Техническая информация
Для обеспечения автозапуска и распространения
Создает следующие файлы на съемном носителе
- <Имя диска съемного носителя>:\correct.avi
- <Имя диска съемного носителя>:\!!! all your files are encrypted !!!.txt
- <Имя диска съемного носителя>:\dial.bmp
- <Имя диска съемного носителя>:\dashborder_192.bmp
- <Имя диска съемного носителя>:\toolbar.bmp
- <Имя диска съемного носителя>:\dashborder_120.bmp
- <Имя диска съемного носителя>:\dialmap.bmp
- <Имя диска съемного носителя>:\dashborder_96.bmp
- <Имя диска съемного носителя>:\pmd.cer
- <Имя диска съемного носителя>:\sdksampleunprivdeveloper.cer
- <Имя диска съемного носителя>:\contosoroot_1.cer
- <Имя диска съемного носителя>:\asaprojectcompetition.pptx
- <Имя диска съемного носителя>:\stoc13_ml_quoc_le.pptx
- <Имя диска съемного носителя>:\middaugh_keynote.pptx
- <Имя диска съемного носителя>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx
Вредоносные функции
Для затруднения выявления своего присутствия в системе
удаляет теневые копии разделов.
Читает файлы, отвечающие за хранение паролей сторонними программами
- %HOMEPATH%\desktop\contosoroot.cer
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\dashborder_144.bmp
- %HOMEPATH%\desktop\dial.bmp
- %HOMEPATH%\desktop\dialmap.bmp
- %HOMEPATH%\desktop\february_catalogue__2015.doc
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\testcertificate.cer
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\tileimage.bmp
- %HOMEPATH%\desktop\weeklysheet1215.doc
Изменения в файловой системе
Создает следующие файлы
- C:\documents and settings\default user\cookies\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ml\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\mk\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\lv\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\lt\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ku\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ko\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\kn\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\kk\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\kab\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ka\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\jv\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ja\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\it\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\is\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\id\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\hu\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\hr\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\hi\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\he\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\gu\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\gl\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\fy\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\fr\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\fi\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\fa\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\eu\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\et\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\es\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\eo\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\mo\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\mr\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ms\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\mt\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\zh_hk\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\zh_cn\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\wae\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\vi\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\uz\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ur\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\uk\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ug\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\tw\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\tr\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\th\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\te\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ta\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\sv\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\sq\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\sr\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\sl\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\sk\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\shn\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ru\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ro\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\pt_br\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\pt\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\pl\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\oc\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\nn\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\nl\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ne\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\nb\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\my\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\zh_tw\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\en_gb\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\en_ca\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\en_au\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\encodings\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\ctypes\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\crypto\util\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\crypto\publickey\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\crypto\hash\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\crypto\cipher\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\crypto\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\bittorrent\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\data\images\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\data\custom-installation\hooks\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\data\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\!!! all your files are encrypted !!!.txt
- %TEMP%\history\history.ie5\!!! all your files are encrypted !!!.txt
- %TEMP%\cookies\!!! all your files are encrypted !!!.txt
- %TEMP%\2.9.0.1467 (partner)\chrome\en-gb\locale\browser-region\!!! all your files are encrypted !!!.txt
- %TEMP%\2.9.0.1467 (partner)\chrome\en-gb\locale\branding\!!! all your files are encrypted !!!.txt
- %TEMP%\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\local settings\history\history.ie5\mshist012017042620170427\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\favorites\links\яндекс.url
- %HOMEPATH%\favorites\links\почта.url
- %HOMEPATH%\favorites\links\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\favorites\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\desktop\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\cookies\!!! all your files are encrypted !!!.txt
- %HOMEPATH%\!!! all your files are encrypted !!!.txt
- C:\documents and settings\default user\templates\!!! all your files are encrypted !!!.txt
- C:\documents and settings\default user\local settings\<INETFILES>\content.ie5\!!! all your files are encrypted !!!.txt
- C:\documents and settings\default user\local settings\history\history.ie5\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\logging\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\openpgp\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\openpgp\sap\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\openpgp\sap\msg\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\el\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\de\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\da\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\cy\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\csb\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\cs\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\crh\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ca\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\bs\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\br\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\bo\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\bg\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ast\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\as\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\af\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\ar\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\xml\sax\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\xml\parsers\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\xml\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\frontends\win32\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\frontends\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\backends\win32\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\backends\common\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\backends\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\wubi\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\winui\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\urlgrabber\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\sets\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\openpgp\sap\util\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\lib\openpgp\sap\pkt\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\translations\en\lc_messages\!!! all your files are encrypted !!!.txt
- %TEMP%\pyl1.tmp\winboot\!!! all your files are encrypted !!!.txt
Перемещает следующие файлы
- %HOMEPATH%\favorites\links\почта.url в %HOMEPATH%\favorites\links\почта.url.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_wcf_retca4a2a.txt в %TEMP%\dd_wcf_retca4a2a.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_net_framework35_msi77c4.txt в %TEMP%\dd_net_framework35_msi77c4.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_net_framework30_setup7762.txt в %TEMP%\dd_net_framework30_setup7762.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_net_framework20_setup74f9.txt в %TEMP%\dd_net_framework20_setup74f9.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt в %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_dotnetfx45_full_setup_decompression_log.txt в %TEMP%\dd_dotnetfx45_full_setup_decompression_log.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_xps.txt в %TEMP%\dd_xps.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_dotnetfx40_full_x86_x64_decompression_log.txt в %TEMP%\dd_dotnetfx40_full_x86_x64_decompression_log.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_dotnetfx20install.txt в %TEMP%\dd_dotnetfx20install.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_depcheck_netfx_exp_35.txt в %TEMP%\dd_depcheck_netfx_exp_35.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_depcheck_netfx20_exp_35.txt в %TEMP%\dd_depcheck_netfx20_exp_35.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_clwireg.txt в %TEMP%\dd_clwireg.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\aucheck_parser.txt в %TEMP%\aucheck_parser.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %HOMEPATH%\favorites\links\яндекс.url в %HOMEPATH%\favorites\links\яндекс.url.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\dd_dotnetfx35install.txt в %TEMP%\dd_dotnetfx35install.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
- %TEMP%\uxeventlog.txt в %TEMP%\uxeventlog.txt.{ae69a703-1d00-5d48-d891-050ff469713d}
Изменяет множество файлов пользовательских данных (Trojan.Encoder).
Изменяет расширения файлов пользовательских данных (Trojan.Encoder).
Сетевая активность
UDP
- DNS ASK ge###tool.com
- DNS ASK ip##gger.ru
Другое
Создает и запускает на исполнение
- '<SYSTEM32>\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log System' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log Security' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log Application' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C del "%userprofile%\documents\Default.rdp"' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C vssadmin delete shadows /all /quiet' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wmic shadowcopy delete' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wbadmin delete backup' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wbadmin delete systemstatebackup' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C wbadmin delete catalog -quiet' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C sc config eventlog start=disabled' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /C chcp 1250 && net view' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\cmd.exe' /C chcp 1250 && net view
- '<SYSTEM32>\sc.exe' config eventlog start=disabled
- '<SYSTEM32>\cmd.exe' /C sc config eventlog start=disabled
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log System
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log Security
- '<SYSTEM32>\cmd.exe' /C wevtutil.exe clear-log Application
- '<SYSTEM32>\cmd.exe' /C del "%userprofile%\documents\Default.rdp"
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\documents\Default.rdp" -s -h
- '<SYSTEM32>\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- '<SYSTEM32>\chcp.com' 1250
- '<SYSTEM32>\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- '<SYSTEM32>\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
- '<SYSTEM32>\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
- '<SYSTEM32>\cmd.exe' /C vssadmin delete shadows /all /quiet
- '<SYSTEM32>\cmd.exe' /C wmic shadowcopy delete
- '<SYSTEM32>\cmd.exe' /C wbadmin delete backup
- '<SYSTEM32>\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0
- '<SYSTEM32>\cmd.exe' /C wbadmin delete systemstatebackup
- '<SYSTEM32>\cmd.exe' /C wbadmin delete catalog -quiet
- '<SYSTEM32>\cmd.exe' /C bcdedit /set {default} recoveryenabled no
- '<SYSTEM32>\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- '<SYSTEM32>\net.exe' view
