Analysis Overview
SHA256
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
Threat Level: Known bad
The file a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
NanoCore
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 22:58
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 22:58
Reported
2022-11-27 16:36
Platform
win7-20220812-en
Max time kernel
154s
Max time network
178s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
NanoCore
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfcZa.vbs" 0
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
Files
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/940-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cfcZa.vbs
| MD5 | 7665a54f8c588928a9858e293a55e1bd |
| SHA1 | 97903e2edafcb1ce04435bc83bfe16bcf38e64a2 |
| SHA256 | c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0 |
| SHA512 | f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3 |
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/604-61-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | 765ee1b400354c0c4952c0be768b99ff |
| SHA1 | abe7597458ab5b70e63c6f6ef80cf647979464e2 |
| SHA256 | 3769072c8bf980d4ce0f24788883d7e1e507a616812cf5da2bce31b151a46045 |
| SHA512 | 7bc9944427bebc5056779c6b17a43ba08606b816aff2432823a8fb74446d2d366e35d2aa562e855fbc06404ea0a4662e20266983902d28463743ddafc612a0a3 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/1000-66-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-67-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-69-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-70-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-72-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-73-0x000000000041E792-mapping.dmp
memory/1000-75-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1000-77-0x0000000000400000-0x000000000043A000-memory.dmp
memory/784-86-0x000000000041E792-mapping.dmp
memory/1000-92-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/784-93-0x0000000073DC0000-0x000000007436B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/360-94-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/928-106-0x000000000041E792-mapping.dmp
memory/928-112-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1520-113-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | ab415bf1825c9042a9ea05dcde20a753 |
| SHA1 | b6fd6ce45d3d0e870310ffab8309d9f33907234f |
| SHA256 | be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721 |
| SHA512 | 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37 |
memory/1788-119-0x000000000041E792-mapping.dmp
memory/2000-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/816-132-0x000000000041E792-mapping.dmp
memory/816-138-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1160-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1000-145-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/784-146-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1628-148-0x000000000041E792-mapping.dmp
memory/784-149-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/788-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | ab415bf1825c9042a9ea05dcde20a753 |
| SHA1 | b6fd6ce45d3d0e870310ffab8309d9f33907234f |
| SHA256 | be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721 |
| SHA512 | 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/928-155-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/928-158-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1088-164-0x000000000041E792-mapping.dmp
memory/1088-170-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1088-171-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/916-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/816-178-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/952-186-0x000000000041E792-mapping.dmp
memory/816-192-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/952-193-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1812-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/584-206-0x000000000041E792-mapping.dmp
memory/584-212-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1724-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1088-217-0x0000000073DC0000-0x000000007436B000-memory.dmp
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1088-220-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1264-228-0x000000000041E792-mapping.dmp
memory/1264-234-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1500-235-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | ab415bf1825c9042a9ea05dcde20a753 |
| SHA1 | b6fd6ce45d3d0e870310ffab8309d9f33907234f |
| SHA256 | be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721 |
| SHA512 | 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37 |
memory/1696-240-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | ab415bf1825c9042a9ea05dcde20a753 |
| SHA1 | b6fd6ce45d3d0e870310ffab8309d9f33907234f |
| SHA256 | be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721 |
| SHA512 | 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/2000-246-0x000000000041E792-mapping.dmp
memory/952-247-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/468-255-0x000000000041E792-mapping.dmp
memory/952-261-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/468-262-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1624-263-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/584-267-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/584-268-0x0000000073DC0000-0x000000007436B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/556-270-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/360-281-0x000000000041E792-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1264-289-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/360-290-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1264-291-0x0000000073DC0000-0x000000007436B000-memory.dmp
memory/1488-292-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | ab415bf1825c9042a9ea05dcde20a753 |
| SHA1 | b6fd6ce45d3d0e870310ffab8309d9f33907234f |
| SHA256 | be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721 |
| SHA512 | 5610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 22:58
Reported
2022-11-27 16:36
Platform
win10v2004-20220812-en
Max time kernel
176s
Max time network
185s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
NanoCore
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDSfD.vbs" 0
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1120 -ip 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 80
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3416 -ip 3416
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 12
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3980 -ip 3980
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 80
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4572 -ip 4572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 80
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 80
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4356 -ip 4356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 80
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.238.21.126:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 40.77.2.164:443 | | tcp |
| N/A | 20.42.65.90:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 127.0.0.1:1337 | | tcp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.4.4:53 | mercipotobibi.crabdance.com | udp |
| N/A | 8.8.8.8:53 | mercipotobibi.crabdance.com | udp |
| N/A | 127.0.0.1:1337 | | tcp |
Files
memory/4868-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nDSfD.vbs
| MD5 | 7665a54f8c588928a9858e293a55e1bd |
| SHA1 | 97903e2edafcb1ce04435bc83bfe16bcf38e64a2 |
| SHA256 | c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0 |
| SHA512 | f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3 |
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4964-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4932-138-0x0000000000000000-mapping.dmp
memory/4932-139-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4860-140-0x0000000000000000-mapping.dmp
memory/1744-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2476-145-0x0000000000000000-mapping.dmp
memory/2476-147-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4860-148-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4932-149-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/2464-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1120-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 5b4789d01bb4d7483b71e1a35bce6a8b |
| SHA1 | de083f2131c9a763c0d1810c97a38732146cffbf |
| SHA256 | e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6 |
| SHA512 | 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede |
memory/4932-157-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4860-156-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4100-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/240-161-0x0000000000000000-mapping.dmp
memory/240-163-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/2476-164-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/1532-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4380-168-0x0000000000000000-mapping.dmp
memory/4380-170-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/240-171-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3536-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3672-175-0x0000000000000000-mapping.dmp
memory/3672-177-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4380-178-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4308-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2284-182-0x0000000000000000-mapping.dmp
memory/2284-184-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3672-185-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/2272-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4712-189-0x0000000000000000-mapping.dmp
memory/4712-191-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/2284-192-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/416-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1540-196-0x0000000000000000-mapping.dmp
memory/1540-198-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4712-199-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3772-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4208-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/1540-204-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | 32915ebf0e709bc40254d3ebedffb6ed |
| SHA1 | 98f317e1c252e58b8a21e3a7de96f0e91769908f |
| SHA256 | afcc5fefc188663a744b8d4cc395f76b51cf5ab48070709dbfef38bae9463b88 |
| SHA512 | fdca2cec060267641032e9012faa60d25783797b87a332d4dae1658e49df56fc5a92c5f6723f8ba746e2dda200d7333ae8bc2bde3d82077bc1b90e13de91dd37 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | 019d8de83fae02c44629868000872e9f |
| SHA1 | f8cb92397ec81d8762529cfc23b09a686463d7da |
| SHA256 | 0fe2c31b7812aada7aaace2d105694e34eecca2b480d949388c4bb242ed86942 |
| SHA512 | 02febc111ee6f7d8bb6d0aa015683cbf3db2d5e468f52b113033d407dcdb309fa4222d9a09b448ca30c35a414e3d7828c9f467ddcc6283d31f9e0949ada0dfb2 |
memory/4124-207-0x0000000000000000-mapping.dmp
memory/3416-208-0x0000000000000000-mapping.dmp
memory/4124-211-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/652-212-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3448-215-0x0000000000000000-mapping.dmp
memory/3448-217-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4124-218-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/2328-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3980-222-0x0000000000000000-mapping.dmp
memory/3448-224-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/1268-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/2084-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | aa059277bdc7ee47e9c1ad5c9d6f0e81 |
| SHA1 | ccf33b2884e0c9aab9c947f0fbd09ed64baff426 |
| SHA256 | 8b087a4deb140d432095e1e2dc1e2161ad51388df718437170108f4b3826a224 |
| SHA512 | 0e4c08b9b50ddd5b4929f9ca93d1105bfdb5232e5649723c0d6bd76d6fb1d9a4c5345bc81085aab083407397bab2abf1e158677096fa01d43a022dba5b5bb741 |
memory/3780-230-0x0000000000000000-mapping.dmp
memory/2820-232-0x0000000000000000-mapping.dmp
memory/4288-234-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/2820-236-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3780-237-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | 139cd80467603efdc9576c90688dbf91 |
| SHA1 | 1b57e4354756d734823c07d511398e08309b1782 |
| SHA256 | 56981480fb250a50527aee5ac9ffc51312cd1f8446a6dd218c20517e521c84c9 |
| SHA512 | 462ecba2b74e343d4ccfd0dd3134908d1d58e68754c2cc5754248204ab8cc400d37788d464bad5c23ded8372f22a5737fe07f66b162a6fd33fce0d8e4c63c57f |
memory/4072-239-0x0000000000000000-mapping.dmp
memory/4072-241-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3332-242-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2212-245-0x0000000000000000-mapping.dmp
memory/2212-247-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3780-248-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/2820-249-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4072-250-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/5016-251-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2212-254-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4860-255-0x0000000000000000-mapping.dmp
memory/4912-257-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4860-259-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | cec463991ae7d8138995ba98ff82b0d9 |
| SHA1 | f0b0bcd71658e98cc32469a8b8195a1fe2d919b6 |
| SHA256 | cf4226cb967a1b3474b4e65139aeaf5761b27ea0f408dce14527e3b6e11276e1 |
| SHA512 | efcd879abf2a909c834397bd7504b810da274529088b90422bda81f36e01bac873c9926f69d0d0edf701f3e5a03d17a564abcc164d0d29b667c35c349533eb81 |
memory/228-261-0x0000000000000000-mapping.dmp
memory/228-263-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/1704-264-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/4860-266-0x0000000073510000-0x0000000073AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | 3aed3edcd54acd1762713b19bbd3d0e9 |
| SHA1 | f1bda063f8e9ca53b4d62f22158b4b28f3859d06 |
| SHA256 | 3e6cb80558b16e279369579780f8a55ff79a045fd23148a771806da009bfc96f |
| SHA512 | 48de11b8a6441a9f6f52cd243a1298beb8e39d2bcd97a9ad4c4536267b493ec4ee9c7d04750f72291e63428565d2169b46b98adab084046126eb03222888ea78 |
memory/4688-268-0x0000000000000000-mapping.dmp
memory/228-270-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/240-271-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
C:\Users\Admin\AppData\Local\Temp\Ind\boot.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4572-274-0x0000000000000000-mapping.dmp
memory/2288-276-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
| MD5 | fd3675162967550d15055b7e9ddccc25 |
| SHA1 | b0dcd0b5ebb171635dacb69951df5f85f2c47e61 |
| SHA256 | a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80 |
| SHA512 | 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093 |
memory/3512-278-0x0000000000000000-mapping.dmp
memory/3540-280-0x0000000000000000-mapping.dmp
memory/4996-281-0x0000000000000000-mapping.dmp
memory/4996-283-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4640-284-0x0000000000000000-mapping.dmp
memory/4356-285-0x0000000000000000-mapping.dmp
memory/4996-286-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/3620-288-0x0000000000000000-mapping.dmp
memory/1612-289-0x0000000000000000-mapping.dmp
memory/1612-291-0x0000000073510000-0x0000000073AC1000-memory.dmp
memory/4448-292-0x0000000000000000-mapping.dmp