Trojan.MulDrop11.19195

Added to the Dr.Web virus database: 2019-10-06

Technical Information

Modifies file system
Creates the following files
  • %TEMP%\sce46195.tmp
  • %TEMP%\nsf{nsf_tm}_sec.log
  • %TEMP%\nsf{nsf_tm}_domainrole.txt
  • %TEMP%\nsf{nsf_tm}_wmiav.vbs
  • %TEMP%\nsf{nsf_tm}_nameav.vbs
  • %TEMP%\nsf{nsf_tm}_processav.bat
  • %TEMP%\nsf{nsf_tm}_sharecheck.vbs
  • %TEMP%\nsf{nsf_tm}_checkfirewall.vbs
  • %TEMP%\nsf{nsf_tm}_fscheck.vbs
  • %TEMP%\nsf{nsf_tm}_morelines.vbs
Deletes the following files
  • %TEMP%\sce46195.tmp
Miscellaneous
Creates and executes the following
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_checkfirewall.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_sharecheck.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_nameav.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_wmiav.vbs //Nologo
  • '<SYSTEM32>\cscript.exe' %TEMP%\NSF{nsf_tm}_fscheck.vbs //Nologo
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "NoFirewallWindows">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objPolicy = objFirewall.LocalPolicy.CurrentProfile>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Disabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "Running") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "State") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcOut = FwSvcExec.StdOut.ReadAll>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcExec.StdIn.Close>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set FwSvcExec = ws.Exec("wmic service where name=""SharedAccess"" get state")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set ws = CreateObject("WScript.Shell")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFirewall = CreateObject("HNetCfg.FwMgr")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If True = objPolicy.FirewallEnabled Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objFile.Close()>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo loop>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo end if>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo Line>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = EchoNumber + ^1>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo if Trim(Line) ^<^> "" and EchoNumber ^< MoreNumber then>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Line = objFile.ReadLine()>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo do while objFile.AtEndOfStream ^<^> True>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = ^0>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFile = objFSO.OpenTextFile(FileName, 1)>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo set objFSO = CreateObject("Scripting.FileSystemObject")>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo MoreNumber = CInt(Wscript.arguments(1))>>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = "">%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FileName = Wscript.arguments(0)>%TEMP%\NSF{nsf_tm}_morelines.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo(Right(ResultStr, Len(ResultStr) - 1))>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo("AllNTFS")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = Len(ResultStr) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = ResultStr + "," + objItem.Name + "=" + objItem.FileSystem>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = InStr(objItem.FileSystem, "NTFS") Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If (3 = objItem.DriveType) and (0 ^<^> Len(objItem.FileSystem)) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk",,48)>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End if >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each strkeyPath In arrKeyPath >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(objItem.Trustee, "S-1-1-0") Then >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo objItem.DisplayName >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If Not IsNull(objItem.DisplayName) Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsSC >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsSC = objWMIServiceSC.ExecQuery("SELECT * FROM AntiVirusProduct",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If Err.Number = 0 Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceSC = GetObject(SCNameSpace) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv") >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsOS >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo const HKEY_LOCAL_MACHINE = ^&H80000002 >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c wmic computersystem get domainrole | find /i /v "domainrole" > %TEMP%\NSF{nsf_tm}_domainrole.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "" > %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter2" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsOS = objWMIServiceOS.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceOS = GetObject("winmgmts:\\.\root\CIMV2") >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo FirstNumber = Left(objItem.Version, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SecondNumber = Mid(objItem.Version, 2, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If FirstNumber ^<= "5" And SecondNumber = "." Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo ElseIf SecondNumber ^<^> "." Then>> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo arrKeyPath = Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall") >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalShareAccess",,48) >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allKeys = Split("安全部队,杀毒,反病毒,防病毒,virus,Spyware,Symantec Endpoint Protection,电脑管家",",") > %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") > %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name >> %TEMP%\NSF{nsf_tm}_processav.bat)' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = '...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.ex...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo @echo off > %TEMP%\NSF{nsf_tm}_processav.bat' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo WScript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(allSoftNames, allKeys(i)) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For i = 0 To UBound(allKeys) >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Everyone" >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = allSoftNames + sValue_Name + "," >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(sValue_Name) and IsNull(sValue_PDName) and IsNull(sValue_PKName) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentKeyName", sValue_PKName >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentDisplayName", sValue_PDName >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "DisplayName", sValue_Name >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If IsNull(dwValue) or 0 = dwValue Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "SystemComponent", dwValue >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo For Each subkey In arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(arrSubKeys) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = "" >> %TEMP%\NSF{nsf_tm}_nameav.vbs' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c secedit /export /cfg %TEMP%\NSF{nsf_tm}_sec.log' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c secedit /export /cfg %TEMP%\NSF{nsf_tm}_sec.log
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "1 3 4 5" && echo 100) || (cmd /c wmic useraccount where "Disabled=FALSE and Domain='xjypmm'" get name | find /i /v "name" | findstr /n . | ...
  • '<SYSTEM32>\wbem\wmic.exe' group where Domain="xjypmm" get name,sid
  • '<SYSTEM32>\find.exe' /c ":"
  • '<SYSTEM32>\findstr.exe' /n .
  • '<SYSTEM32>\find.exe' /i /v "name"
  • '<SYSTEM32>\find.exe' /i /v "S-1-5-32-"
  • '<SYSTEM32>\cmd.exe' /c wmic group where Domain="xjypmm" get name,sid
  • '<SYSTEM32>\cmd.exe' /c wmic useraccount where "Disabled=FALSE and Domain='xjypmm'" get name
  • '<SYSTEM32>\findstr.exe' "1 3 4 5"
  • '<SYSTEM32>\find.exe' /i "LockoutDuration"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "LockoutDuration" || echo LockoutDuration = not config
  • '<SYSTEM32>\find.exe' /i "PasswordHistorySize"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "PasswordHistorySize" || echo PasswordHistorySize = not config
  • '<SYSTEM32>\find.exe' /i "MaximumPasswordAge"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MaximumPasswordAge" || echo MaximumPasswordAge = not config
  • '<SYSTEM32>\find.exe' /i "NewAdministratorName"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "1 3 4 5" && echo 100) || (cmd /c wmic group where Domain="xjypmm" get name,sid | find /i /v "S-1-5-32-" | find /i /v "name" | findstr /n . ...
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v MaxSize
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v Retention
  • '<SYSTEM32>\find.exe' /i "MinimumPasswordAge"
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber || echo PortNumber notfound not config
  • '<SYSTEM32>\cmd.exe' /c cscript %TEMP%\NSF{nsf_tm}_checkfirewall.vbs //Nologo
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v MaxSize
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\find.exe' /i "AuditProcessTracking"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "NewAdministratorName" || echo NewAdministratorName = not config
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditProcessTracking" || echo AuditProcessTracking = not config
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v Retention
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxConnectResponseRetransmissions
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxConnectResponseRetransmissions || echo TcpMaxConnectResponseRetransmissions notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted || echo TcpMaxPortsExhausted notfound not config
  • '<SYSTEM32>\wbem\wmic.exe' useraccount where "Disabled=FALSE and Domain='xjypmm'" get name
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MinimumPasswordAge" || echo MinimumPasswordAge = not config
  • '<SYSTEM32>\find.exe' /i "EnableGuestAccount"
  • '<SYSTEM32>\cmd.exe' /c (cscript %TEMP%\NSF{nsf_tm}_wmiav.vbs //Nologo | find "nsfocusyes") || (cscript %TEMP%\NSF{nsf_tm}_nameav.vbs //Nologo | find "nsfocusyes") || (%TEMP%\NSF{nsf_tm}_processav.bat | find /i "....
  • '<SYSTEM32>\find.exe' "$"
  • '<SYSTEM32>\net.exe' share /n
  • '<SYSTEM32>\findstr.exe' "0 2"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && net share /n | find "$"
  • '<SYSTEM32>\wbem\wmic.exe' os get DataExecutionPrevention_SupportPolicy
  • '<SYSTEM32>\find.exe' /i /v "DataExecutionPrevention_SupportPolicy"
  • '<SYSTEM32>\cmd.exe' /S /D /c" ( wmic os get DataExecutionPrevention_SupportPolicy || echo NoDEPWindows )"
  • '<SYSTEM32>\net1.exe' share /n
  • '<SYSTEM32>\cmd.exe' /c (wmic os get DataExecutionPrevention_SupportPolicy || echo NoDEPWindows) | find /i /v "DataExecutionPrevention_SupportPolicy"
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DisableCAD || echo DisableCAD notfound not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo CachedLogonsCount notfound 0) || (reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v enableforcedlogoff
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v enableforcedlogoff || echo enableforcedlogoff notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure || echo ScreenSaverIsSecure notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DisableCAD
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "PasswordComplexity" || echo PasswordComplexity = not config
  • '<SYSTEM32>\find.exe' /i "ResetLockoutCount"
  • '<SYSTEM32>\find.exe' "nsfocusyes"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "ResetLockoutCount" || echo ResetLockoutCount = not config
  • '<SYSTEM32>\find.exe' /i "LockoutBadCount"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "LockoutBadCount" || echo LockoutBadCount = not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo RequireStrongKey REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\pa...
  • '<SYSTEM32>\find.exe' /i "MinimumPasswordLength"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "MinimumPasswordLength" || echo MinimumPasswordLength = not config
  • '<SYSTEM32>\find.exe' /i "PasswordComplexity"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "EnableGuestAccount" || echo EnableGuestAccount = not config
  • '<SYSTEM32>\cmd.exe' /S /D /c" type %TEMP%\NSF{nsf_tm}_sec.log "
  • '<SYSTEM32>\wbem\wmic.exe' process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.exe' or name = '...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = 'bdss.exe' or n...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.exe' or name = '...
  • '<SYSTEM32>\wbem\wmic.exe' process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.exe' or name = '...
  • '<SYSTEM32>\find.exe' /i ".exe"
  • '<SYSTEM32>\cmd.exe' /S /D /c" %TEMP%\NSF{nsf_tm}_processav.bat "
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && echo ForceUnlockLogon REG_DWORD NotDomainRole) || (reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlo...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionPipes
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="MSMQ" get state | find /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v Retention || echo Retention notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen || echo TcpMaxHalfOpen notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried || echo TcpMaxHalfOpenRetried notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect || echo SynAttackProtect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime
  • '<SYSTEM32>\cmd.exe' /c (net start | find /i "SNMP Service" && (reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" /f "public" || echo NoPublic)) || echo NoSNMP
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime || echo KeepAliveTime notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableICMPRedirect || echo EnableICMPRedirect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect || echo EnableDeadGWDetect notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxDataRetransmissions
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpMaxDataRetransmissions || echo TcpMaxDataRetransmissions notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v PerformRouterDiscovery
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v PerformRouterDiscovery || echo PerformRouterDiscovery notfound not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableICMPRedirect
  • '<SYSTEM32>\reg.exe' query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v DisableIPSourceRouting
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableSecurityFilters
  • '<SYSTEM32>\net1.exe' start
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon || echo AutoAdminLogon notfound 0
  • '<SYSTEM32>\wbem\wmic.exe' service where name="SimpTcp" get state
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="SimpTcp" get state | find /i /v "state"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="SMTPSVC" get state
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="SMTPSVC" get state | find /i /v "state"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="Dhcp" get state
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="Dhcp" get state | find /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v DisableIPSourceRouting || echo DisableIPSourceRouting notfound not config
  • '<SYSTEM32>\find.exe' /i "SeRemoteShutdownPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeRemoteShutdownPrivilege" || echo SeRemoteShutdownPrivilege = not config
  • '<SYSTEM32>\find.exe' /i "RestrictAnonymous"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "RestrictAnonymous" || echo RestrictAnonymous = not config
  • '<SYSTEM32>\reg.exe' query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v EnablePMTUDiscovery
  • '<SYSTEM32>\cmd.exe' /c reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v EnablePMTUDiscovery || echo EnablePMTUDiscovery notfound not config
  • '<SYSTEM32>\net.exe' start
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE || echo SCRNSAVE.EXE notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine
  • '<SYSTEM32>\find.exe' /i "AuditLogonEvents"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditSystemEvents" || echo AuditSystemEvents = not config
  • '<SYSTEM32>\find.exe' /i "AuditPrivilegeUse"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditPrivilegeUse" || echo AuditPrivilegeUse = not config
  • '<SYSTEM32>\find.exe' /i "AuditAccountLogon"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditAccountLogon" || echo AuditAccountLogon = not config
  • '<SYSTEM32>\find.exe' /i "AuditPolicyChange"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditPolicyChange" || echo AuditPolicyChange = not config
  • '<SYSTEM32>\find.exe' /i "AuditSystemEvents"
  • '<SYSTEM32>\find.exe' /i "AuditObjectAccess"
  • '<SYSTEM32>\find.exe' /i "AuditDSAccess"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditDSAccess" || echo AuditDSAccess = not config
  • '<SYSTEM32>\find.exe' /i "AuditAccountManage"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditAccountManage" || echo AuditAccountManage = not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v MaxSize
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v MaxSize || echo MaxSize notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v Retention
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditObjectAccess" || echo AuditObjectAccess = not config
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableSecurityFilters || echo EnableSecurityFilters notfound NoFilters
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "restrictanonymoussam" || echo restrictanonymoussam = not config
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeShutdownPrivilege" || echo SeShutdownPrivilege = not config
  • '<SYSTEM32>\find.exe' /i "SeTakeOwnershipPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeTakeOwnershipPrivilege" || echo SeTakeOwnershipPrivilege = not config
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths /v Machine
  • '<SYSTEM32>\find.exe' /i "Windows XP"
  • '<SYSTEM32>\cmd.exe' /S /D /c" ver "
  • '<SYSTEM32>\cmd.exe' /c (ver | find /i "Windows XP" && reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths /v Machine) || (reg query HKEY_LOCAL_MACHINE\System\Current...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionShares
  • '<SYSTEM32>\find.exe' /i "restrictanonymoussam"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionShares)
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v NullSessionPipes)
  • '<SYSTEM32>\find.exe' /i "SeInteractiveLogonRight"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeInteractiveLogonRight" || echo SeInteractiveLogonRight = not config
  • '<SYSTEM32>\find.exe' /i "SeNetworkLogonRight"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "SeNetworkLogonRight" || echo SeNetworkLogonRight = not config
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2" && echo DisablePasswordChange REG_DWORD NotDomainRole) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\par...
  • '<SYSTEM32>\find.exe' /i "SeShutdownPrivilege"
  • '<SYSTEM32>\cmd.exe' /c type %TEMP%\NSF{nsf_tm}_sec.log | find /i "AuditLogonEvents" || echo AuditLogonEvents = not config
  • '<SYSTEM32>\find.exe' /i "SNMP Service"
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
  • '<SYSTEM32>\wbem\wmic.exe' service where name="w32time" get state
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'ccSetMgr.exe' or name = 'defwatch.exe' or name = 'ISSVC.exe' or name = 'SPBBCSvc.exe' or name = 'SNDSrvc.exe' or name = 'KPFWSvc.exe' or name = 'KAVStart.ex...
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.ex...
  • '<SYSTEM32>\cmd.exe' /c echo @echo off > %TEMP%\NSF{nsf_tm}_processav.bat
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo WScript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(allSoftNames, allKeys(i)) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For i = 0 To UBound(allKeys) >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'Vstskmgr.exe' or name = 'Mcshield.exe' or name = 'Frameworkservice.exe' or name = 'naPrdMgr.exe' or name = 'mcafee.exe' or name = 'xcommsvr.exe' or name = '...
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = allSoftNames + sValue_Name + "," >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(sValue_Name) and IsNull(sValue_PDName) and IsNull(sValue_PKName) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentKeyName", sValue_PKName >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "ParentDisplayName", sValue_PDName >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End if >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "State") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") > %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcOut = FwSvcExec.StdOut.ReadAll>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FwSvcExec.StdIn.Close>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set FwSvcExec = ws.Exec("wmic service where name=""SharedAccess"" get state")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set ws = CreateObject("WScript.Shell")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "DisplayName", sValue_Name >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFirewall = CreateObject("HNetCfg.FwMgr")>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Everyone" >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(objItem.Trustee, "S-1-1-0") Then >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalShareAccess",,48) >> %TEMP%\NSF{nsf_tm}_sharecheck.vbs
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name = 'spidernt.exe' or name = 'spiderml.exe' or name = 'drwebscd.exe' or name = 'spider.exe' or name = 'nod32kui.exe' or name = 'nod32krn.exe' or name = 'MPSVC.ex...
  • '<SYSTEM32>\cmd.exe' /c (echo wmic process where "name='360tray.exe' or name='ZhuDongFangYu.exe' or name = 'ds_agent' or name = 'ds_notifier' or name = 'QQPCTray.exe'" get name >> %TEMP%\NSF{nsf_tm}_processav.bat)
  • '<SYSTEM32>\cmd.exe' /c echo If IsNull(dwValue) or 0 = dwValue Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceSC = GetObject(SCNameSpace) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Exit For >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter2" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ElseIf SecondNumber ^<^> "." Then>> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "winmgmts:\\.\root\SecurityCenter" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If FirstNumber ^<= "5" And SecondNumber = "." Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SecondNumber = Mid(objItem.Version, 2, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FirstNumber = Left(objItem.Version, 1) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsOS = objWMIServiceOS.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIServiceOS = GetObject("winmgmts:\\.\root\CIMV2") >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo SCNameSpace = "" > %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\find.exe' /i /v "domainrole"
  • '<SYSTEM32>\wbem\wmic.exe' computersystem get domainrole
  • '<SYSTEM32>\cmd.exe' /c wmic computersystem get domainrole | find /i /v "domainrole" > %TEMP%\NSF{nsf_tm}_domainrole.txt
  • '<SYSTEM32>\secedit.exe' /export /cfg %TEMP%\NSF{nsf_tm}_sec.log
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsOS >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each subkey In arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If Err.Number = 0 Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If not IsNull(arrSubKeys) Then >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each strkeyPath In arrKeyPath >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo arrKeyPath = Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall") >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv") >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo const HKEY_LOCAL_MACHINE = ^&H80000002 >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allSoftNames = "" >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath + "\" + subkey, "SystemComponent", dwValue >> %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo allKeys = Split("安全部队,杀毒,反病毒,防病毒,virus,Spyware,Symantec Endpoint Protection,电脑管家",",") > %TEMP%\NSF{nsf_tm}_nameav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "nsfocusyes" >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo objItem.DisplayName >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If Not IsNull(objItem.DisplayName) Then >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItemsSC >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItemsSC = objWMIServiceSC.ExecQuery("SELECT * FROM AntiVirusProduct",,48) >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next >> %TEMP%\NSF{nsf_tm}_wmiav.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo(Right(ResultStr, Len(ResultStr) - 1))>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\wbem\wmic.exe' os get caption
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters /v NtpServer || echo NtpServer notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning || echo PasswordExpiryWarning notfound not config
  • '<SYSTEM32>\find.exe' /i /v "startmode"
  • '<SYSTEM32>\wbem\wmic.exe' service where name="w32time" get startmode
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="w32time" get startmode | find /i /v "startmode"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo signsecurechannel REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters /v NtpServer
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo requiresignorseal REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\findstr.exe' "4 5"
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "4 5") || (cscript %TEMP%\NSF{nsf_tm}_sharecheck.vbs //Nologo | find /i "Everyone")
  • '<SYSTEM32>\findstr.exe' "0 2 4 5"
  • '<SYSTEM32>\cmd.exe' /S /D /c" type %TEMP%\NSF{nsf_tm}_domainrole.txt "
  • '<SYSTEM32>\cmd.exe' /c (type %TEMP%\NSF{nsf_tm}_domainrole.txt | findstr "0 2 4 5" && echo sealsecurechannel REG_DWORD NotDomainMember) || (reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netlogon\p...
  • '<SYSTEM32>\cmd.exe' /c echo objFile.Close()>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo loop>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\find.exe' /i "Everyone"
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DontDisplayLockedUserId
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\find.exe' /i /v "state"
  • '<SYSTEM32>\cmd.exe' /c (wmic os get caption | findstr "2016" && (reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions || "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policie...
  • '<SYSTEM32>\find.exe' /i /c "disk"
  • '<SYSTEM32>\find.exe' /i /v "deviceid"
  • '<SYSTEM32>\wbem\wmic.exe' partition get deviceid
  • '<SYSTEM32>\cmd.exe' /c wmic partition get deviceid | find /i /v "deviceid" | find /i /c "disk"
  • '<SYSTEM32>\cmd.exe' /c cscript %TEMP%\NSF{nsf_tm}_fscheck.vbs //Nologo
  • '<SYSTEM32>\reg.exe' query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DontDisplayLastUserName
  • '<SYSTEM32>\cmd.exe' /c echo end if>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system /v DontDisplayLastUserName || echo DontDisplayLastUserName notfound not config
  • '<SYSTEM32>\cmd.exe' /c reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DontDisplayLockedUserId || echo DontDisplayLockedUserId notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v autodisconnect
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v autodisconnect || echo autodisconnect notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun || echo NoDriveTypeAutoRun notfound not config
  • '<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut
  • '<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut || echo ScreenSaveTimeOut notfound not config
  • '<SYSTEM32>\cmd.exe' /c wmic service where name="w32time" get state | find /i /v "state"
  • '<SYSTEM32>\findstr.exe' "2016"
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo Line>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If (3 = objItem.DriveType) and (0 ^<^> Len(objItem.FileSystem)) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = "">%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If True = objPolicy.FirewallEnabled Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Enabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 ^<^> ErrNum Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Goto ^0>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk",,48)>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ErrNum = Err.Number>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo On Error Resume Next>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "NoFirewallWindows">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo "Disabled">>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objPolicy = objFirewall.LocalPolicy.CurrentProfile>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If InStr(FwSvcOut, "Running") Then>>%TEMP%\NSF{nsf_tm}_checkfirewall.vbs
  • '<SYSTEM32>\cmd.exe' /c echo if Trim(Line) ^<^> "" and EchoNumber ^< MoreNumber then>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = InStr(objItem.FileSystem, "NTFS") Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Line = objFile.ReadLine()>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo do while objFile.AtEndOfStream ^<^> True>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = ^0>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFile = objFSO.OpenTextFile(FileName, 1)>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo set objFSO = CreateObject("Scripting.FileSystemObject")>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo MoreNumber = CInt(Wscript.arguments(1))>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo FileName = Wscript.arguments(0)>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo EchoNumber = EchoNumber + ^1>>%TEMP%\NSF{nsf_tm}_morelines.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Else>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Wscript.Echo("AllNTFS")>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo If 0 = Len(ResultStr) Then>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo Next>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo End If>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo ResultStr = ResultStr + "," + objItem.Name + "=" + objItem.FileSystem>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\cmd.exe' /c echo For Each objItem in colItems>>%TEMP%\NSF{nsf_tm}_fscheck.vbs
  • '<SYSTEM32>\wbem\wmic.exe' service where name="MSMQ" get state

Curing recommendations

  1. If the operating system can be started (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all the removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings so that it boots from a CD/DVD or a USB drive. Download the image of the Dr.Web® LiveDisk system recovery disk or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the appropriate USB drive. Boot the computer from this drive, run a full scan and cure the detected threats.

Run a full system scan with Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions with Dr.Web Antivirus for Linux.

  1. If your mobile device is working correctly, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how to do this, consult the device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android