Technical Information
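Registry values set (the section heading is missing from this extract). The RunOnce entry starts %TEMP%\vidhdw.exe once at the next logon; 'Start' = '00000002' sets the listed services to automatic start; the FirewallPolicy values suppress firewall notifications and leave exceptions allowed:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'vidhdw' = '%TEMP%\vidhdw.exe'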
- [<HKLM>\SYSTEM\ControlSet001\services\Winmgmt] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\WebClient] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\wuauserv] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\W32Time] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\HTTPFilter] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\CryptSvc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\ose] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
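System security features named by the report (heading missing from this extract; presumably the features the sample blocks or disables):
- User Account Control (UAC)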
- Windows Security Center
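Processes executed (heading missing from this extract). In the cacls.exe command lines, /t recurses, /e edits the existing ACL instead of replacing it, /c continues on access-denied errors, /d denies the named account, /g grants and /r revokes; the net effect is to deny 'users', 'system' and a third principal access to the Windows Defender binaries and resource files. Entries that show conhost.exe with cacls arguments are most likely a logging artifact of the console host attached to each cacls.exe process, and '%USERNAME%s' appears to be the sandbox substituting the account name inside a longer principal name, so detections should key on cacls.exe, the Windows Defender path and the /d switch rather than on that literal token:
- '%TEMP%\vidhdw.exe'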
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=3564
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' /pid=3472
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=3728
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' /pid=1956
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\it-IT\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' /pid=1856
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' /pid=3784
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\nl-NL\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=1904
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '%WINDIR%\regedit.exe' /s "%TEMP%\BtXRdWd6gKQty0Jc8.reg"
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\de-DE\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\fr-FR\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\en-US\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\es-ES\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpOAV.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpOAV.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpRTP.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpOAV.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpEvMsg.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCommu.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpEvMsg.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpEvMsg.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MSASCui.exe" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpSvc.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MSASCui.exe" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=2852
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpRTP.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpRTP.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpSvc.dll" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\MpSvc.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpAsDesc.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender" /t /e /c /r "FFPXOMEV"
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpAsDesc.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpAsDesc.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender" /t /e /c /g %USERNAME%s:f
- '%WINDIR%\regedit.exe' /s "%TEMP%\4mnX2oCwSTpJos5.reg"
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender" /t /e /c /g system:f
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender" /t /e /c /g users:f
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCmdRun.exe" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCmdRun.exe" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCommu.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCommu.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpClient.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpClient.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpCmdRun.exe" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MpClient.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MsMpRes.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=3628
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MsMpRes.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' /pid=3540
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MsMpRes.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=1016
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\conhost.exe' /pid=3120
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-BR\MpEvMsg.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpLics.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpLics.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpRes.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpLics.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpCom.dll" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MSASCui.exe" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\MsMpCom.dll" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpCom.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpAsDesc.dll.mui" /t /e /c /d %USERNAME%s
- '<SYSTEM32>\conhost.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpAsDesc.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpEvMsg.dll.mui" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpEvMsg.dll.mui" /t /e /c /d system
- '<SYSTEM32>\conhost.exe' /pid=4036
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpRes.dll" /t /e /c /d users
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\pt-PT\MpAsDesc.dll.mui" /t /e /c /d system
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\Windows Defender\MsMpRes.dll" /t /e /c /d %USERNAME%s
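File system activity (the sub-headings are missing from this extract, so the two .reg files appear twice, probably once under created files and once under deleted files; the .reg file names look randomly generated and may differ between runs):
- %TEMP%\BtXRdWd6gKQty0Jc8.reg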
- %TEMP%\4mnX2oCwSTpJos5.reg
- %TEMP%\vidhdw.exe
- %TEMP%\BtXRdWd6gKQty0Jc8.reg
- %TEMP%\4mnX2oCwSTpJos5.reg
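Windows looked up by class name (heading missing from this extract; 'Shell_TrayWnd' is the taskbar window class and 'RegEdit_RegEdit' is the Registry Editor main window class):
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'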
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'