Technical Information
- '<SYSTEM32>\find.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SoftwareHelper
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EoEngine
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EoWeather
- '<SYSTEM32>\find.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v eorezo
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v comeo
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v comeo
- '<SYSTEM32>\find.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v eorezo
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\*\shell\smonkcli
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SkyMonk
- '<SYSTEM32>\reg.exe' /pid=3108
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\SkyMonk
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v comeo
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v comeo
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SkyMonk Client"
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\EoRezo
- '<SYSTEM32>\reg.exe' /pid=3076
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\AppID\{AFBB7970-789A-4264-BA70-E8127DECE400}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v SoftwareHelper
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v EoEngine
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v EoWeather
- '<SYSTEM32>\reg.exe' /pid=3280
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce /v eorezo
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v eorezo
- '<SYSTEM32>\sc.exe' query HKCR\CLSID\{8673BF7F-05D4-47BF-A318-89D09CC26A63}
- '<SYSTEM32>\find.exe' /pid=3904
- '<SYSTEM32>\sc.exe' query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D5E0AE5-6118-454F-89F1-298CE5A8A458}"
- '<SYSTEM32>\find.exe' /pid=3936
- '<SYSTEM32>\reg.exe' query HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
- '<SYSTEM32>\ping.exe' /pid=3980
- '<SYSTEM32>\reg.exe' query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8673BF7F-05D4-47BF-A318-89D09CC26A63}"
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047735}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046635}
- '<SYSTEM32>\taskkill.exe' /pid=3640
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044044435}
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D5E0AE5-6118-454F-89F1-298CE5A8A458}"
- '<SYSTEM32>\reg.exe' query HKCR\CLSID\{7D5E0AE5-6118-454F-89F1-298CE5A8A458}
- '<SYSTEM32>\reg.exe' query HHKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011041135}
- '<SYSTEM32>\reg.exe' query HKCR\CrossriderApp0000435.BHO
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAEEB0FA-3DD7-44E4-8CBB-54B3577E6858}
- '<SYSTEM32>\reg.exe' query HKCR\CrossriderApp0000435.FBApi
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SkyMonk
- '<SYSTEM32>\reg.exe' query HKCR\CrossriderApp0000435.Sandbox
- '<SYSTEM32>\reg.exe' query HKCR\CrossriderApp0000435.FBApi.1
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8673BF7F-05D4-47BF-A318-89D09CC26A63}
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{8673BF7F-05D4-47BF-A318-89D09CC26A63}
- '<SYSTEM32>\reg.exe' query HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
- '<SYSTEM32>\reg.exe' query HKCR\CLSID\{FAEEB0FA-3DD7-44E4-8CBB-54B3577E6858}
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{FAEEB0FA-3DD7-44E4-8CBB-54B3577E6858}
- '<SYSTEM32>\reg.exe' query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAEEB0FA-3DD7-44E4-8CBB-54B3577E6858}"
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAEEB0FA-3DD7-44E4-8CBB-54B3577E6858}"
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eoEngine_is1
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\Mail.Ru
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Guard.Mail.ru
- '<SYSTEM32>\findstr.exe' query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Guard.Mail.ru
- '<SYSTEM32>\reg.exe' /pid=500
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v BabylonToolbar
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Mail.Ru
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v {8984B388-A5BB-4DF7-B274-77B879E179DB}
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v SpyBrowser
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SpyBrowser
- '<SYSTEM32>\reg.exe' query "HKCU\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v {8984B388-A5BB-4DF7-B274-77B879E179DB}
- '<SYSTEM32>\reg.exe' query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v Guard.Mail.ru.gui
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Guard.Mail.ru.gui
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v {09900DE8-1DCA-443F-9243-26FF581438AF}
- '<SYSTEM32>\reg.exe' /pid=3564
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\AppID\escort.DLL
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}"
- '<SYSTEM32>\reg.exe' query "HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v {98889811-442D-49dd-99D7-DC866BE87DBC}
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v {98889811-442D-49dd-99D7-DC866BE87DBC}
- '<SYSTEM32>\reg.exe' query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}"
- '<SYSTEM32>\reg.exe' query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v facemoods
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v facemoods
- '<SYSTEM32>\reg.exe' query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v BabylonToolbar
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Babylon Client"
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\cacaoweb
- '<SYSTEM32>\reg.exe' query HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v cacaoweb
- '<SYSTEM32>\reg.exe' query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v "Babylon Client"
- '<SYSTEM32>\sc.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{37F4A335-D085-423e-A425-0370799166FB}"
- '<SYSTEM32>\reg.exe' query KEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED85AEBE-F834-4088-B5D3-97EB2478A6CD}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6612AFDD-34AD-4B89-A236-7E6D07C3FDCD}
- '<SYSTEM32>\sc.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}"
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OfferBox.OfferBoxServer
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bjeikeheijdjdfjbmknpefojickbkmom
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfferBox Browser"
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OfferBox
- '<SYSTEM32>\reg.exe' /pid=3844
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eoRezo_is1
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OfferBox
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7E8C343-7860-4A95-9AA8-AAF30D0F6D1E}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v OfferBox
- '<SYSTEM32>\reg.exe' query "HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
- '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfferBox
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SearchSettings
- '<SYSTEM32>\reg.exe' /pid=4076
- '<SYSTEM32>\reg.exe' query HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v SpyBrowser
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v SearchSettings
- '<SYSTEM32>\reg.exe' /pid=1432
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\OfferBox
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OfferBox.OfferBoxServer.1
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\OfferBox
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\OfferBox.exe
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\TypeLib\{8ABB9FA2-0740-4AD9-8F54-1192254B3CF4}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\Applications\OfferBox.exe
- '<SYSTEM32>\ping.exe' -n 1 localhost
- '<SYSTEM32>\ping.exe' -n 5 localhost
- '<SYSTEM32>\taskkill.exe' /f /im facemoods.exe
- '<SYSTEM32>\ping.exe' -n 3 localhost
- '<SYSTEM32>\find.exe' /i "OfferBox update service"
- '<SYSTEM32>\find.exe' /i "Guard.Mail.ru"
- '<SYSTEM32>\sc.exe' query
- '<SYSTEM32>\taskkill.exe' /f /im installer.exe
- '<SYSTEM32>\taskkill.exe' /f /im iexplore.exe
- '<SYSTEM32>\taskkill.exe' /f /im cacaoweb.exe
- '<SYSTEM32>\taskkill.exe' /f /im BabylonToolbar.EXE
- '<SYSTEM32>\taskkill.exe' /f /im facemoodssrv.exe
- '<SYSTEM32>\taskkill.exe' /f /im setup.exe
- '<SYSTEM32>\taskkill.exe' /f /im Babylon.exe
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\SearchQUIEHelper.DNSGuard.1
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\SearchQUIEHelper.DNSGuard
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v {99079a25-328f-4bd4-be04-00955acaa0a7}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\ilivid
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\ilivid
- '<SYSTEM32>\reg.exe' query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v DATAMNGR
- '<SYSTEM32>\reg.exe' query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DATAMNGR
- '<SYSTEM32>\ping.exe' -n 4 localhost
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v DATAMNGR
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\DataMngr_Toolbar
- '<SYSTEM32>\reg.exe' query HKEY_CURRENT_USER\Software\DataMngr
- '<SYSTEM32>\find.exe' /i "7"
- '<SYSTEM32>\find.exe' /i "vista"
- '<SYSTEM32>\findstr.exe' /v "REG.EXE VERSION" "%TEMP%\version.txt"
- '<SYSTEM32>\find.exe' /c "86"
- '<SYSTEM32>\taskkill.exe' /f /im BandooV6.exe
- '<SYSTEM32>\taskkill.exe' /f /im DATAMNGR.exe
- '<SYSTEM32>\taskkill.exe' /f /im explorer.exe
- '<SYSTEM32>\find.exe' /i "xp"
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\AT-Destroyer.bat""
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SOFTWARE\Microsoft\Internet Explorer" /v Version
- '<SYSTEM32>\findstr.exe' /v "Version 3.0" "%TEMP%\Fix.txt"
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
- '<SYSTEM32>\taskkill.exe' /f /im SpyBro.exe
- '<SYSTEM32>\taskkill.exe' /f /im GuardMailRu.exe
- '<SYSTEM32>\taskkill.exe' /f /im offerbox.exe
- '<SYSTEM32>\taskkill.exe' /f /im SearchSettings.exe
- '<SYSTEM32>\taskkill.exe' /f /im chrome.exe
- '<SYSTEM32>\taskkill.exe' /f /im Firefox.exe
- '<SYSTEM32>\taskkill.exe' /f /im OfferBoxHTTPProxy.exe
- '<SYSTEM32>\taskkill.exe' /f /im comeo.exe
- '<SYSTEM32>\taskkill.exe' /f /im SkyMonk.EXE
- '<SYSTEM32>\taskkill.exe' /f /im DATAMN~1.EXE
- '<SYSTEM32>\taskkill.exe' /f /im softwareupdatehp.exe
- '<SYSTEM32>\taskkill.exe' /f /im EoEngine.exe
- '<SYSTEM32>\taskkill.exe' /f /im EoWeather.exe
- '<SYSTEM32>\taskkill.exe' /f /im eorezo.exe
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v {99079a25-328f-4bd4-be04-00955acaa0a7}
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v {9a95b751-bf3e-4ea8-a938-2d4d84cd4964}
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar"
- '<SYSTEM32>\taskkill.exe' /pid=3056
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\CrossriderApp0000435.BHO
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135}"
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow" /v *.crossrider.com
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9a5bfd40-08bc-012f-81b7-073cf1b8f7c6}"
- '<SYSTEM32>\find.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F7C17237-6C01-4076-BD42-478F645C2BD9}"
- '<SYSTEM32>\reg.exe' /pid=2944
- '<SYSTEM32>\find.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7C3AF5C-4A26-414D-BDBA-3BF0AA2986A1}"
- '<SYSTEM32>\find.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9BA6598-6217-40C3-A33C-6B56EEDEC4E6}"
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar"
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FBA755C5-9B2F-4C82-A4E8-59F4651AA948}"
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FEF3AD0A-D478-4041-9201-7FE9648AC38B}"
- '<SYSTEM32>\taskkill.exe' "S-1-5-21" %TEMP%\hkus2.txt
- '<SYSTEM32>\findstr.exe' /v "Classes" MM.TXT
- '<SYSTEM32>\findstr.exe' /n "Classes" MM.TXT
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011041135}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045535}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-330033043335}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022042235}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Google\Chrome\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135}
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135}
- '<SYSTEM32>\reg.exe' query HKU
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Codec-V"
- '<SYSTEM32>\reg.exe' query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A55293A-4780-D754-BADF-453211D07665}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\AppID\BrowserConnection.DLL
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v {9D717F81-9148-4f12-8568-69135F087DB0}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\AppID\DnsBHO.DLL
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}
- '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8AC156D-8C47-4A83-B8D2-FD8577EA8442}"
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\BrowserConnection.Loader.1
- '<SYSTEM32>\reg.exe' query HKEY_CLASSES_ROOT\BrowserConnection.Loader
- '<SYSTEM32>\findstr.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CBCAC8C4-5CC8-492E-9D7F-71B62296051B}"
- '<SYSTEM32>\reg.exe' /pid=2920
- '<SYSTEM32>\findstr.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D001F40D-7A7F-410E-AEEC-58EB00DC5943}"
- '<SYSTEM32>\reg.exe' /pid=2888
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
- '<SYSTEM32>\find.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader.1
- '<SYSTEM32>\reg.exe' /pid=1156
- '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\sc.exe
- <SYSTEM32>\wbem\wmiprvse.exe
- <SYSTEM32>\find.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\findstr.exe
- iexplore.exe
- %WINDIR%\Explorer.EXE
- iexplore.exe
- chrome.exe
- firefox.exe
- %TEMP%\version2.txt
- %TEMP%\version.txt
- %TEMP%\MM.TXT
- %TEMP%\architecture.txt
- C:\AT-Destroyer.txt
- %TEMP%\1.tmp\AT-Destroyer.bat
- %TEMP%\Fix.txt
- %TEMP%\sistema.txt
- %TEMP%\architecture.txt
- ClassName: '(null)' WindowName: '(null)'