File name:

AIDS_NT.exe

Full analysis: https://app.any.run/tasks/354cca04-def4-419c-9231-1637366f5df8
Verdict: Malicious activity
Analysis date: March 24, 2025, 16:38:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

14EEFB80A0813ABBF8710387A5383F08

SHA1:

D3FA355CC1D184BE20B441143FA34E4AE1A4BDB2

SHA256:

61EE3BD82BED03DD0F3FB9BC9B76B7DA972A90D3C12C8E4D5E967440A2F04C00

SSDEEP:

12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 7340)
      • net.exe (PID: 7448)

    • Antivirus name has been found in the command line (generic signature)

      • reg.exe (PID: 7584)
      • reg.exe (PID: 7848)
      • reg.exe (PID: 7448)
      • reg.exe (PID: 7520)
      • reg.exe (PID: 7660)
      • reg.exe (PID: 7560)
      • reg.exe (PID: 5960)
      • reg.exe (PID: 5124)

    • Disables task manager

      • reg.exe (PID: 5720)
      • reg.exe (PID: 812)

    • Disables the Run the Start menu

      • reg.exe (PID: 6476)

    • Task Manager has been disabled (taskmgr)

      • reg.exe (PID: 812)

  • SUSPICIOUS

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 7400)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7340)

    • The process creates files with name similar to system file names

      • AIDS_NT.exe (PID: 4880)
      • cmd.exe (PID: 7208)

    • Executable content was dropped or overwritten

      • AIDS_NT.exe (PID: 4880)
      • cmd.exe (PID: 7208)

    • The system shut down or reboot

      • cmd.exe (PID: 7340)

    • There is functionality for taking screenshot (YARA)

      • AIDS_NT.exe (PID: 4880)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 7208)

    • Changes the desktop background image

      • reg.exe (PID: 7548)
      • reg.exe (PID: 7308)

    • Reads security settings of Internet Explorer

      • AIDS_NT.exe (PID: 4880)

    • Executing commands from a ".bat" file

      • AIDS_NT.exe (PID: 4880)

    • Starts CMD.EXE for commands execution

      • AIDS_NT.exe (PID: 4880)

  • INFO

    • Reads the computer name

      • AIDS_NT.exe (PID: 4880)

    • Checks supported languages

      • nircmd.exe (PID: 7400)
      • AIDS_NT.exe (PID: 4880)

    • NirSoft software is detected

      • nircmd.exe (PID: 7400)

    • Create files in a temporary directory

      • AIDS_NT.exe (PID: 4880)

    • The sample compiled with english language support

      • AIDS_NT.exe (PID: 4880)
      • cmd.exe (PID: 7208)

    • Process checks computer location settings

      • AIDS_NT.exe (PID: 4880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:05 07:37:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 198656
InitializedDataSize: 256000
UninitializedDataSize: -
EntryPoint: 0x1e239
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
345
Monitored processes
207
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start aids_nt.exe cmd.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs nircmd.exe no specs attrib.exe no specs net.exe no specs net1.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sppextcomobj.exe no specs reg.exe no specs slui.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs shutdown.exe no specs aids_nt.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516REG ADD "HKEY_CLASSES_ROOT\jarfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
680REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "Defender.exe " /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
680REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "93" /t REG_SZ /d "AVGSvc.exe" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
728REG ADD "HKEY_CLASSES_ROOT\bmpfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
812REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1180REG ADD "HKEY_CLASSES_ROOT\xlsxfile\shell\open\command" /ve /t REG_SZ /d "notepad.exe" /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1184REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "91" /t REG_SZ /d "AVGBrowserCrashHandler64.exe" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1324REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "115" /t REG_SZ /d "MicrosoftEdge.exe" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1532REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "84" /t REG_SZ /d "bdagent.exe" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2088REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "90" /t REG_SZ /d "AVGBrowserCrashHandler.exe" /f C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 231
Read events
3 093
Write events
138
Delete events
0

Modification events

(PID) Process:(7308) reg.exeKey:HKEY_CURRENT_USER\Control Panel\Desktop
Operation:writeName:Wallpaper
Value:
C:\WINDOWS\1.jpg
(PID) Process:(7560) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:1
Value:
MSASCui.exe
(PID) Process:(7604) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:3
Value:
msdt.exe
(PID) Process:(7660) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:5
Value:
spideragent.exe
(PID) Process:(7764) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:7
Value:
SearchUI.exe
(PID) Process:(7804) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:9
Value:
aswEngSrv.exe
(PID) Process:(7824) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:10
Value:
AvastSvc.exe
(PID) Process:(7872) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:12
Value:
AvastBrowserCrashHandler.exe
(PID) Process:(7916) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:14
Value:
VirtualBox.exe
(PID) Process:(7964) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Operation:writeName:16
Value:
CCleaner32.exe
Executable files
4
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\1.battext
MD5:E59C7D9F080B068E3118E81385F467E7
SHA256:5C9BEE6ECBA73CDA027B99DEA013CD54F53524E35750DA629F53C841D75B6E8F
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\cew.00image
MD5:9311B831777F14F7C81AF8CB67259A3B
SHA256:1479DA32B193676068062236730CE9A5DBCAE727EC0EEA63B18252F9CB744707
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\start.battext
MD5:9492F33971CFD6B77484342E42097731
SHA256:2F4637DD7A3125BF60D5651CC851C8EF9CF7C461DD89EED404DD9F5A381844E4
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\42.exeexecutable
MD5:DAF9159A8FBC9510E9DC380C2CAE924D
SHA256:43118BC6F1C03B9F749EFC244D7FD0553D45EC50AE2E4EA363E17F85F832290F
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PkgMgr.00text
MD5:067AB27355743F95929213E08BC60EBB
SHA256:E621092E9B620BC589A4DD89D791352D266B139CEB9B3F13DDDED5B536B52441
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PkgMgr.battext
MD5:FED4789F3FBD52E720AE7234600D5652
SHA256:03DFD466366FFBE32E9E487CDC2136C62B4B4F57C365E255EF8E0C36991FB8B0
7208cmd.exeC:\Windows\42.exeexecutable
MD5:DAF9159A8FBC9510E9DC380C2CAE924D
SHA256:43118BC6F1C03B9F749EFC244D7FD0553D45EC50AE2E4EA363E17F85F832290F
7208cmd.exeC:\Windows\1.battext
MD5:E59C7D9F080B068E3118E81385F467E7
SHA256:5C9BEE6ECBA73CDA027B99DEA013CD54F53524E35750DA629F53C841D75B6E8F
4880AIDS_NT.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\nircmd.exeexecutable
MD5:A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA256:B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
7208cmd.exeC:\Windows\1.jpgimage
MD5:9311B831777F14F7C81AF8CB67259A3B
SHA256:1479DA32B193676068062236730CE9A5DBCAE727EC0EEA63B18252F9CB744707
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AIDS_NT.exe