Trojan.Siggen32.12413

Техническая информация

Вредоносные функции

Запускает на исполнение

'<SYSTEM32>\net.exe' stop GoodbyeZapret
'<SYSTEM32>\taskkill.exe' /F /IM winws.exe
'<SYSTEM32>\net.exe' stop "WinDivert"
'<SYSTEM32>\net.exe' stop "WinDivert14"
'<SYSTEM32>\net.exe' stop "monkey"
'<SYSTEM32>\taskkill.exe' /F /IM GoodbyeZapretTray.exe

Запускает большое число процессов

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\cmd.exe

Изменяет следующие настройки браузера Windows Internet Explorer

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations] 'LowRiskFileTypes' = '.exe;.reg;.bat;.vbs;.cmd;.ps1;.zip;.rar;.msi;.msu;.lnk;.7z;.tar.gz;.doc;.docx;.pdf;'

Изменения в файловой системе

Создает следующие файлы

%TEMP%\613b.tmp\613c.tmp\613d.bat
nul
C:\log.txt
C:\goodbyezapret.zip
C:\gz_temp\bin\cygwin1.dll
C:\gz_temp\bin\fake\fake_quic_1.bin
C:\gz_temp\bin\fake\fake_quic_2.bin
C:\gz_temp\bin\fake\fake_quic_3.bin
C:\gz_temp\bin\fake\fake_quic_4.bin
C:\gz_temp\bin\fake\fake_syndata.bin
C:\gz_temp\bin\fake\fake_tls_1.bin
C:\gz_temp\bin\fake\fake_tls_2.bin
C:\gz_temp\bin\fake\fake_tls_3.bin
C:\gz_temp\bin\fake\fake_tls_4.bin
C:\gz_temp\bin\fake\fake_tls_5.bin
C:\gz_temp\bin\fake\fake_tls_6.bin
C:\gz_temp\bin\fake\fake_tls_7.bin
C:\gz_temp\bin\fake\fake_tls_8.bin
C:\gz_temp\bin\fake\http_fake_ms.bin
C:\gz_temp\bin\fake\http_iana_org.bin
C:\gz_temp\bin\fake\quic_1.bin
C:\gz_temp\bin\fake\quic_2.bin
C:\gz_temp\bin\fake\quic_3.bin
C:\gz_temp\bin\fake\quic_4.bin
C:\gz_temp\bin\fake\quic_5.bin
C:\gz_temp\bin\fake\quic_6.bin
C:\gz_temp\bin\fake\quic_7.bin
C:\gz_temp\bin\fake\quic_initial_fonts_google_com.bin
C:\gz_temp\bin\fake\quic_initial_www_google_com.bin
C:\gz_temp\bin\fake\syn_packet.bin
C:\gz_temp\bin\fake\tls_clienthello_1.bin
C:\gz_temp\bin\fake\tls_clienthello_11.bin
C:\gz_temp\bin\fake\tls_clienthello_12.bin
C:\gz_temp\bin\fake\tls_clienthello_14.bin
C:\gz_temp\bin\fake\tls_clienthello_15.bin
C:\gz_temp\bin\fake\tls_clienthello_16.bin
C:\gz_temp\bin\fake\tls_clienthello_17.bin
C:\gz_temp\bin\fake\tls_clienthello_18.bin
C:\gz_temp\bin\fake\tls_clienthello_2.bin
C:\gz_temp\bin\fake\tls_clienthello_24.bin
C:\gz_temp\bin\fake\tls_clienthello_3.bin
C:\gz_temp\bin\fake\tls_clienthello_312.bin
C:\gz_temp\bin\fake\tls_clienthello_4.bin
C:\gz_temp\bin\fake\tls_clienthello_5.bin
C:\gz_temp\bin\fake\tls_clienthello_6.bin
C:\gz_temp\bin\fake\tls_clienthello_7.bin
C:\gz_temp\bin\fake\tls_clienthello_9.bin
C:\gz_temp\bin\fake\tls_clienthello_edge-106_google.com.bin
C:\gz_temp\bin\fake\tls_clienthello_edge-85_google.com.bin
C:\gz_temp\bin\fake\tls_clienthello_www_google_com.bin
C:\gz_temp\bin\killall.exe
C:\gz_temp\bin\monkey64.sys
C:\gz_temp\bin\stop_and_delete_all_in_folder.bat
C:\gz_temp\bin\windivert.dll
C:\gz_temp\bin\windivert.filter\windivert.discord_media+stun.txt
C:\gz_temp\bin\windivert.filter\windivert.discord_media.txt
C:\gz_temp\bin\windivert.filter\windivert.stun.txt
C:\gz_temp\bin\windivert.filter\windivert_part.discord_media.txt
C:\gz_temp\bin\windivert.filter\windivert_part.stun.txt
C:\gz_temp\bin\windivert_delete.cmd
C:\gz_temp\bin\winws.exe
C:\gz_temp\configs\custom\customfix.bat
C:\gz_temp\configs\custom\helpers\download_helpers.bat
C:\gz_temp\configs\preset\multifix.bat
C:\gz_temp\configs\preset\multifix_10.bat
C:\gz_temp\configs\preset\multifix_2.bat
C:\gz_temp\configs\preset\multifix_3.bat
C:\gz_temp\configs\preset\multifix_4.bat
C:\gz_temp\configs\preset\multifix_5.bat
C:\gz_temp\configs\preset\multifix_6.bat
C:\gz_temp\configs\preset\multifix_7.bat
C:\gz_temp\configs\preset\multifix_8.bat
C:\gz_temp\configs\preset\multifix_9.bat
C:\gz_temp\configs\preset\multifix_ts.bat
C:\gz_temp\configs\preset\old_configs\multifixamazone.bat
C:\gz_temp\configs\preset\old_configs\multifixamazone_2.bat
C:\gz_temp\configs\preset\old_configs\multifixamazone_3.bat
C:\gz_temp\configs\preset\old_configs\multifix_5_test.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_2.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_3.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_4.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_5.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_6.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_7.bat
C:\gz_temp\configs\preset\old_configs\ultimatefix_amaizing_7_ip-v6.bat
C:\gz_temp\configs\preset\old_configs\webunlock.bat
C:\gz_temp\configs\preset\old_configs\webunlock_2.bat
C:\gz_temp\configs\preset\old_configs\webunlock_3.bat
C:\gz_temp\configs\preset\old_configs\webunlock_x-ip.bat
C:\gz_temp\configs\preset\old_configs\webunlock_x-ip_2.bat
C:\gz_temp\configs\preset\old_configs\webunlock_x-ip_3.bat
C:\gz_temp\configs\preset\ultimatefix.bat
C:\gz_temp\configs\preset\ultimatefix_2.bat
C:\gz_temp\configs\preset\ultimatefix_3.bat
C:\gz_temp\configs\preset\ultimatefix_allport.bat
C:\gz_temp\configs\preset\ultimatefix_lab.bat
C:\gz_temp\configs\preset\ultimatefix_unreal.bat
C:\gz_temp\configs\preset\warp.bat
C:\gz_temp\lists\anomaly_site.txt
C:\gz_temp\lists\autohostlist.txt
C:\gz_temp\lists\cloudflare-ipset_v6.txt
C:\gz_temp\lists\custom-hostlist.txt
C:\gz_temp\lists\exclude-autohostlist.txt
C:\gz_temp\lists\exclude-cloudflare.txt
C:\gz_temp\lists\exclude-cloudflare_ip.txt
C:\gz_temp\lists\exclude.txt
C:\gz_temp\lists\ipset-amazon.txt
C:\gz_temp\lists\ipset-cloudflare.txt
C:\gz_temp\lists\ipset-cloudflare2.txt
C:\gz_temp\lists\ipset-cloudflare3.txt
C:\gz_temp\lists\ipset-cloudflare4.txt
C:\gz_temp\lists\ipset-cloudflare_ipv6.txt
C:\gz_temp\lists\ipset-cloudflare_off.txt
C:\gz_temp\lists\ipset-dns.txt
C:\gz_temp\lists\ipset-facebook_instagram.txt
C:\gz_temp\lists\list-cloudflare.txt
C:\gz_temp\lists\list-facebook_instagram.txt
C:\gz_temp\lists\list-general.txt
C:\gz_temp\lists\list-instagram.txt
C:\gz_temp\lists\list-nvidia.txt
C:\gz_temp\lists\list-quick_ttl.txt
C:\gz_temp\lists\list-rutracker.txt
C:\gz_temp\lists\list-speedtest.txt
C:\gz_temp\lists\list-steam.txt
C:\gz_temp\lists\list-telegram.txt
C:\gz_temp\lists\list-twitch.txt
C:\gz_temp\lists\list-youtube.txt
C:\gz_temp\lists\list-youtubewithoutgv.txt
C:\gz_temp\lists\mycdnlist.txt
C:\gz_temp\lists\netrogat.txt
C:\gz_temp\lists\netrogat_custom.txt
C:\gz_temp\lists\netrogat_ip.txt
C:\gz_temp\lists\netrogat_ip2.txt
C:\gz_temp\lists\netrogat_ip_custom.txt
C:\gz_temp\lists\other.txt
C:\gz_temp\lists\russia-blacklist.txt
C:\gz_temp\lists\russia-discord-ipset.txt
C:\gz_temp\lists\russia-discord.txt
C:\gz_temp\lists\russia-youtube-rtmps.txt
C:\gz_temp\lists\russia-youtube.txt
C:\gz_temp\lists\russia-youtube2.txt
C:\gz_temp\lists\russia-youtubeq.txt
C:\gz_temp\lists\youtube.txt
C:\gz_temp\lists\youtubeq.txt
C:\gz_temp\lists\youtube_googlevideo.txt
C:\gz_temp\lists\youtube_video-chanel-preview.txt
C:\gz_temp\tools\config_check\auto_find_working_config.exe
C:\gz_temp\tools\config_check\config_check.exe
C:\gz_temp\tools\config_check\delete_services_for_finder.bat
C:\gz_temp\tools\config_check\domains.txt
C:\gz_temp\tools\curl\curl.exe
C:\gz_temp\tools\delete_services.bat
C:\gz_temp\tools\dns_config.bat
C:\gz_temp\tools\host_unlock.bat
C:\gz_temp\tools\reset_network.bat
C:\gz_temp\tools\tray\goodbyezaprettray.exe
C:\gz_temp\tools\updater.exe
C:\gz_temp\tools\updater_for_zip-ver.bat
C:\gz_temp\tools\update_blacklist.bat
C:\gz_temp\tools\update_netrogat_list.bat
C:\gz_temp\tools\update_winws.bat
C:\gz_temp\instructions.html
C:\gz_temp\launcher.bat
C:\tools\delete_services.bat
C:\tools\dns_config.bat
C:\tools\host_unlock.bat
C:\tools\reset_network.bat
C:\tools\updater.exe
C:\tools\updater_for_zip-ver.bat
C:\tools\update_blacklist.bat
C:\tools\update_netrogat_list.bat
C:\tools\update_winws.bat
C:\tools\tray\goodbyezaprettray.exe
C:\tools\curl\curl.exe
C:\lists\anomaly_site.txt
C:\lists\autohostlist.txt
C:\lists\cloudflare-ipset_v6.txt
C:\lists\custom-hostlist.txt
C:\lists\exclude-autohostlist.txt
C:\lists\exclude-cloudflare.txt
C:\lists\exclude-cloudflare_ip.txt
C:\lists\exclude.txt
C:\lists\ipset-amazon.txt
C:\lists\ipset-cloudflare.txt
C:\lists\ipset-cloudflare2.txt
C:\lists\ipset-cloudflare3.txt
C:\lists\ipset-cloudflare4.txt
C:\lists\ipset-cloudflare_ipv6.txt
C:\lists\ipset-cloudflare_off.txt
C:\lists\ipset-dns.txt
C:\lists\ipset-facebook_instagram.txt
C:\lists\list-cloudflare.txt
C:\lists\list-facebook_instagram.txt
C:\lists\list-general.txt
C:\lists\list-instagram.txt
C:\lists\list-nvidia.txt
C:\lists\list-quick_ttl.txt
C:\lists\list-rutracker.txt
C:\lists\list-speedtest.txt
C:\lists\list-steam.txt
C:\lists\list-telegram.txt
C:\lists\list-twitch.txt
C:\lists\list-youtube.txt
C:\lists\list-youtubewithoutgv.txt
C:\lists\mycdnlist.txt
C:\lists\netrogat.txt
C:\lists\netrogat_ip.txt
C:\lists\netrogat_ip2.txt
C:\lists\other.txt
C:\lists\russia-blacklist.txt
C:\lists\russia-discord-ipset.txt
C:\lists\russia-discord.txt
C:\lists\russia-youtube-rtmps.txt
C:\lists\russia-youtube.txt
C:\lists\russia-youtube2.txt
C:\lists\russia-youtubeq.txt
C:\lists\youtube.txt
C:\lists\youtubeq.txt
C:\lists\youtube_googlevideo.txt
C:\lists\youtube_video-chanel-preview.txt
C:\lists\netrogat_ip_custom.txt
C:\lists\netrogat_custom.txt
C:\configs\preset\multifix.bat
C:\configs\preset\multifix_10.bat
C:\configs\preset\multifix_2.bat
C:\configs\preset\multifix_3.bat
C:\configs\preset\multifix_4.bat
C:\configs\preset\multifix_5.bat
C:\configs\preset\multifix_6.bat
C:\configs\preset\multifix_7.bat
C:\configs\preset\multifix_8.bat
C:\configs\preset\multifix_9.bat
C:\configs\preset\multifix_ts.bat
C:\configs\preset\ultimatefix.bat
C:\configs\preset\ultimatefix_2.bat
C:\configs\preset\ultimatefix_3.bat
C:\configs\preset\ultimatefix_allport.bat
C:\configs\preset\ultimatefix_lab.bat
C:\configs\preset\ultimatefix_unreal.bat
C:\configs\preset\warp.bat
C:\configs\preset\old_configs\multifixamazone.bat
C:\configs\preset\old_configs\multifixamazone_2.bat
C:\configs\preset\old_configs\multifixamazone_3.bat
C:\configs\preset\old_configs\multifix_5_test.bat
C:\configs\preset\old_configs\ultimatefix_amaizing.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_2.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_3.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_4.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_5.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_6.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_7.bat
C:\configs\preset\old_configs\ultimatefix_amaizing_7_ip-v6.bat
C:\configs\preset\old_configs\webunlock.bat
C:\configs\preset\old_configs\webunlock_2.bat
C:\configs\preset\old_configs\webunlock_3.bat
C:\configs\preset\old_configs\webunlock_x-ip.bat
C:\configs\preset\old_configs\webunlock_x-ip_2.bat
C:\configs\preset\old_configs\webunlock_x-ip_3.bat
C:\launcher.bat
C:\config_temp.txt

Удаляет файлы, которые сам же создал

%TEMP%\613b.tmp\613c.tmp\613d.bat

Перемещает следующие файлы

C:\config_temp.txt в %APPDATA%\goodbyezapret\config.txt

Подменяет следующие файлы

C:\config_temp.txt
%APPDATA%\goodbyezapret\config.txt

Сетевая активность

Подключается к

'gi##ub.com':443
'oc##.#ectigo.com':80
'ra#.####ubusercontent.com':443

TCP

Запросы HTTP GET

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?02##############

Другие

'gi##ub.com':443
'ra#.####ubusercontent.com':443

UDP

DNS ASK gi##ub.com
DNS ASK oc##.#ectigo.com
DNS ASK ra#.####ubusercontent.com

Другое

Ищет следующие окна

ClassName: '' WindowName: ''

Создает и запускает на исполнение

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "Split-Path -Parent 'C:\Launcher.bat'"
'C:\tools\tray\goodbyezaprettray.exe'

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c "%TEMP%\613B.tmp\613C.tmp\613D.bat <Полный путь к файлу>"
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -Command "(Get-Item '<Текущая директория>\').Parent.FullName"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-Item '<Текущая директория>\').Parent.FullName"
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session
'<SYSTEM32>\chcp.com' 65001
'<SYSTEM32>\mode.com' con: cols=80 lines=25
'<SYSTEM32>\cmd.exe' /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
'<SYSTEM32>\timeout.exe' /t 1
'<SYSTEM32>\net1.exe' stop GoodbyeZapret
'<SYSTEM32>\sc.exe' delete GoodbyeZapret
'<SYSTEM32>\net1.exe' stop "WinDivert"
'<SYSTEM32>\sc.exe' delete "WinDivert"
'<SYSTEM32>\net1.exe' stop "WinDivert14"
'<SYSTEM32>\sc.exe' delete "WinDivert14"
'<SYSTEM32>\net1.exe' stop "monkey"
'<SYSTEM32>\sc.exe' delete "monkey"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "WinVer" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "WinVer"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "FirstLaunch" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "FirstLaunch"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Version" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Version"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Config" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Config"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_ConfigPatch" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_ConfigPatch"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_LastStartConfig" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_LastStartConfig"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_LastWorkConfig" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_LastWorkConfig"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_OldConfig" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_OldConfig"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Version_code" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\ALFiX inc.\GoodbyeZapret" /v "GoodbyeZapret_Version_code"
'<SYSTEM32>\curl.exe' -f -L -# -o "C:\\GoodbyeZapret.zip" "https://github.com/ALFiX01/GoodbyeZapret/raw/refs/heads/main/Files/GoodbyeZapret.zip"
'<SYSTEM32>\chcp.com' 850
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "try { Expand-Archive -Path 'C:\\GoodbyeZapret.zip' -DestinationPath 'C:\\GZ_Temp' -Force -ErrorAction Stop } catch { exit 1 }"
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp" "C:\" /E /XD "tools" "configs" "lists"
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp\tools" "C:\\tools" *.* /NFL /NDL /NJH /NJS /NC /R:0 /W:0
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp\tools\tray" "C:\\tools\tray" *.* /NFL /NDL /NJH /NJS /NC /R:0 /W:0
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp\tools\curl" "C:\\tools\curl" *.* /NFL /NDL /NJH /NJS /NC /R:0 /W:0
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp\lists" "C:\\lists" *.* /XF "netrogat_ip_custom.txt" "netrogat_custom.txt" /NFL /NDL /NJH /NJS /NC /R:0 /W:0
'<SYSTEM32>\robocopy.exe' "C:\\GZ_Temp\configs\Preset" "C:\\configs\Preset" /E
'<SYSTEM32>\tasklist.exe'
'<SYSTEM32>\find.exe' /i "Winws"
'<SYSTEM32>\timeout.exe' /t 2
'<SYSTEM32>\cmd.exe' /K "C:\\Launcher.bat"
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -Command "Split-Path -Parent \"C:\Launcher.bat\""
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "Split-Path -Parent \"C:\Launcher.bat\""
'<SYSTEM32>\cmd.exe' /S /D /c" echo."""
'<SYSTEM32>\findstr.exe' /c:" "
'<SYSTEM32>\fsutil.exe' dirty query C
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -Command "Split-Path -Parent 'C:\Launcher.bat'"
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -Command "$Host.UI.RawUI.WindowSize.Width"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "$Host.UI.RawUI.WindowSize.Width"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_CURRENT_USER\Console" /v "FaceName" 2>nul | findstr /i "FaceName"
'<SYSTEM32>\reg.exe' query "HKEY_CURRENT_USER\Console" /v "FaceName"
'<SYSTEM32>\findstr.exe' /i "FaceName"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" 2>nul | find /i "ConsentPromptBehaviorAdmin"
'<SYSTEM32>\find.exe' /i "ConsentPromptBehaviorAdmin"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" 2>nul | find /i "ConsentPromptBehaviorUser"
'<SYSTEM32>\find.exe' /i "ConsentPromptBehaviorUser"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" 2>nul | find /i "EnableInstallerDetection"
'<SYSTEM32>\find.exe' /i "EnableInstallerDetection"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" 2>nul | find /i "EnableLUA"
'<SYSTEM32>\find.exe' /i "EnableLUA"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" 2>nul | find /i "EnableSecureUIAPaths"
'<SYSTEM32>\find.exe' /i "EnableSecureUIAPaths"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken"
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" 2>nul | find /i "PromptOnSecureDesktop"
'<SYSTEM32>\find.exe' /i "PromptOnSecureDesktop"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" 2>nul | find /i "ValidateAdminCodeSignatures"
'<SYSTEM32>\find.exe' /i "ValidateAdminCodeSignatures"
'<SYSTEM32>\reg.exe' query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation
'<SYSTEM32>\find.exe' "0x1"
'<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Security" /v "DisableSecuritySettingsCheck"
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Security" /f /v "DisableSecuritySettingsCheck" /t REG_DWORD /d 1
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" 2>nul
'<SYSTEM32>\reg.exe' query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes"
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v LowRiskFileTypes /t REG_SZ /d ".exe;.reg;.bat;.vbs;.cmd;.ps1;.zip;.rar;.msi;.msu;.lnk;.7z;.tar.gz;.doc;.docx;.pdf;"...
'<SYSTEM32>\reg.exe' query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1806"
'<SYSTEM32>\find.exe' "0x0"
'<SYSTEM32>\cmd.exe' /c powershell -Command "(Get-CimInstance Win32_OperatingSystem).Caption"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "(Get-CimInstance Win32_OperatingSystem).Caption"
'<SYSTEM32>\cmd.exe' /S /D /c" echo Microsoft Windows 10 Pro "
'<SYSTEM32>\find.exe' /i "11"
'<SYSTEM32>\find.exe' /i "10"
'<SYSTEM32>\cmd.exe' /c reg query "HKCU\Control Panel\International" /v "LocaleName" | findstr /i "LocaleName"
'<SYSTEM32>\reg.exe' query "HKCU\Control Panel\International" /v "LocaleName"
'<SYSTEM32>\findstr.exe' /i "LocaleName"
'<SYSTEM32>\timeout.exe' /t 5
'<SYSTEM32>\nslookup.exe' google.com
'<SYSTEM32>\curl.exe' -4 -s -I --fail --connect-timeout 1 --max-time 1 -o nul "https://raw.githubusercontent.com"
'<SYSTEM32>\curl.exe' -4 -s -I --fail --connect-timeout 1 --max-time 1 -o nul "https://raw.githubusercontent.com/ALFiX01/GoodbyeZapret/refs/heads/main/GoodbyeZapret_Version"
'<SYSTEM32>\curl.exe' -s -o "%TEMP%\GZ_Updater.bat" "https://raw.githubusercontent.com/ALFiX01/GoodbyeZapret/refs/heads/main/GoodbyeZapret_Version"
'<SYSTEM32>\cmd.exe' /S /D /c" echo "26NV01" "
'<SYSTEM32>\findstr.exe' /i "26NV01"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq GoodbyeZapretTray.exe"
'<SYSTEM32>\find.exe' /I /N "GoodbyeZapretTray.exe"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodbyeZapret" /v Description
'<SYSTEM32>\sc.exe' query BFE
'<SYSTEM32>\findstr.exe' "STATE"
'<SYSTEM32>\cmd.exe' /c sc query BFE 2>nul | findstr "STATE"
'<SYSTEM32>\sc.exe' qc BFE
'<SYSTEM32>\findstr.exe' "START_TYPE"
'<SYSTEM32>\cmd.exe' /c sc qc BFE 2>nul | findstr "START_TYPE"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq AdguardSvc.exe"
'<SYSTEM32>\find.exe' /I "AdguardSvc.exe"
'<SYSTEM32>\cmd.exe' /c sc query 2>NUL | findstr /I "SERVICE_NAME:" | findstr /I "Killer"
'<SYSTEM32>\sc.exe' query
'<SYSTEM32>\findstr.exe' /I "SERVICE_NAME:"
'<SYSTEM32>\findstr.exe' /I "Killer"
'<SYSTEM32>\cmd.exe' /c sc query 2>NUL | findstr /I "SERVICE_NAME:" | findstr /I "Intel" | findstr /I "Connectivity" | findstr /I "Network"
'<SYSTEM32>\findstr.exe' /I "Intel"
'<SYSTEM32>\findstr.exe' /I "Connectivity"
'<SYSTEM32>\findstr.exe' /I "Network"
'<SYSTEM32>\sc.exe' query "TracSrvWrapper"
'<SYSTEM32>\findstr.exe' /I "SERVICE_NAME"
'<SYSTEM32>\sc.exe' query "EPWD"
'<SYSTEM32>\cmd.exe' /c sc query 2>NUL | findstr /I "SERVICE_NAME:" | findstr /I "SmartByte"
'<SYSTEM32>\findstr.exe' /I "SmartByte"
'<SYSTEM32>\cmd.exe' /c sc query 2>NUL | findstr /I "SERVICE_NAME:" | findstr /I "VPN"
'<SYSTEM32>\findstr.exe' /I "VPN"
'<SYSTEM32>\cmd.exe' /c wmic nicconfig where "IPEnabled=true" get DNSServerSearchOrder /format:table 2>NUL
'<SYSTEM32>\wbem\wmic.exe' nicconfig where "IPEnabled=true" get DNSServerSearchOrder /format:table
'<SYSTEM32>\cmd.exe' /S /D /c" echo {"8.#.8.8", "8.#.4.4"} "
'<SYSTEM32>\findstr.exe' /r /c:"[0-9]"
'<SYSTEM32>\findstr.exe' /i "192\.168\."
'<SYSTEM32>\cmd.exe' /S /D /c" echo "
'<SYSTEM32>\cmd.exe' /c dir /b /a:-d "C:\\configs\Preset\*.bat" 2>nul | find /v /c ""
'<SYSTEM32>\cmd.exe' /S /D /c" dir /b /a:-d "C:\\configs\Preset\*.bat" 2>nul"
'<SYSTEM32>\find.exe' /v /c ""
'<SYSTEM32>\cmd.exe' /c dir /b /a:-d "C:\\configs\Custom\*.bat" 2>nul | find /v /c ""
'<SYSTEM32>\cmd.exe' /S /D /c" dir /b /a:-d "C:\\configs\Custom\*.bat" 2>nul"
'<SYSTEM32>\sc.exe' query "GoodbyeZapret"
'<SYSTEM32>\sc.exe' query WinDivert
'<SYSTEM32>\find.exe' /I "RUNNING"
'<SYSTEM32>\sc.exe' query WinDivert14
'<SYSTEM32>\sc.exe' query monkey
'<SYSTEM32>\mode.com' con: cols=92 lines=27

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней