WINDOWS.EXE – Trojan Delf removal

WINDOWS.EXE size: 282624 bytes
WINDOWS.EXE hash: 004837E51ED876657D3F3C2E50D53A49

Created files:

%SysDir%\windows64\windows.exe
%Temp%\UuU.uUu
%Temp%\XxX.xXx

Autostart registry keys:

HKLM\Software\Microsoft\Active Setup\Installed Components\{3M5O840L-5652-LF0C-0AIK-GK61S328TSBR}\StubPath: %WinDir%\System32\windows64\windows.exe Restart
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00770069006E0064006F0077007300360034005C00770069006E0064006F00770073002E006500780065000000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HKLM: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00770069006E0064006F0077007300360034005C00770069006E0064006F00770073002E006500780065000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00770069006E0064006F0077007300360034005C00770069006E0064006F00770073002E006500780065000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00770069006E0064006F0077007300360034005C00770069006E0064006F00770073002E006500780065000000

Detected by UnHackMe:

WINDOWS.EXE
Default location: %SYSDIR%\WINDOWS64\WINDOWS.EXE

Dropper information:
MD5: 004837e51ed876657d3f3c2e50d53a49
File size: 282624 bytes