eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
35s
max time network
37s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AIDS_NT.exe
Size

924KB
MD5

14eefb80a0813abbf8710387a5383f08
SHA1

d3fa355cc1d184be20b441143fa34e4ae1a4bdb2
SHA256

61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00
SHA512

a3174a80c47a02b6deed6eb390a999fa486f7a4cda7ab614d93589f614a60ba500aa8f42346e80cc53b7e1a5af0f0e515e4b014d23e5af90fabeae504f43f130
SSDEEP

12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

Score

10^/10

evasion persistence ransomware upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\AIDS_NT_Instructions.txt, C:\\Windows\\aids.bat, C:\\Windows\\42.exe, C:\\Windows\\1.bat"	reg.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1696-131-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Blocks application from running via registry modification 64 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "CCleaner.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\67 = "TOTALCMD32.EXE"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\77 = "7zFM.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "msconfig.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\113 = "opera_autoupdate.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\88 = "egui.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "CCleaner32.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\80 = "WinRAR.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\35 = "MfeAVSvc.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\49 = "uTorrent.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\102 = "AvastBrowserCrashHandler64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\60 = "MBAMService.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\72 = "DiscoverySrv.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "CCleaner86.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\121 = "cmd.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "VirtualBox.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\34 = "McUICnt.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\37 = "mfevtps.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\115 = "MicrosoftEdge.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\84 = "bdagent.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "perfmon.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\39 = "ModuleCoreService.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\48 = "spideragent.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\116 = "MicrosoftEdgeCP.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1252 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

nircmd.exe

pid process

1696 nircmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1160 cmd.exe
1160 cmd.exe

pid	process
1252	attrib.exe

pid	process
1696	nircmd.exe

pid	process
1160	cmd.exe
1160	cmd.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe	upx
C:\Windows\42.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
C:\Windows\nircmd.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
behavioral5/memory/1696-131-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe

Drops file in Windows directory 12 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\1.jpg	cmd.exe
File created	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File opened for modification	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File created	C:\Windows\nircmd.exe	cmd.exe
File created	C:\Windows\aids.bat	cmd.exe
File created	C:\Windows\1.bat	cmd.exe
File opened for modification	C:\Windows\1.bat	cmd.exe
File opened for modification	C:\Windows\42.exe	cmd.exe
File opened for modification	C:\Windows\aids.bat	cmd.exe
File created	C:\Windows\42.exe	cmd.exe
File created	C:\Windows\1.jpg	cmd.exe
File opened for modification	C:\Windows\nircmd.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dmgfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\allfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gzfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pdffile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\001file\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csvfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\001file\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cppfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\csvfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cabfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xlsxfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csvfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\afile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\afile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\001file\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\slnfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gzfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pptfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jsfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AIDS_NT.exeshutdown.exe

description	pid	process
Token: SeSecurityPrivilege	1444	AIDS_NT.exe
Token: SeRestorePrivilege	1444	AIDS_NT.exe
Token: SeShutdownPrivilege	2032	shutdown.exe
Token: SeRemoteShutdownPrivilege	2032	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AIDS_NT.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1444 wrote to memory of 1504	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1504	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1504	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1504	1444	AIDS_NT.exe	cmd.exe
PID 1504 wrote to memory of 952	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 952	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 952	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 952	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1912	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1912	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1912	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1912	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1844	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1844	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1844	1504	cmd.exe	reg.exe
PID 1504 wrote to memory of 1844	1504	cmd.exe	reg.exe
PID 1444 wrote to memory of 1160	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1160	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1160	1444	AIDS_NT.exe	cmd.exe
PID 1444 wrote to memory of 1160	1444	AIDS_NT.exe	cmd.exe
PID 1160 wrote to memory of 1696	1160	cmd.exe	nircmd.exe
PID 1160 wrote to memory of 1696	1160	cmd.exe	nircmd.exe
PID 1160 wrote to memory of 1696	1160	cmd.exe	nircmd.exe
PID 1160 wrote to memory of 1696	1160	cmd.exe	nircmd.exe
PID 1160 wrote to memory of 1252	1160	cmd.exe	attrib.exe
PID 1160 wrote to memory of 1252	1160	cmd.exe	attrib.exe
PID 1160 wrote to memory of 1252	1160	cmd.exe	attrib.exe
PID 1160 wrote to memory of 1252	1160	cmd.exe	attrib.exe
PID 1160 wrote to memory of 1936	1160	cmd.exe	net.exe
PID 1160 wrote to memory of 1936	1160	cmd.exe	net.exe
PID 1160 wrote to memory of 1936	1160	cmd.exe	net.exe
PID 1160 wrote to memory of 1936	1160	cmd.exe	net.exe
PID 1936 wrote to memory of 1700	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1700	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1700	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1700	1936	net.exe	net1.exe
PID 1160 wrote to memory of 1840	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1840	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1840	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1840	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 916	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 916	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 916	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 916	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1076	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1076	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1076	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1076	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 932	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 932	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 932	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 932	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1040	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1040	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1040	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1040	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 844	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 844	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 844	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 844	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 900	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 900	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 900	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 900	1160	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1252 attrib.exe

pid	process
1252	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe
"C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell
    3⤵
    - Modifies WinLogon for persistence
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell /d "explorer.exe, C:\Windows\AIDS_NT_Instructions.txt, C:\Windows\aids.bat, C:\Windows\42.exe, C:\Windows\1.bat"
    3⤵
    - Modifies WinLogon for persistence
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe
    nircmd win hide title "C:\Windows\system32\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\PkgMgr.bat +h +s +a +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1252
- - C:\Windows\SysWOW64\net.exe
    net user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
      4⤵
      PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v HideFastUserSwitching /t REG_DWORD /d "1"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "DisallowRun" /t REG_DWORD /d "1"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "msmpeng.exe" /f
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "msdt.exe" /f
    3⤵
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "ProcessHacker.exe" /f
    3⤵
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "spideragent.exe " /f
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "SbieSvc.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:432
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "SearchUI.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:1572
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "AvastSvc.exe" /f
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "AvastUI.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "chrome.exe" /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "VirtualBox.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "CCleaner64.exe" /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "CCleaner32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "CCleaner86.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "CCleaner.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:664
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "taskmgr.exe" /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "opera.exe" /f
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "iexplore.exe" /f
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "perfmon.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "SecurityHealthSystray.exe" /f
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "rstrui.exe" /f
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "mcapexe.exe" /f
    3⤵
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "McCSPServiceHost.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:1780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "McInstruTrack.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:540
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "McPvTray.exe " /f
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "mcshield.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "McUICnt.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "MfeAVSvc.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "mfefire.exe " /f
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "mfevtps.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "MMSSHOST.exe " /f
    3⤵
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "control.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "avp.exe " /f
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "avpui.exe " /f
    3⤵
    PID:676
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "kav.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "vmware.exe" /f
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "msinfo32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "RecoveryDrive.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "spideragent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "uTorrent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "firefox.exe" /f
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1504
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "resmon.exe" /f
    3⤵
    PID:884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "Defender.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "54" /t REG_SZ /d "DefenderDaemon.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "55" /t REG_SZ /d "mbam.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "56" /t REG_SZ /d "mbamtray.exe" /f
    3⤵
    PID:548
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "57" /t REG_SZ /d "MBAMWsc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "58" /t REG_SZ /d "mbuns.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "59" /t REG_SZ /d "MbamPt.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "60" /t REG_SZ /d "MBAMService.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "61" /t REG_SZ /d "assistant.exe" /f
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "62" /t REG_SZ /d "malwarebytes_assistant.exe" /f
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "63" /t REG_SZ /d "ig.exe" /f
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "64" /t REG_SZ /d "browser.exe" /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "66" /t REG_SZ /d "TOTALCMD64.EXE" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "67" /t REG_SZ /d "TOTALCMD32.EXE" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "68" /t REG_SZ /d "TOTALCMD86.EXE" /f
    3⤵
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "69" /t REG_SZ /d "WatchDog.exe" /f
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "70" /t REG_SZ /d "ProductAgentUI.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "71" /t REG_SZ /d "ProductAgentService.exe" /f
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "72" /t REG_SZ /d "DiscoverySrv.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "73" /t REG_SZ /d "BDSubWiz.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "74" /t REG_SZ /d "bdreinit.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "75" /t REG_SZ /d "agentpackage.exe" /f
    3⤵
    PID:292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "76" /t REG_SZ /d "setuppackage.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "77" /t REG_SZ /d "7zFM.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1764
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "78" /t REG_SZ /d "procexp64.exe" /f
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "79" /t REG_SZ /d "procexp.exe" /f
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "80" /t REG_SZ /d "WinRAR.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:804
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "81" /t REG_SZ /d "BdVpnService.exe " /f
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "82" /t REG_SZ /d "BdVpnApp.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:872
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "83" /t REG_SZ /d "bdservicehost.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "84" /t REG_SZ /d "bdagent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "85" /t REG_SZ /d "bdredline.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:484
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "86" /t REG_SZ /d "ekrn.exe " /f
    3⤵
    PID:928
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "87" /t REG_SZ /d "eguiProxy.exe" /f
    3⤵
    PID:472
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "88" /t REG_SZ /d "egui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "89" /t REG_SZ /d "AvastNM.exe" /f
    3⤵
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "90" /t REG_SZ /d "AVGBrowserCrashHandler.exe" /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "91" /t REG_SZ /d "AVGBrowserCrashHandler64.exe" /f
    3⤵
    PID:524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "92" /t REG_SZ /d "AVGUI.exe" /f
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "93" /t REG_SZ /d "AVGSvc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "94" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "95" /t REG_SZ /d "wsc_proxy.exe" /f
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "96" /t REG_SZ /d "am807.exe" /f
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "98" /t REG_SZ /d "chemax.exe" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "99" /t REG_SZ /d "Cheat Engine.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "100" /t REG_SZ /d "aswidsagent.exe" /f
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "101" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "102" /t REG_SZ /d "AvastBrowserCrashHandler64.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "103" /t REG_SZ /d "AvastBrowserCrashHandler32.exe" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "104" /t REG_SZ /d "AvastBrowserCrashHandler86.exe" /f
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "105" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "106" /t REG_SZ /d "msdt.exe" /f
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f
    3⤵
    PID:340
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "108" /t REG_SZ /d "msiexec.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "109" /t REG_SZ /d "msseces.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "110" /t REG_SZ /d "control.exe" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "111" /t REG_SZ /d "mmc.exe" /f
    3⤵
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "112" /t REG_SZ /d "opera_crashreporter.exe" /f
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "113" /t REG_SZ /d "opera_autoupdate.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "114" /t REG_SZ /d "opera.exe" /f
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "116" /t REG_SZ /d "MicrosoftEdgeCP.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "117" /t REG_SZ /d "MicrosoftEdgeSH.exe" /f
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "118" /t REG_SZ /d "launcher.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "119" /t REG_SZ /d "regedit.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp3file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp4file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    - Modifies registry class
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pngfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\icofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pdffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\csvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\hfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cppfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\oggfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\avifile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\isofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:848
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\zipfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\rarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pptfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mkvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1392
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpegfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tiffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dmgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\slnfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\7zfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\afile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\aafile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\001file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\allfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\binfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\asmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\svgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\gzfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cabfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cfgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\comfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\ctfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\curfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dllfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmlfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wshfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\vbsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\logfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wsffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d "1" /f
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d "67108863" /f
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d "1" /f
    3⤵
    PID:340
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d "1" /f
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d "1" /f
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v RestrictToPermittedSnapins /t REG_DWORD /d "1" /f
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "121" /t REG_SZ /d "cmd.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "120" /t REG_SZ /d "powershell.exe" /f
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v "DisableRegistryTools" /d "1" /f
    3⤵
    - Disables RegEdit via registry modification
    PID:1636
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 20
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
848B

MD5
e59c7d9f080b068e3118e81385f467e7

SHA1
78ea57d55558847121cb70367d10dc9c6e833a26

SHA256
5c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f

SHA512
b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe

Filesize
27KB

MD5
daf9159a8fbc9510e9dc380c2cae924d

SHA1
5e1bf2dbe567ffc04c194b31de4f4e15c630cae5

SHA256
43118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f

SHA512
88b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00

Filesize
28KB

MD5
067ab27355743f95929213e08bc60ebb

SHA1
376436cef2b119a75cf29500e3efb37061b0fa16

SHA256
e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441

SHA512
97add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00

Filesize
28KB

MD5
067ab27355743f95929213e08bc60ebb

SHA1
376436cef2b119a75cf29500e3efb37061b0fa16

SHA256
e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441

SHA512
97add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat

Filesize
28KB

MD5
fed4789f3fbd52e720ae7234600d5652

SHA1
273db24c6044f936359bdd272eb14c0fb2f6e117

SHA256
03dfd466366ffbe32e9e487cdc2136c62b4b4f57c365e255ef8e0c36991fb8b0

SHA512
ff2dc7069ea16bea767b1f9f6efa60b15cef3573a8de5e92d4766646e030f3db89fb4789cf51526b7d10d6d03b1348748d1f7c1162f7382e943261102f6d0435

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.00

Filesize
344KB

MD5
9311b831777f14f7c81af8cb67259a3b

SHA1
8178284b89f5429f4ab6143a652944da563124c2

SHA256
1479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707

SHA512
86d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.01

Filesize
2KB

MD5
0f92fcbacb68fb014cfa248c31448e6b

SHA1
64d5dea54df6a03490849d04a174a7e8d690ebb4

SHA256
8b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049

SHA512
10f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
1KB

MD5
9492f33971cfd6b77484342e42097731

SHA1
6cce167289894928d4bc6da2e263a354cbe2b174

SHA256
2f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4

SHA512
c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
1KB

MD5
9492f33971cfd6b77484342e42097731

SHA1
6cce167289894928d4bc6da2e263a354cbe2b174

SHA256
2f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4

SHA512
c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc

Download Submit
C:\Windows\1.bat

Filesize
848B

MD5
e59c7d9f080b068e3118e81385f467e7

SHA1
78ea57d55558847121cb70367d10dc9c6e833a26

SHA256
5c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f

SHA512
b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475

Download Submit
C:\Windows\1.jpg

Filesize
344KB

MD5
9311b831777f14f7c81af8cb67259a3b

SHA1
8178284b89f5429f4ab6143a652944da563124c2

SHA256
1479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707

SHA512
86d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4

Download Submit
C:\Windows\42.exe

Filesize
27KB

MD5
daf9159a8fbc9510e9dc380c2cae924d

SHA1
5e1bf2dbe567ffc04c194b31de4f4e15c630cae5

SHA256
43118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f

SHA512
88b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8

Download Submit
C:\Windows\AIDS_NT_Instructions.txt

Filesize
2KB

MD5
0f92fcbacb68fb014cfa248c31448e6b

SHA1
64d5dea54df6a03490849d04a174a7e8d690ebb4

SHA256
8b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049

SHA512
10f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b

Download Submit
C:\Windows\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
memory/900-138-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1160-134-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/1684-137-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1696-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads