Malware Analysis Report

2025-08-05 14:33

Sample ID 221126-2xzx1aeh6y
Target a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80

Threat Level: Known bad

The file a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

Modifies WinLogon for persistence

NanoCore

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 22:58

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 22:58

Reported

2022-11-27 16:36

Platform

win7-20220812-en

Max time kernel

154s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1852 set thread context of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 set thread context of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 set thread context of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 set thread context of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2000 set thread context of 816 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1160 set thread context of 1628 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 788 set thread context of 1088 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 916 set thread context of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1812 set thread context of 584 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1724 set thread context of 1264 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1500 set thread context of 2000 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1696 set thread context of 468 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1624 set thread context of 360 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 556 set thread context of 968 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1488 set thread context of 1520 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2024 set thread context of 1560 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1576 set thread context of 1664 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1348 set thread context of 1840 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 300 set thread context of 1052 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1700 set thread context of 1712 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2008 set thread context of 360 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 set thread context of 1488 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1036 set thread context of 1240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1608 set thread context of 520 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 1852 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 1852 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 1852 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 940 wrote to memory of 604 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 604 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 604 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 604 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1852 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 940 wrote to memory of 360 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 360 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 360 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 360 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 360 wrote to memory of 928 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 940 wrote to memory of 1520 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 1520 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 1520 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 1520 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1520 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 940 wrote to memory of 2000 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 2000 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 2000 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 940 wrote to memory of 2000 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfcZa.vbs" 0

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp

Files

memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/940-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cfcZa.vbs

MD5 7665a54f8c588928a9858e293a55e1bd
SHA1 97903e2edafcb1ce04435bc83bfe16bcf38e64a2
SHA256 c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0
SHA512 f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/604-61-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 765ee1b400354c0c4952c0be768b99ff
SHA1 abe7597458ab5b70e63c6f6ef80cf647979464e2
SHA256 3769072c8bf980d4ce0f24788883d7e1e507a616812cf5da2bce31b151a46045
SHA512 7bc9944427bebc5056779c6b17a43ba08606b816aff2432823a8fb74446d2d366e35d2aa562e855fbc06404ea0a4662e20266983902d28463743ddafc612a0a3

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/1000-66-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-67-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-69-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-70-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-72-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-73-0x000000000041E792-mapping.dmp

memory/1000-75-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1000-77-0x0000000000400000-0x000000000043A000-memory.dmp

memory/784-86-0x000000000041E792-mapping.dmp

memory/1000-92-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/784-93-0x0000000073DC0000-0x000000007436B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/360-94-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/928-106-0x000000000041E792-mapping.dmp

memory/928-112-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1520-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

memory/1788-119-0x000000000041E792-mapping.dmp

memory/2000-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/816-132-0x000000000041E792-mapping.dmp

memory/816-138-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1160-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1000-145-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/784-146-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1628-148-0x000000000041E792-mapping.dmp

memory/784-149-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/788-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/928-155-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/928-158-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1088-164-0x000000000041E792-mapping.dmp

memory/1088-170-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1088-171-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/916-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/816-178-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/952-186-0x000000000041E792-mapping.dmp

memory/816-192-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/952-193-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1812-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/584-206-0x000000000041E792-mapping.dmp

memory/584-212-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1724-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1088-217-0x0000000073DC0000-0x000000007436B000-memory.dmp

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1088-220-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1264-228-0x000000000041E792-mapping.dmp

memory/1264-234-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1500-235-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

memory/1696-240-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/2000-246-0x000000000041E792-mapping.dmp

memory/952-247-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/468-255-0x000000000041E792-mapping.dmp

memory/952-261-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/468-262-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1624-263-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/584-267-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/584-268-0x0000000073DC0000-0x000000007436B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/556-270-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/360-281-0x000000000041E792-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1264-289-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/360-290-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1264-291-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1488-292-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

memory/2024-297-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/968-310-0x000000000041E792-mapping.dmp

memory/468-314-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1520-320-0x000000000041E792-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 ab415bf1825c9042a9ea05dcde20a753
SHA1 b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256 be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA512 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/968-329-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1520-330-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/468-331-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1560-339-0x000000000041E792-mapping.dmp

memory/1560-345-0x0000000073DC0000-0x000000007436B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/1576-346-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1664-359-0x000000000041E792-mapping.dmp

memory/1664-365-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/360-366-0x0000000073DC0000-0x000000007436B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/1348-367-0x0000000000000000-mapping.dmp

memory/360-370-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1840-378-0x000000000041E792-mapping.dmp

memory/1840-384-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/300-385-0x0000000000000000-mapping.dmp

memory/1052-394-0x000000000041E792-mapping.dmp

memory/1052-400-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1700-401-0x0000000000000000-mapping.dmp

memory/968-403-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1520-404-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1560-405-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1520-406-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1560-407-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1712-415-0x000000000041E792-mapping.dmp

memory/1712-421-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/2008-422-0x0000000000000000-mapping.dmp

memory/360-431-0x000000000041E792-mapping.dmp

memory/1664-437-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/360-438-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/604-439-0x0000000000000000-mapping.dmp

memory/1840-441-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1488-443-0x000000000041E792-mapping.dmp

memory/1840-444-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1036-445-0x0000000000000000-mapping.dmp

memory/1052-447-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1052-448-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1240-456-0x000000000041E792-mapping.dmp

memory/1240-462-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1608-463-0x0000000000000000-mapping.dmp

memory/1712-465-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/520-473-0x000000000041E792-mapping.dmp

memory/520-480-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1712-479-0x0000000073DC0000-0x000000007436B000-memory.dmp

memory/1380-481-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 22:58

Reported

2022-11-27 16:36

Platform

win10v2004-20220812-en

Max time kernel

176s

Max time network

185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5012 set thread context of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 set thread context of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 set thread context of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2464 set thread context of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 set thread context of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 set thread context of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3536 set thread context of 3672 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4308 set thread context of 2284 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2272 set thread context of 4712 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 416 set thread context of 1540 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3772 set thread context of 4124 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4208 set thread context of 3416 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 652 set thread context of 3448 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2328 set thread context of 3980 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2084 set thread context of 3780 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1268 set thread context of 2820 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4288 set thread context of 4072 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3332 set thread context of 2212 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5016 set thread context of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4912 set thread context of 228 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1704 set thread context of 4688 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 240 set thread context of 4572 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2288 set thread context of 3512 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3540 set thread context of 4996 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4640 set thread context of 4356 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3620 set thread context of 1612 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 5012 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 5012 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\SysWOW64\WScript.exe
PID 4868 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5012 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4868 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1744 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4868 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4868 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4100 wrote to memory of 240 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4868 wrote to memory of 1532 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 1532 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 4868 wrote to memory of 1532 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1532 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4868 wrote to memory of 3536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDSfD.vbs" 0

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1120 -ip 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 80

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3416 -ip 3416

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 12

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3980 -ip 3980

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4688 -ip 4688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 80

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 80

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 80

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 80

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"

Network

Country Destination Domain Proto
N/A 8.238.21.126:80 tcp
N/A 93.184.221.240:80 tcp
N/A 40.77.2.164:443 tcp
N/A 20.42.65.90:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 8.8.4.4:53 mercipotobibi.crabdance.com udp
N/A 8.8.8.8:53 mercipotobibi.crabdance.com udp
N/A 127.0.0.1:1337 tcp

Files

memory/4868-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nDSfD.vbs

MD5 7665a54f8c588928a9858e293a55e1bd
SHA1 97903e2edafcb1ce04435bc83bfe16bcf38e64a2
SHA256 c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0
SHA512 f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4964-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4932-138-0x0000000000000000-mapping.dmp

memory/4932-139-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4860-140-0x0000000000000000-mapping.dmp

memory/1744-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2476-145-0x0000000000000000-mapping.dmp

memory/2476-147-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4860-148-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4932-149-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/2464-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1120-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

MD5 5b4789d01bb4d7483b71e1a35bce6a8b
SHA1 de083f2131c9a763c0d1810c97a38732146cffbf
SHA256 e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

memory/4932-157-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4860-156-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4100-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/240-161-0x0000000000000000-mapping.dmp

memory/240-163-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/2476-164-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/1532-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4380-168-0x0000000000000000-mapping.dmp

memory/4380-170-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/240-171-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3536-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3672-175-0x0000000000000000-mapping.dmp

memory/3672-177-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4380-178-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4308-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2284-182-0x0000000000000000-mapping.dmp

memory/2284-184-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3672-185-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/2272-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4712-189-0x0000000000000000-mapping.dmp

memory/4712-191-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/2284-192-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/416-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1540-196-0x0000000000000000-mapping.dmp

memory/1540-198-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4712-199-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3772-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4208-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/1540-204-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 32915ebf0e709bc40254d3ebedffb6ed
SHA1 98f317e1c252e58b8a21e3a7de96f0e91769908f
SHA256 afcc5fefc188663a744b8d4cc395f76b51cf5ab48070709dbfef38bae9463b88
SHA512 fdca2cec060267641032e9012faa60d25783797b87a332d4dae1658e49df56fc5a92c5f6723f8ba746e2dda200d7333ae8bc2bde3d82077bc1b90e13de91dd37

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 019d8de83fae02c44629868000872e9f
SHA1 f8cb92397ec81d8762529cfc23b09a686463d7da
SHA256 0fe2c31b7812aada7aaace2d105694e34eecca2b480d949388c4bb242ed86942
SHA512 02febc111ee6f7d8bb6d0aa015683cbf3db2d5e468f52b113033d407dcdb309fa4222d9a09b448ca30c35a414e3d7828c9f467ddcc6283d31f9e0949ada0dfb2

memory/4124-207-0x0000000000000000-mapping.dmp

memory/3416-208-0x0000000000000000-mapping.dmp

memory/4124-211-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/652-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3448-215-0x0000000000000000-mapping.dmp

memory/3448-217-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4124-218-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/2328-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3980-222-0x0000000000000000-mapping.dmp

memory/3448-224-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/1268-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/2084-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 aa059277bdc7ee47e9c1ad5c9d6f0e81
SHA1 ccf33b2884e0c9aab9c947f0fbd09ed64baff426
SHA256 8b087a4deb140d432095e1e2dc1e2161ad51388df718437170108f4b3826a224
SHA512 0e4c08b9b50ddd5b4929f9ca93d1105bfdb5232e5649723c0d6bd76d6fb1d9a4c5345bc81085aab083407397bab2abf1e158677096fa01d43a022dba5b5bb741

memory/3780-230-0x0000000000000000-mapping.dmp

memory/2820-232-0x0000000000000000-mapping.dmp

memory/4288-234-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/2820-236-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3780-237-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 139cd80467603efdc9576c90688dbf91
SHA1 1b57e4354756d734823c07d511398e08309b1782
SHA256 56981480fb250a50527aee5ac9ffc51312cd1f8446a6dd218c20517e521c84c9
SHA512 462ecba2b74e343d4ccfd0dd3134908d1d58e68754c2cc5754248204ab8cc400d37788d464bad5c23ded8372f22a5737fe07f66b162a6fd33fce0d8e4c63c57f

memory/4072-239-0x0000000000000000-mapping.dmp

memory/4072-241-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3332-242-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2212-245-0x0000000000000000-mapping.dmp

memory/2212-247-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3780-248-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/2820-249-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4072-250-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/5016-251-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2212-254-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4860-255-0x0000000000000000-mapping.dmp

memory/4912-257-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4860-259-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 cec463991ae7d8138995ba98ff82b0d9
SHA1 f0b0bcd71658e98cc32469a8b8195a1fe2d919b6
SHA256 cf4226cb967a1b3474b4e65139aeaf5761b27ea0f408dce14527e3b6e11276e1
SHA512 efcd879abf2a909c834397bd7504b810da274529088b90422bda81f36e01bac873c9926f69d0d0edf701f3e5a03d17a564abcc164d0d29b667c35c349533eb81

memory/228-261-0x0000000000000000-mapping.dmp

memory/228-263-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/1704-264-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/4860-266-0x0000000073510000-0x0000000073AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 3aed3edcd54acd1762713b19bbd3d0e9
SHA1 f1bda063f8e9ca53b4d62f22158b4b28f3859d06
SHA256 3e6cb80558b16e279369579780f8a55ff79a045fd23148a771806da009bfc96f
SHA512 48de11b8a6441a9f6f52cd243a1298beb8e39d2bcd97a9ad4c4536267b493ec4ee9c7d04750f72291e63428565d2169b46b98adab084046126eb03222888ea78

memory/4688-268-0x0000000000000000-mapping.dmp

memory/228-270-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/240-271-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4572-274-0x0000000000000000-mapping.dmp

memory/2288-276-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe

MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093

memory/3512-278-0x0000000000000000-mapping.dmp

memory/3540-280-0x0000000000000000-mapping.dmp

memory/4996-281-0x0000000000000000-mapping.dmp

memory/4996-283-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4640-284-0x0000000000000000-mapping.dmp

memory/4356-285-0x0000000000000000-mapping.dmp

memory/4996-286-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/3620-288-0x0000000000000000-mapping.dmp

memory/1612-289-0x0000000000000000-mapping.dmp

memory/1612-291-0x0000000073510000-0x0000000073AC1000-memory.dmp

memory/4448-292-0x0000000000000000-mapping.dmp