google\update\googleupdate.exe_
- from %ProgramFiles%\google\update\1.3.28.1\googleupdate.exe to %ProgramFiles%\google\update\1.3.28.1\googleupdate.exe_
- from %ProgramFiles%\opera\31.0.1889.174\opera_autoupdate.exe to %ProgramFiles%\opera\31.0.1889.174\opera_autoupdate.exe_
- from %ProgramFiles%\opera\35.0.2066.92\opera_autoupdate.exe to %ProgramFiles%\opera\35.0.2066.92\opera_autoupdate.exe_
- DNS ASK google.com
- ClassName: 'AutoHotkey' WindowName: '<Full path to file>'
- ClassName: 'AutoHotkey' WindowName: '%APPDATA%\ServiceApp.exe'
- '%APPDATA%\serviceapp.exe' -b
- '<SYSTEM32>\sc.exe' stop windefend (with hidden window)
- '<SYSTEM32>\sc.exe' delete windefend (with hidden window)
- '<SYSTEM32>\sc.exe' stop windefend
- '<SYSTEM32>\sc.exe' delete windefend