File name: AIDS_NT.exe

Full analysis: https://app.any.run/tasks/bca16dad-54a4-427f-8600-5c279c72f971
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 20, 2023, 00:44:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 14EEFB80A0813ABBF8710387A5383F08
SHA1: D3FA355CC1D184BE20B441143FA34E4AE1A4BDB2
SHA256: 61EE3BD82BED03DD0F3FB9BC9B76B7DA972A90D3C12C8E4D5E967440A2F04C00
SSDEEP: 12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nircmd.exe (PID: 1536)
      • 42.exe (PID: 1764)
      • nircmd.exe (PID: 1684)
      • 42.exe (PID: 504)
      • nircmd.exe (PID: 1616)
      • nircmd.exe (PID: 420)
      • 42.exe (PID: 1364)
      • 42.exe (PID: 396)
      • nircmd.exe (PID: 1700)
      • 42.exe (PID: 312)
      • nircmd.exe (PID: 428)
      • 42.exe (PID: 1416)
      • nircmd.exe (PID: 1988)
      • 42.exe (PID: 912)
      • nircmd.exe (PID: 680)
    • Task Manager has been disabled (taskmgr)

      • reg.exe (PID: 3084)
    • Drops the executable file immediately after the start

      • cmd.exe (PID: 3296)
      • AIDS_NT.exe (PID: 2356)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 2812)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 4064)
      • net.exe (PID: 2196)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3296)
      • cmd.exe (PID: 4064)
    • The process creates files with name similar to system file names

      • AIDS_NT.exe (PID: 2356)
      • cmd.exe (PID: 3296)
    • Starts CMD.EXE for commands execution

      • AIDS_NT.exe (PID: 2356)
    • Changes the desktop background image

      • reg.exe (PID: 1884)
      • reg.exe (PID: 3496)
    • The system shut down or reboot

      • cmd.exe (PID: 4064)
    • Reads the Internet Settings

      • AIDS_NT.exe (PID: 2356)
      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • Executing commands from a ".bat" file

      • AIDS_NT.exe (PID: 2356)
    • Creates files like ransomware instruction

      • cmd.exe (PID: 3296)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4064)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
  • INFO

    • Checks supported languages

      • AIDS_NT.exe (PID: 2356)
      • nircmd.exe (PID: 1536)
      • nircmd.exe (PID: 1684)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2724)
      • nircmd.exe (PID: 1616)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 3636)
      • nircmd.exe (PID: 420)
      • wmpnscfg.exe (PID: 2284)
      • nircmd.exe (PID: 1700)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 2528)
      • nircmd.exe (PID: 428)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 2856)
      • nircmd.exe (PID: 1988)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 2948)
      • nircmd.exe (PID: 680)
      • wmpnscfg.exe (PID: 3652)
    • Reads the computer name

      • AIDS_NT.exe (PID: 2356)
      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2724)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 2284)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3652)
    • Create files in a temporary directory

      • AIDS_NT.exe (PID: 2356)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 1536)
    • NirSoft software is detected

      • nircmd.exe (PID: 1536)
      • nircmd.exe (PID: 1684)
      • nircmd.exe (PID: 1616)
      • nircmd.exe (PID: 420)
      • nircmd.exe (PID: 1700)
      • nircmd.exe (PID: 428)
      • nircmd.exe (PID: 1988)
      • nircmd.exe (PID: 680)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1036)
      • sipnotify.exe (PID: 1052)
      • sipnotify.exe (PID: 784)
      • sipnotify.exe (PID: 1316)
      • sipnotify.exe (PID: 356)
      • sipnotify.exe (PID: 2044)
      • sipnotify.exe (PID: 1072)
    • Manual execution by a user

      • notepad.exe (PID: 3892)
      • reg.exe (PID: 2700)
      • notepad.exe (PID: 4060)
      • reg.exe (PID: 2452)
      • reg.exe (PID: 3176)
      • reg.exe (PID: 2544)
      • reg.exe (PID: 2912)
      • reg.exe (PID: 2836)
      • reg.exe (PID: 3260)
      • reg.exe (PID: 3004)
      • reg.exe (PID: 300)
      • reg.exe (PID: 3596)
      • reg.exe (PID: 3932)
      • reg.exe (PID: 3648)
      • reg.exe (PID: 2528)
      • reg.exe (PID: 3836)
      • reg.exe (PID: 2444)
      • reg.exe (PID: 4036)
      • reg.exe (PID: 2336)
      • reg.exe (PID: 2128)
      • reg.exe (PID: 2224)
      • reg.exe (PID: 2896)
      • reg.exe (PID: 2524)
      • reg.exe (PID: 2704)
      • reg.exe (PID: 2616)
      • reg.exe (PID: 3344)
      • reg.exe (PID: 3496)
      • reg.exe (PID: 460)
      • reg.exe (PID: 672)
      • reg.exe (PID: 3232)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 3308)
      • reg.exe (PID: 3408)
      • reg.exe (PID: 2644)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 3700)
      • reg.exe (PID: 3684)
      • reg.exe (PID: 3992)
      • reg.exe (PID: 4072)
      • reg.exe (PID: 2148)
      • reg.exe (PID: 4040)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 3116)
      • reg.exe (PID: 3880)
      • reg.exe (PID: 2832)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 3252)
      • reg.exe (PID: 2976)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 3552)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 4004)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3772)
      • reg.exe (PID: 3904)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2148)
      • reg.exe (PID: 2548)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 3252)
      • reg.exe (PID: 2976)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 2832)
      • reg.exe (PID: 2548)
      • reg.exe (PID: 2644)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 2236)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2340)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 1620)
      • reg.exe (PID: 2696)
      • reg.exe (PID: 2796)
      • reg.exe (PID: 2892)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 3904)
      • reg.exe (PID: 4000)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 3900)
      • reg.exe (PID: 3704)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 4072)
      • reg.exe (PID: 4000)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2052)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 3300)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 2696)
      • reg.exe (PID: 3404)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 3220)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 3300)
      • reg.exe (PID: 1560)
      • reg.exe (PID: 3548)
      • reg.exe (PID: 2236)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2540)
      • reg.exe (PID: 2360)
      • reg.exe (PID: 1620)
      • reg.exe (PID: 2796)
      • reg.exe (PID: 2888)
      • reg.exe (PID: 1616)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2232)
      • reg.exe (PID: 2236)
      • shutdown.exe (PID: 2360)
      • reg.exe (PID: 2540)
      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2332)
      • reg.exe (PID: 3772)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 3900)
      • reg.exe (PID: 2056)
      • reg.exe (PID: 280)
      • reg.exe (PID: 2052)
      • notepad.exe (PID: 3380)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 2724)
      • notepad.exe (PID: 3156)
      • notepad.exe (PID: 1292)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 3636)
      • notepad.exe (PID: 2224)
      • wmpnscfg.exe (PID: 2284)
      • notepad.exe (PID: 2720)
      • notepad.exe (PID: 2576)
      • wmpnscfg.exe (PID: 3152)
      • notepad.exe (PID: 3980)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 3960)
      • notepad.exe (PID: 428)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3424)
      • reg.exe (PID: 2124)
      • notepad.exe (PID: 3708)
      • reg.exe (PID: 4008)
      • reg.exe (PID: 4068)
      • reg.exe (PID: 1836)
      • reg.exe (PID: 2244)
      • reg.exe (PID: 2436)
      • reg.exe (PID: 2332)
      • reg.exe (PID: 2556)
      • reg.exe (PID: 2520)
      • reg.exe (PID: 2660)
      • notepad.exe (PID: 3512)
      • reg.exe (PID: 3180)
      • reg.exe (PID: 3228)
      • reg.exe (PID: 3400)
      • reg.exe (PID: 3460)
      • reg.exe (PID: 3736)
      • reg.exe (PID: 3652)
      • reg.exe (PID: 3836)
      • reg.exe (PID: 420)
      • reg.exe (PID: 4088)
      • reg.exe (PID: 1352)
      • reg.exe (PID: 2844)
      • reg.exe (PID: 2980)
      • reg.exe (PID: 3104)
      • reg.exe (PID: 3212)
      • reg.exe (PID: 544)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • reg.exe (PID: 2112)
      • reg.exe (PID: 2224)
      • reg.exe (PID: 2372)
      • reg.exe (PID: 2364)
      • shutdown.exe (PID: 2328)
      • wmpnscfg.exe (PID: 2948)
      • notepad.exe (PID: 3676)
      • notepad.exe (PID: 3732)
      • wmpnscfg.exe (PID: 3652)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3648)
      • wmpnscfg.exe (PID: 2332)
      • wmpnscfg.exe (PID: 2724)
      • wmpnscfg.exe (PID: 3172)
      • wmpnscfg.exe (PID: 3636)
      • wmpnscfg.exe (PID: 3844)
      • wmpnscfg.exe (PID: 2284)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 2528)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3960)
      • wmpnscfg.exe (PID: 2856)
      • wmpnscfg.exe (PID: 3344)
      • wmpnscfg.exe (PID: 4036)
      • wmpnscfg.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3652)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:05 08:37:23+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 198656
InitializedDataSize: 256000
UninitializedDataSize: -
EntryPoint: 0x1e239
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
2 022
Monitored processes
422
Malicious processes
13
Suspicious processes
4

Behavior graph

Interactive process graph (available in the full report)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "regedt32.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 128
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "97" /t REG_SZ /d "artmoney.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
PID: 280
CMD: REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d "2" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "firefox.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "107" /t REG_SZ /d "MRT.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 300
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "65" /t REG_SZ /d "am800.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 312
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "ModuleCoreService.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
PID: 312
CMD: C:\Windows\42.exe
Path: C:\Windows\42.exe
Parent process: userinit.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\windows\42.exe
c:\windows\system32\ntdll.dll
PID: 356
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
PID: 372
CMD: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "WUDFHost.exe" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
Total events
26 121
Read events
25 950
Write events
98
Delete events
73

Modification events

(PID) Process: (2356) AIDS_NT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2356) AIDS_NT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2356) AIDS_NT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2356) AIDS_NT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2812) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe

(PID) Process: (1884) reg.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: Wallpaper
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

(PID) Process: (3496) reg.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: Wallpaper
Value: C:\Windows\1.jpg

(PID) Process: (3580) reg.exe
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Operation: write
Name: DisableCMD
Value: 2

(PID) Process: (4048) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: DisableCAD
Value: 1

(PID) Process: (3084) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1
Executable files
4
Suspicious files
7
Text files
46
Unknown types
0

Dropped files

PID
Process
Filename
Type
2356 | AIDS_NT.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nircmd.exe | executable
MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA256: B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
2356 | AIDS_NT.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\PkgMgr.00 | text
MD5: 067AB27355743F95929213E08BC60EBB
SHA256: E621092E9B620BC589A4DD89D791352D266B139CEB9B3F13DDDED5B536B52441
1036 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\microsoft-logo.png | image
MD5: B7C73A0CFBA68CC70C35EF9C63703CE4
SHA256: 1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013
3296 | cmd.exe | C:\Windows\1.jpg | image
MD5: 9311B831777F14F7C81AF8CB67259A3B
SHA256: 1479DA32B193676068062236730CE9A5DBCAE727EC0EEA63B18252F9CB744707
3296 | cmd.exe | C:\Windows\1.bat | text
MD5: E59C7D9F080B068E3118E81385F467E7
SHA256: 5C9BEE6ECBA73CDA027B99DEA013CD54F53524E35750DA629F53C841D75B6E8F
3296 | cmd.exe | C:\Windows\AIDS_NT_Instructions.txt | text
MD5: 0F92FCBACB68FB014CFA248C31448E6B
SHA256: 8B2D86FE88A75C0E0C312FDC7D1F54D113D33AF729D2BE52622F2B538A7A7049
3296 | cmd.exe | C:\Windows\42.exe | executable
MD5: DAF9159A8FBC9510E9DC380C2CAE924D
SHA256: 43118BC6F1C03B9F749EFC244D7FD0553D45EC50AE2E4EA363E17F85F832290F
1036 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\en-us.html | html
MD5: 9752942B57692148B9F614CF4C119A36
SHA256: E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1
3296 | cmd.exe | C:\Windows\nircmd.exe | executable
MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA256: B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
3296 | cmd.exe | C:\Users\admin\Desktop\AIDS_NT_Instructions.txt | text
MD5: 0F92FCBACB68FB014CFA248C31448E6B
SHA256: 8B2D86FE88A75C0E0C312FDC7D1F54D113D33AF729D2BE52622F2B538A7A7049
HTTP(S) requests
7
TCP/UDP connections
48
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422399424060000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422399839530000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400216400000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400593120000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422401372180000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422400984680000 | unknown | unknown
HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133422401762930000 | unknown | unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656 | svchost.exe | 239.255.255.250:1900 | unknown
4 | System | 192.168.100.255:137 | unknown
4 | System | 192.168.100.255:138 | whitelisted
23.212.215.38:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | AU | unknown
224.0.0.252:5355 | unknown
239.255.255.250:1900 | unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com | 23.212.215.38 | whitelisted

Threats

No threats detected
No debug info