
Trojan.MulDrop11.19195

Added to the Dr.Web virus database: 2019-10-06

Virus description added:

Technical Information

Modifies file system
Creates the following files
  • %TEMP%\sce46195.tmp
  • %TEMP%\nsf{nsf_tm}_sec.log
  • %TEMP%\nsf{nsf_tm}_domainrole.txt
  • %TEMP%\nsf{nsf_tm}_wmiav.vbs
  • %TEMP%\nsf{nsf_tm}_nameav.vbs
  • %TEMP%\nsf{nsf_tm}_processav.bat
  • %TEMP%\nsf{nsf_tm}_sharecheck.vbs
  • %TEMP%\nsf{nsf_tm}_checkfirewall.vbs
  • %TEMP%\nsf{nsf_tm}_fscheck.vbs
  • %TEMP%\nsf{nsf_tm}_morelines.vbs
Deletes the following files
  • %TEMP%\sce46195.tmp
Miscellaneous
Creates and executes the following
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_checkfirewall.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_sharecheck.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_nameav.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_wmiav.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_fscheck.vbs //Nologo
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "NoFirewallWindows">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objPolicy = objFirewall.LocalPolicy.CurrentProfile>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Disabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "Running") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "State") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcOut = FwSvcExec.StdOut.ReadAll>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcExec.StdIn.Close>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set FwSvcExec = ws.Exec("wmic service where name=""SharedAccess"" get state")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set ws = CreateObject("WScript.Shell")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFirewall = CreateObject("HNetCfg.FwMgr")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If True = objPolicy.FirewallEnabled Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objFile.Close()>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo loop>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo end if>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo Line>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = EchoNumber + ^1>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo if Trim(Line) ^<^> "" and EchoNumber ^< MoreNumber then>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Line = objFile.ReadLine()>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo do while objFile.AtEndOfStream ^<^> True>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = ^0>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFile = objFSO.OpenTextFile(FileName, 1)>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFSO = CreateObject("Scripting.FileSystemObject")>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo MoreNumber = CInt(Wscript.arguments(1))>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = "">%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FileName = Wscript.arguments(0)>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo(Right(ResultStr, Len(ResultStr) - 1))>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo("AllNTFS")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = Len(ResultStr) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = ResultStr + "," + objItem.Name + "=" + objItem.FileSystem>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = InStr(objItem.FileSystem, "NTFS") Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If (3 = objItem.DriveType) and (0 ^<^> Len(objItem.FileSystem)) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk",,48)>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End if >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each strkeyPath In arrKeyPath >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(objItem.Trustee, "S-1-1-0") Then >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo objItem.DisplayName >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If Not IsNull(objItem.DisplayName) Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsSC >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsSC = objWMIServiceSC.ExecQuery("SELECT * FROM AntiVirusProduct",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If Err.Number = 0 Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceSC = GetObject(SCNameSpace) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv") >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsOS >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo const HKEY_LOCAL_MACHINE = ^&H80000002 >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c wmic computersystem get domainrole | find /i /v "domainrole" > %TEMP%\NSF{nsf_tm}_domainrole.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "" > %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter2" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsOS = objWMIServiceOS.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceOS = GetObject("winmgmts:\\.\root\CIMV2") >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FirstNumber = Left(objItem.Version, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SecondNumber = Mid(objItem.Version, 2, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If FirstNumber ^<= "5" And SecondNumber = "." Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ElseIf SecondNumber ^<^> "." Then>> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo arrKeyPath = Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall") >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalShareAccess",,48) >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allKeys = Split("°²È«²¿¶Ó,ɱ¶¾,·´²¡¶¾,·À²¡¶¾,virus,Spyware,Symantec Endpoint Protection,µçÄԹܼÒ",",") > %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") > %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name >> %TEMP%\NSF{nsf_tm}_processav.bat)' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = '...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo @echo off > %TEMP%\NSF{nsf_tm}_processav.bat' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo WScript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(allSoftNames, allKeys(i)) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For i = 0 To UBound(allKeys) >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Everyone" >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = allSoftNames + sValue_Name + "," >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(sValue_Name) and IsNull(sValue_PDName) and IsNull(sValue_PKName) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentKeyName", sValue_PKName >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentDisplayName", sValue_PDName >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "DisplayName", sValue_Name >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If IsNull(dwValue) or 0 = dwValue Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "SystemComponent", dwValue >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each subkey In arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(arrSubKeys) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = "" >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c secedit /export /cfg %TEMP%\NSF{nsf_tm}_sec.log' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c secedit /export /cfg %TEMP%\NSF{nsf_tm}_sec.log
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "1 3 4 5" && echo 100) || (cmd /c wmic useraccount where "Disabled=FALSE and Domain='xjypmm'" get name | find /i /v "name" | findstr /n . | ...
  • '<SYSTEM32>\wbem\wmic.exe' group where Domain="xjypmm" get name,sid
  • '<SYSTEM32>\find.exe' /c ":"
  • '<SYSTEM32>\findstr.exe' /n .
  • '<SYSTEM32>\find.exe' /i /v "name"
  • '<SYSTEM32>\find.exe' /i /v "S-1-5-32-"
  • '<SYSTEM32>\cmd.exe' /c wmic group where Domain="xjypmm" get name,sid
  • '<SYSTEM32>\cmd.exe' /c wmic useraccount where "Disabled=FALSE and Domain='xjypmm'" get name
  • '<SYSTEM32>\findstr.exe' "1 3 4 5"
  • '<SYSTEM32>\find.exe' /i "LockoutDuration"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "LockoutDuration" || echo LockoutDuration = not config
  • '<SYSTEM32>\find.exe' /i "PasswordHistorySize"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "PasswordHistorySize" || echo PasswordHistorySize = not config
  • '<SYSTEM32>\find.exe' /i "MaximumPasswordAge"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MaximumPasswordAge" || echo MaximumPasswordAge = not config
  • '<SYSTEM32>\find.exe' /i "NewAdministratorName"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "1 3 4 5" && echo 100) || (cmd /c wmic group where Domain="xjypmm" get name,sid | find /i /v "S-1-5-32-" | find /i /v "name" | findstr /n . ...
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v MaxSize
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v Retention
  • '<SYSTEM32>\find.exe' /i "MinimumPasswordAge"
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber || echo PortNumber notfound not config
  • '<SYSTEM32>\cmd.exe' /c cscript %TEMP%\NSF{nsf_tm}_checkfirewall.vbs //Nologo
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v MaxSize
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\find.exe' /i "AuditProcessTracking"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "NewAdministratorName" || echo NewAdministratorName = not config
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditProcessTracking" || echo AuditProcessTracking = not config
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v Retention
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxConnectResponseRetransmissions
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxConnectResponseRetransmissions || echo TcpMaxConnectResponseRetransmissions notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted || echo TcpMaxPortsExhausted notfound not config
  • '<SYSTEM32>\wbem\wmic.exe' useraccount where "Disabled=FALSE and Domain='xjypmm'" get name
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MinimumPasswordAge" || echo MinimumPasswordAge = not config
  • '<SYSTEM32>\find.exe' /i "EnableGuestAccount"
  • '<SYSTEM32>\cmd.exe' /c (cscript %TEMP%\NSF{nsf_tm}_wmiav.vbs //Nologo | find "nsfocusyes") || (cscript %TEMP%\NSF{nsf_tm}_nameav.vbs //Nologo | find "nsfocusyes") || (%TEMP%\NSF{nsf_tm}_processav.bat | find /i "....
  • '<SYSTEM32>\find.exe' "$"
  • '<SYSTEM32>\net.exe' share /n
  • '<SYSTEM32>\findstr.exe' "0 2"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && net share /n | find "$"
  • '<SYSTEM32>\wbem\wmic.exe' os get DataExecutionPrevention_SupportPolicy
  • '<SYSTEM32>\find.exe' /i /v "DataExecutionPrevention_SupportPolicy"
  • '<SYSTEM32>\cmd.exe' /S /D /c" ( wmic os get DataExecutionPrevention_SupportPolicy || echo NoDEPWindows )"
  • '<SYSTEM32>\net1.exe' share /n
  • '<SYSTEM32>\cmd.exe' /c (wmic os get DataExecutionPrevention_SupportPolicy || echo NoDEPWindows) | find /i /v "DataExecutionPrevention_SupportPolicy"
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DisableCAD || echo DisableCAD notfound not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo CachedLogonsCount notfound 0) || (reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v enableforcedlogoff
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v enableforcedlogoff || echo enableforcedlogoff notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure || echo ScreenSaverIsSecure notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DisableCAD
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "PasswordComplexity" || echo PasswordComplexity = not config
  • '<SYSTEM32>\find.exe' /i "ResetLockoutCount"
  • '<SYSTEM32>\find.exe' "nsfocusyes"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "ResetLockoutCount" || echo ResetLockoutCount = not config
  • '<SYSTEM32>\find.exe' /i "LockoutBadCount"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "LockoutBadCount" || echo LockoutBadCount = not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo RequireStrongKey REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\pa...
  • '<SYSTEM32>\find.exe' /i "MinimumPasswordLength"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MinimumPasswordLength" || echo MinimumPasswordLength = not config
  • '<SYSTEM32>\find.exe' /i "PasswordComplexity"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "EnableGuestAccount" || echo EnableGuestAccount = not config
  • '<SYSTEM32>\cmd.exe' /S /D /c" type %TEMP%\NSF{nsf_tm}_sec.log "
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.exe' or name = '...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = 'bdss.exe' or n...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.exe' or name = '...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.exe' or name = '...
  • '<SYSTEM32>\find.exe' /i ".exe"
  • '<SYSTEM32>\cmd.exe' /S /D /c" %TEMP%\NSF{nsf_tm}_processav.bat "
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && echo ForceUnlockLogon REG_DWORD NotDomainRole) || (reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlo...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionPipes
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="MSMQ" get state | find /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen || echo TcpMaxHalfOpen notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried || echo TcpMaxHalfOpenRetried notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect || echo SynAttackProtect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime
  • '<SYSTEM32>\cmd.exe' /c (net start | find /i "SNMP Service" && (reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" /f "public" || echo NoPublic)) || echo NoSNMP
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime || echo KeepAliveTime notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableICMPRedirect || echo EnableICMPRedirect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect || echo EnableDeadGWDetect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxDataRetransmissions
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxDataRetransmissions || echo TcpMaxDataRetransmissions notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v PerformRouterDiscovery
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v PerformRouterDiscovery || echo PerformRouterDiscovery notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableICMPRedirect
  • '<SYSTEM32>\reg.exe' query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v DisableIPSourceRouting
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableSecurityFilters
  • '<SYSTEM32>\net1.exe' start
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon || echo AutoAdminLogon notfound 0
  • '<SYSTEM32>\wbem\wmic.exe' service where name="SimpTcp" get state
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="SimpTcp" get state | find /i /v "state"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="SMTPSVC" get state
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="SMTPSVC" get state | find /i /v "state"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="Dhcp" get state
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="Dhcp" get state | find /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v DisableIPSourceRouting || echo DisableIPSourceRouting notfound not config
  • '<SYSTEM32>\find.exe' /i "SeRemoteShutdownPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeRemoteShutdownPrivilege" || echo SeRemoteShutdownPrivilege = not config
  • '<SYSTEM32>\find.exe' /i "RestrictAnonymous"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "RestrictAnonymous" || echo RestrictAnonymous = not config
  • '<SYSTEM32>\reg.exe' query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v EnablePMTUDiscovery
  • '<SYSTEM32>\cmd.exe' /c reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v EnablePMTUDiscovery || echo EnablePMTUDiscovery notfound not config
  • '<SYSTEM32>\net.exe' start
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE || echo SCRNSAVE.EXE notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine
  • '<SYSTEM32>\find.exe' /i "AuditLogonEvents"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditSystemEvents" || echo AuditSystemEvents = not config
  • '<SYSTEM32>\find.exe' /i "AuditPrivilegeUse"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditPrivilegeUse" || echo AuditPrivilegeUse = not config
  • '<SYSTEM32>\find.exe' /i "AuditAccountLogon"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditAccountLogon" || echo AuditAccountLogon = not config
  • '<SYSTEM32>\find.exe' /i "AuditPolicyChange"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditPolicyChange" || echo AuditPolicyChange = not config
  • '<SYSTEM32>\find.exe' /i "AuditSystemEvents"
  • '<SYSTEM32>\find.exe' /i "AuditObjectAccess"
  • '<SYSTEM32>\find.exe' /i "AuditDSAccess"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditDSAccess" || echo AuditDSAccess = not config
  • '<SYSTEM32>\find.exe' /i "AuditAccountManage"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditAccountManage" || echo AuditAccountManage = not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v MaxSize
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v Retention
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditObjectAccess" || echo AuditObjectAccess = not config
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableSecurityFilters || echo EnableSecurityFilters notfound NoFilters
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "restrictanonymoussam" || echo restrictanonymoussam = not config
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeShutdownPrivilege" || echo SeShutdownPrivilege = not config
  • '<SYSTEM32>\find.exe' /i "SeTakeOwnershipPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeTakeOwnershipPrivilege" || echo SeTakeOwnershipPrivilege = not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths /v Machine
  • '<SYSTEM32>\find.exe' /i "Windows XP"
  • '<SYSTEM32>\cmd.exe' /S /D /c" ver "
  • '<SYSTEM32>\cmd.exe' /c (ver | find /i "Windows XP" && reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine) || (reg query HKEY_LOCAL_MACHINE\System\Current...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionShares
  • '<SYSTEM32>\find.exe' /i "restrictanonymoussam"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionShares)
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionPipes)
  • '<SYSTEM32>\find.exe' /i "SeInteractiveLogonRight"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeInteractiveLogonRight" || echo SeInteractiveLogonRight = not config
  • '<SYSTEM32>\find.exe' /i "SeNetworkLogonRight"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeNetworkLogonRight" || echo SeNetworkLogonRight = not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && echo DisablePasswordChange REG_DWORD NotDomainRole) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\par...
  • '<SYSTEM32>\find.exe' /i "SeShutdownPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditLogonEvents" || echo AuditLogonEvents = not config
  • '<SYSTEM32>\find.exe' /i "SNMP Service"
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
  • '<SYSTEM32>\wbem\wmic.exe' service where name="w32time" get state
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.ex...
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.ex...
  • '<SYSTEM32>\cmd.exe' /c echo @echo off > %TEMP%\NSF{nsf_tm}_processav.bat
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo WScript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(allSoftNames, allKeys(i)) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For i = 0 To UBound(allKeys) >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = '...
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = allSoftNames + sValue_Name + "," >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(sValue_Name) and IsNull(sValue_PDName) and IsNull(sValue_PKName) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentKeyName", sValue_PKName >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentDisplayName", sValue_PDName >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End if >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "State") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") > %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcOut = FwSvcExec.StdOut.ReadAll>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcExec.StdIn.Close>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set FwSvcExec = ws.Exec("wmic service where name=""SharedAccess"" get state")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set ws = CreateObject("WScript.Shell")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "DisplayName", sValue_Name >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFirewall = CreateObject("HNetCfg.FwMgr")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Everyone" >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(objItem.Trustee, "S-1-1-0") Then >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalShareAccess",,48) >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.ex...
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name >> %TEMP%\NSF{nsf_tm}_processav.bat)
  • '<SYSTEM32>\cmd.exe' /c echo If IsNull(dwValue) or 0 = dwValue Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceSC = GetObject(SCNameSpace) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter2" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ElseIf SecondNumber ^<^> "." Then>> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If FirstNumber ^<= "5" And SecondNumber = "." Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SecondNumber = Mid(objItem.Version, 2, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FirstNumber = Left(objItem.Version, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsOS = objWMIServiceOS.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceOS = GetObject("winmgmts:\\.\root\CIMV2") >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "" > %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\find.exe' /i /v "domainrole"
  • '<SYSTEM32>\wbem\wmic.exe' computersystem get domainrole
  • '<SYSTEM32>\cmd.exe' /c wmic computersystem get domainrole | find /i /v "domainrole" > %TEMP%\NSF{nsf_tm}_domainrole.txt
  • '<SYSTEM32>\secedit.exe' /export /cfg %TEMP%\NSF{nsf_tm}_sec.log
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsOS >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each subkey In arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If Err.Number = 0 Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(arrSubKeys) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each strkeyPath In arrKeyPath >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo arrKeyPath = Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall") >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv") >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo const HKEY_LOCAL_MACHINE = ^&H80000002 >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = "" >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "SystemComponent", dwValue >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allKeys = Split("安全部队,杀毒,反病毒,防病毒,virus,Spyware,Symantec Endpoint Protection,电脑管家",",") > %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo objItem.DisplayName >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If Not IsNull(objItem.DisplayName) Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsSC >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsSC = objWMIServiceSC.ExecQuery("SELECT * FROM AntiVirusProduct",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo(Right(ResultStr, Len(ResultStr) - 1))>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\wbem\wmic.exe' os get caption
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters /v NtpServer || echo NtpServer notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning || echo PasswordExpiryWarning notfound not config
  • '<SYSTEM32>\find.exe' /i /v "startmode"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="w32time" get startmode
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="w32time" get startmode | find /i /v "startmode"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo signsecurechannel REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters /v NtpServer
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo requiresignorseal REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\findstr.exe' "4 5"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (cscript %TEMP%\NSF{nsf_tm}_sharecheck.vbs //Nologo | find /i "Everyone")
  • '<SYSTEM32>\findstr.exe' "0 2 4 5"
  • '<SYSTEM32>\cmd.exe' /S /D /c" type %TEMP%\NSF{nsf_tm}_domainrole.txt "
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo sealsecurechannel REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\cmd.exe' /c echo objFile.Close()>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo loop>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\find.exe' /i "Everyone"
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DontDisplayLockedUserId
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\find.exe' /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c (wmic os get caption | findstr "2016" && (reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions || "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policie...
  • '<SYSTEM32>\find.exe' /i /c "disk"
  • '<SYSTEM32>\find.exe' /i /v "deviceid"
  • '<SYSTEM32>\wbem\wmic.exe' partition get deviceid
  • '<SYSTEM32>\cmd.exe' /c wmic partition get deviceid | find /i /v "deviceid" | find /i /c "disk"
  • '<SYSTEM32>\cmd.exe' /c cscript %TEMP%\NSF{nsf_tm}_fscheck.vbs //Nologo
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DontDisplayLastUserName
  • '<SYSTEM32>\cmd.exe' /c echo end if>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DontDisplayLastUserName || echo DontDisplayLastUserName notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DontDisplayLockedUserId || echo DontDisplayLockedUserId notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v autodisconnect
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v autodisconnect || echo autodisconnect notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun || echo NoDriveTypeAutoRun notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut || echo ScreenSaveTimeOut notfound not config
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="w32time" get state | find /i /v "state"
  • '<SYSTEM32>\findstr.exe' "2016"
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo Line>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If (3 = objItem.DriveType) and (0 ^<^> Len(objItem.FileSystem)) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = "">%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If True = objPolicy.FirewallEnabled Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk",,48)>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "NoFirewallWindows">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Disabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objPolicy = objFirewall.LocalPolicy.CurrentProfile>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "Running") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo if Trim(Line) ^<^> "" and EchoNumber ^< MoreNumber then>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = InStr(objItem.FileSystem, "NTFS") Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Line = objFile.ReadLine()>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo do while objFile.AtEndOfStream ^<^> True>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = ^0>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFile = objFSO.OpenTextFile(FileName, 1)>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFSO = CreateObject("Scripting.FileSystemObject")>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo MoreNumber = CInt(Wscript.arguments(1))>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FileName = Wscript.arguments(0)>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = EchoNumber + ^1>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo("AllNTFS")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = Len(ResultStr) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = ResultStr + "," + objItem.Name + "=" + objItem.FileSystem>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\wbem\wmic.exe' service where name="MSMQ" get state

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android