File name: AIDS_NT.exe

Full analysis: https://app.any.run/tasks/bca16dad-54a4-427f-8600-5c279c72f971
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 20, 2023, 00:44:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 14EEFB80A0813ABBF8710387A5383F08
SHA1: D3FA355CC1D184BE20B441143FA34E4AE1A4BDB2
SHA256: 61EE3BD82BED03DD0F3FB9BC9B76B7DA972A90D3C12C8E4D5E967440A2F04C00
SSDEEP: 12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 2812)
    • Drops the executable file immediately after the start

      • AIDS_NT.exe (PID: 2356)
      • cmd.exe (PID: 3296)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 4064)
      • net.exe (PID: 2196)
    • Task Manager has been disabled (taskmgr)

      • reg.exe (PID: 3084)
    • Application was dropped or rewritten from another process

      • 42.exe (PID: 1764)
      • nircmd.exe (PID: 1536)
      • nircmd.exe (PID: 1684)
      • 42.exe (PID: 504)
      • nircmd.exe (PID: 1616)
      • nircmd.exe (PID: 420)
      • 42.exe (PID: 1364)
      • nircmd.exe (PID: 1700)
      • 42.exe (PID: 396)
      • 42.exe (PID: 312)
      • nircmd.exe (PID: 428)
      • 42.exe (PID: 1416)
      • nircmd.exe (PID: 1988)
      • 42.exe (PID: 912)
      • nircmd.exe (PID: 680)
  • SUSPICIOUS

    • Creates files like ransomware instruction

      • cmd.exe (PID: 3296)
    • Changes the desktop background image

      • reg.exe (PID: 1884)
      • reg.exe (PID: 3496)
    • The process creates files with name similar to system file names

      • cmd.exe (PID: 3296)
      • AIDS_NT.exe (PID: 2356)
    • Executing commands from a ".bat" file

      • AIDS_NT.exe (PID: 2356)
    • Starts CMD.EXE for commands execution

      • AIDS_NT.exe (PID: 2356)
    • Reads the Internet Settings

      • AIDS_NT.exe (PID: 2356)
      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4064)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3296)
      • cmd.exe (PID: 4064)
    • The system shut down or reboot

      • cmd.exe (PID: 4064)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
  • INFO

    • Reads the computer name

      • AIDS_NT.exe (PID: 2356)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2724)
      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 2284)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3652)
    • Checks supported languages

      • AIDS_NT.exe (PID: 2356)
      • nircmd.exe (PID: 1536)
      • nircmd.exe (PID: 1684)
      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2724)
      • wmpnscfg.exe (PID: 3172)
      • nircmd.exe (PID: 1616)
      • nircmd.exe (PID: 420)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 2284)
      • nircmd.exe (PID: 1700)
      • nircmd.exe (PID: 428)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 2856)
      • nircmd.exe (PID: 1988)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 2948)
      • nircmd.exe (PID: 680)
      • wmpnscfg.exe (PID: 3652)
    • Create files in a temporary directory

      • AIDS_NT.exe (PID: 2356)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 1536)
    • NirSoft software is detected

      • nircmd.exe (PID: 1536)
      • nircmd.exe (PID: 1684)
      • nircmd.exe (PID: 1616)
      • nircmd.exe (PID: 420)
      • nircmd.exe (PID: 1700)
      • nircmd.exe (PID: 428)
      • nircmd.exe (PID: 1988)
      • nircmd.exe (PID: 680)
    • Manual execution by a user

      • notepad.exe (PID: 4060)
      • notepad.exe (PID: 3892)
      • reg.exe (PID: 2452)
      • reg.exe (PID: 2544)
      • reg.exe (PID: 2700)
      • reg.exe (PID: 2836)
      • reg.exe (PID: 2912)
      • reg.exe (PID: 3344)
      • reg.exe (PID: 3004)
      • reg.exe (PID: 3176)
      • reg.exe (PID: 300)
      • reg.exe (PID: 3260)
      • reg.exe (PID: 3648)
      • reg.exe (PID: 3496)
      • reg.exe (PID: 3596)
      • reg.exe (PID: 2336)
      • reg.exe (PID: 3932)
      • reg.exe (PID: 3836)
      • reg.exe (PID: 4036)
      • reg.exe (PID: 460)
      • reg.exe (PID: 2128)
      • reg.exe (PID: 2224)
      • reg.exe (PID: 2444)
      • reg.exe (PID: 2524)
      • reg.exe (PID: 2896)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 3116)
      • reg.exe (PID: 3232)
      • reg.exe (PID: 4040)
      • reg.exe (PID: 3308)
      • reg.exe (PID: 3408)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 3880)
      • reg.exe (PID: 3700)
      • reg.exe (PID: 3684)
      • reg.exe (PID: 4072)
      • reg.exe (PID: 3992)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2148)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2528)
      • reg.exe (PID: 2616)
      • reg.exe (PID: 2704)
      • reg.exe (PID: 672)
      • reg.exe (PID: 2548)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 2644)
      • reg.exe (PID: 2832)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 3252)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3552)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3772)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 4004)
      • reg.exe (PID: 3904)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 2976)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2148)
      • reg.exe (PID: 2832)
      • reg.exe (PID: 2644)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 2548)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 2976)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 3252)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 1620)
      • reg.exe (PID: 2696)
      • reg.exe (PID: 2796)
      • reg.exe (PID: 2892)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 3300)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 4000)
      • reg.exe (PID: 3904)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2236)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3900)
      • reg.exe (PID: 4072)
      • reg.exe (PID: 4000)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2540)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2236)
      • reg.exe (PID: 1620)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 2796)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2696)
      • reg.exe (PID: 3900)
      • reg.exe (PID: 3300)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 280)
      • reg.exe (PID: 2056)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 3772)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2724)
      • reg.exe (PID: 2236)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2540)
      • shutdown.exe (PID: 2360)
      • wmpnscfg.exe (PID: 3648)
      • notepad.exe (PID: 3156)
      • notepad.exe (PID: 3380)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 3172)
      • notepad.exe (PID: 2224)
      • wmpnscfg.exe (PID: 3844)
      • notepad.exe (PID: 1292)
      • notepad.exe (PID: 2720)
      • notepad.exe (PID: 2576)
      • wmpnscfg.exe (PID: 2284)
      • notepad.exe (PID: 3980)
      • notepad.exe (PID: 428)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3424)
      • notepad.exe (PID: 3512)
      • notepad.exe (PID: 3708)
      • reg.exe (PID: 4008)
      • reg.exe (PID: 2124)
      • reg.exe (PID: 4068)
      • reg.exe (PID: 1836)
      • reg.exe (PID: 2332)
      • reg.exe (PID: 2244)
      • reg.exe (PID: 2844)
      • reg.exe (PID: 3180)
      • reg.exe (PID: 3212)
      • reg.exe (PID: 3400)
      • reg.exe (PID: 3228)
      • reg.exe (PID: 3460)
      • reg.exe (PID: 544)
      • reg.exe (PID: 3652)
      • reg.exe (PID: 3836)
      • reg.exe (PID: 420)
      • reg.exe (PID: 2436)
      • reg.exe (PID: 2520)
      • reg.exe (PID: 2660)
      • reg.exe (PID: 2556)
      • reg.exe (PID: 2980)
      • reg.exe (PID: 3104)
      • reg.exe (PID: 3736)
      • reg.exe (PID: 2372)
      • reg.exe (PID: 2364)
      • shutdown.exe (PID: 2328)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • reg.exe (PID: 4088)
      • reg.exe (PID: 1352)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2224)
      • notepad.exe (PID: 3676)
      • wmpnscfg.exe (PID: 2948)
      • notepad.exe (PID: 3732)
      • wmpnscfg.exe (PID: 3652)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2724)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 2284)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:05 08:37:23+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 198656
InitializedDataSize: 256000
UninitializedDataSize: -
EntryPoint: 0x1e239
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 2 022
Monitored processes: 422
Malicious processes: 13
Suspicious processes: 4

Behavior graph

[Interactive process graph, available in the full report; processes shown: aids_nt.exe, cmd.exe, reg.exe, nircmd.exe, attrib.exe, net.exe, net1.exe, shutdown.exe, 42.exe, sipnotify.exe, notepad.exe, wmpnscfg.exe]

Process information

PID: 120
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 128
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
PID: 280
CMD: REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 312
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
PID: 312
CMD: C:\Windows\42.exe
Path: C:\Windows\42.exe
Parent process: userinit.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\windows\42.exe
c:\windows\system32\ntdll.dll
PID: 356
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: sipnotify
Exit code: 0
Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules (Images):
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
PID: 372
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
Total events: 26 121
Read events: 25 950
Write events: 98
Delete events: 73

Modification events

Process: (2356) AIDS_NT.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Process: (2356) AIDS_NT.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Process: (2356) AIDS_NT.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Process: (2356) AIDS_NT.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Process: (2812) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Operation: write | Name: Shell | Value: explorer.exe
Process: (1884) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Desktop | Operation: write | Name: Wallpaper | Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
Process: (3496) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Desktop | Operation: write | Name: Wallpaper | Value: C:\Windows\1.jpg
Process: (3580) reg.exe | Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | Operation: write | Name: DisableCMD | Value: 2
Process: (4048) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Operation: write | Name: DisableCAD | Value: 1
Process: (3084) reg.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: DisableTaskMgr | Value: 1
Executable files: 4
Suspicious files: 7
Text files: 46
Unknown types: 0

Dropped files

PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\1.bat | Type: text
MD5: E59C7D9F080B068E3118E81385F467E7
SHA256: 5C9BEE6ECBA73CDA027B99DEA013CD54F53524E35750DA629F53C841D75B6E8F
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\42.exe | Type: executable
MD5: DAF9159A8FBC9510E9DC380C2CAE924D
SHA256: 43118BC6F1C03B9F749EFC244D7FD0553D45EC50AE2E4EA363E17F85F832290F
PID: 3296 | Process: cmd.exe | Filename: C:\Windows\nircmd.exe | Type: executable
MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA256: B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\cew.00 | Type: image
MD5: 9311B831777F14F7C81AF8CB67259A3B
SHA256: 1479DA32B193676068062236730CE9A5DBCAE727EC0EEA63B18252F9CB744707
PID: 3296 | Process: cmd.exe | Filename: C:\Windows\AIDS_NT_Instructions.txt | Type: text
MD5: 0F92FCBACB68FB014CFA248C31448E6B
SHA256: 8B2D86FE88A75C0E0C312FDC7D1F54D113D33AF729D2BE52622F2B538A7A7049
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\cew.01 | Type: text
MD5: 0F92FCBACB68FB014CFA248C31448E6B
SHA256: 8B2D86FE88A75C0E0C312FDC7D1F54D113D33AF729D2BE52622F2B538A7A7049
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\PkgMgr.bat | Type: text
MD5: FED4789F3FBD52E720AE7234600D5652
SHA256: 03DFD466366FFBE32E9E487CDC2136C62B4B4F57C365E255EF8E0C36991FB8B0
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\start.bat | Type: text
MD5: 9492F33971CFD6B77484342E42097731
SHA256: 2F4637DD7A3125BF60D5651CC851C8EF9CF7C461DD89EED404DD9F5A381844E4
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\PkgMgr.00 | Type: text
MD5: 067AB27355743F95929213E08BC60EBB
SHA256: E621092E9B620BC589A4DD89D791352D266B139CEB9B3F13DDDED5B536B52441
PID: 2356 | Process: AIDS_NT.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\nircmd.exe | Type: executable
MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA256: B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 48
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422399424060000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422399839530000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400216400000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400593120000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400984680000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422401372180000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422401762930000 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | svchost.exe | 239.255.255.250:1900 | unknown
4 | System | 192.168.100.255:137 | unknown
4 | System | 192.168.100.255:138 | whitelisted
23.212.215.38:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | AU | unknown
224.0.0.252:5355 | unknown
239.255.255.250:1900 | unknown

DNS requests

Domain | IP | Reputation
query.prod.cms.rt.microsoft.com | 23.212.215.38 | whitelisted

Threats

No threats detected
No debug info