darkcomet | a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

Analysis

max time kernel
151s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe
Size

1.3MB
MD5

5818b9c7e1e4f408f28f5a6c6d0a7565
SHA1

b18ddaf0338af454365b5acd9d5d3ac7a6a890e0
SHA256

a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68
SHA512

9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057
SSDEEP

24576:UJE8PA1dmGeDye5Dt3c2kFOoJU8PaTRFmYvQ49sMZ5D34zvXjycTZPVP6:qtPA8f+e5DpAc6wfmYvXZ5cjZPVP6

Score

10^/10

darkcomet thenthacker evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

THENTHACKER

thenthacker.no-ip.org:1604

Mutex

DC_MUTEX-WPNYUQ7

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
92Uc0EZwdkTP
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 37 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Java.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe

Executes dropped EXE 64 IoCs

Processes:

Java.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exe

pid	process
2036	Java.exe
1676	msdcsc.exe
604	Java.exe
1688	msdcsc.exe
1240	Java.exe
1896	msdcsc.exe
1660	Java.exe
1548	msdcsc.exe
2032	Java.exe
1828	msdcsc.exe
1412	Java.exe
2344	msdcsc.exe
2420	Java.exe
2660	msdcsc.exe
2716	Java.exe
2944	msdcsc.exe
2996	Java.exe
2276	msdcsc.exe
2332	Java.exe
2464	msdcsc.exe
2692	Java.exe
1540	msdcsc.exe
2240	Java.exe
2492	msdcsc.exe
2860	Java.exe
2524	msdcsc.exe
2896	Java.exe
2584	msdcsc.exe
2144	Java.exe
3196	msdcsc.exe
3248	Java.exe
3480	msdcsc.exe
3528	Java.exe
3756	msdcsc.exe
3808	Java.exe
4040	msdcsc.exe
4088	Java.exe
1672	msdcsc.exe
3252	Java.exe
3788	msdcsc.exe
3912	Java.exe
3160	msdcsc.exe
3316	Java.exe
3084	msdcsc.exe
3136	Java.exe
3432	msdcsc.exe
3476	Java.exe
3568	msdcsc.exe
4040	Java.exe
4256	msdcsc.exe
4308	Java.exe
4532	msdcsc.exe
4580	Java.exe
4800	msdcsc.exe
4852	Java.exe
5076	msdcsc.exe
4184	Java.exe
4512	msdcsc.exe
4308	Java.exe
4884	msdcsc.exe
5044	Java.exe
4152	msdcsc.exe
4512	Java.exe
4484	msdcsc.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2392	attrib.exe
3576	attrib.exe
3684	attrib.exe
4992	attrib.exe
4256	attrib.exe
5188	attrib.exe
1032	attrib.exe
3256	attrib.exe
3196	attrib.exe
2032	attrib.exe
2232	attrib.exe
2356	attrib.exe
3380	attrib.exe
3672	attrib.exe
1300	attrib.exe
1072	attrib.exe
3416	attrib.exe
5488	attrib.exe
684	attrib.exe
4744	attrib.exe
2976	attrib.exe
5472	attrib.exe
3272	attrib.exe
4180	attrib.exe
4440	attrib.exe
1128	attrib.exe
1768	attrib.exe
2860	attrib.exe
1344	attrib.exe
2576	attrib.exe
4328	attrib.exe
4416	attrib.exe
2592	attrib.exe
2264	attrib.exe
3568	attrib.exe
5020	attrib.exe
4316	attrib.exe
5756	attrib.exe
360	attrib.exe
2576	attrib.exe
4040	attrib.exe
4256	attrib.exe
4704	attrib.exe
2736	attrib.exe
2484	attrib.exe
3104	attrib.exe
3132	attrib.exe
3196	attrib.exe
4732	attrib.exe
3840	attrib.exe
4168	attrib.exe
5088	attrib.exe
2876	attrib.exe
1680	attrib.exe
2528	attrib.exe
2064	attrib.exe
3756	attrib.exe
5744	attrib.exe
4820	attrib.exe
996	attrib.exe
1828	attrib.exe
2152	attrib.exe
2204	attrib.exe
3948	attrib.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd	upx

Loads dropped DLL 64 IoCs

Processes:

a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exeJava.execmd.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exemsdcsc.exeJava.exe

pid	process
1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe
1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe
2036	Java.exe
2036	Java.exe
1676	cmd.exe
1676	cmd.exe
604	Java.exe
604	Java.exe
1688	msdcsc.exe
1688	msdcsc.exe
1240	Java.exe
1240	Java.exe
1896	msdcsc.exe
1896	msdcsc.exe
1660	Java.exe
1660	Java.exe
1548	msdcsc.exe
1548	msdcsc.exe
2032	Java.exe
2032	Java.exe
1828	msdcsc.exe
1828	msdcsc.exe
1412	Java.exe
1412	Java.exe
2344	msdcsc.exe
2344	msdcsc.exe
2420	Java.exe
2420	Java.exe
2660	msdcsc.exe
2660	msdcsc.exe
2716	Java.exe
2716	Java.exe
2944	msdcsc.exe
2944	msdcsc.exe
2996	Java.exe
2996	Java.exe
2276	msdcsc.exe
2276	msdcsc.exe
2332	Java.exe
2332	Java.exe
2464	msdcsc.exe
2464	msdcsc.exe
2692	Java.exe
2692	Java.exe
1540	msdcsc.exe
1540	msdcsc.exe
2240	Java.exe
2240	Java.exe
2492	msdcsc.exe
2492	msdcsc.exe
2860	Java.exe
2860	Java.exe
2524	msdcsc.exe
2524	msdcsc.exe
2896	Java.exe
2896	Java.exe
2584	msdcsc.exe
2584	msdcsc.exe
2144	Java.exe
2144	Java.exe
3196	msdcsc.exe
3196	msdcsc.exe
3248	Java.exe
3248	Java.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdcsc.execmd.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exeJava.exemsdcsc.exemsdcsc.exemsdcsc.exeJava.exeJava.exeJava.exemsdcsc.exeJava.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeJava.exeJava.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exeJava.exeJava.exeJava.exeJava.exeJava.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeJava.exemsdcsc.exemsdcsc.exeJava.exemsdcsc.exeJava.exeJava.exemsdcsc.exemsdcsc.exeJava.exeJava.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\92Uc0EZwdkTP\\92Uc0EZwdkTP\\msdcsc.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Runtime = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Java.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\	Java.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe
File created	C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe	Java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Java.exeJava.exeJava.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2036	Java.exe
Token: SeSecurityPrivilege	2036	Java.exe
Token: SeTakeOwnershipPrivilege	2036	Java.exe
Token: SeLoadDriverPrivilege	2036	Java.exe
Token: SeSystemProfilePrivilege	2036	Java.exe
Token: SeSystemtimePrivilege	2036	Java.exe
Token: SeProfSingleProcessPrivilege	2036	Java.exe
Token: SeIncBasePriorityPrivilege	2036	Java.exe
Token: SeCreatePagefilePrivilege	2036	Java.exe
Token: SeBackupPrivilege	2036	Java.exe
Token: SeRestorePrivilege	2036	Java.exe
Token: SeShutdownPrivilege	2036	Java.exe
Token: SeDebugPrivilege	2036	Java.exe
Token: SeSystemEnvironmentPrivilege	2036	Java.exe
Token: SeChangeNotifyPrivilege	2036	Java.exe
Token: SeRemoteShutdownPrivilege	2036	Java.exe
Token: SeUndockPrivilege	2036	Java.exe
Token: SeManageVolumePrivilege	2036	Java.exe
Token: SeImpersonatePrivilege	2036	Java.exe
Token: SeCreateGlobalPrivilege	2036	Java.exe
Token: 33	2036	Java.exe
Token: 34	2036	Java.exe
Token: 35	2036	Java.exe
Token: SeIncreaseQuotaPrivilege	604	Java.exe
Token: SeSecurityPrivilege	604	Java.exe
Token: SeTakeOwnershipPrivilege	604	Java.exe
Token: SeLoadDriverPrivilege	604	Java.exe
Token: SeSystemProfilePrivilege	604	Java.exe
Token: SeSystemtimePrivilege	604	Java.exe
Token: SeProfSingleProcessPrivilege	604	Java.exe
Token: SeIncBasePriorityPrivilege	604	Java.exe
Token: SeCreatePagefilePrivilege	604	Java.exe
Token: SeBackupPrivilege	604	Java.exe
Token: SeRestorePrivilege	604	Java.exe
Token: SeShutdownPrivilege	604	Java.exe
Token: SeDebugPrivilege	604	Java.exe
Token: SeSystemEnvironmentPrivilege	604	Java.exe
Token: SeChangeNotifyPrivilege	604	Java.exe
Token: SeRemoteShutdownPrivilege	604	Java.exe
Token: SeUndockPrivilege	604	Java.exe
Token: SeManageVolumePrivilege	604	Java.exe
Token: SeImpersonatePrivilege	604	Java.exe
Token: SeCreateGlobalPrivilege	604	Java.exe
Token: 33	604	Java.exe
Token: 34	604	Java.exe
Token: 35	604	Java.exe
Token: SeIncreaseQuotaPrivilege	1240	Java.exe
Token: SeSecurityPrivilege	1240	Java.exe
Token: SeTakeOwnershipPrivilege	1240	Java.exe
Token: SeLoadDriverPrivilege	1240	Java.exe
Token: SeSystemProfilePrivilege	1240	Java.exe
Token: SeSystemtimePrivilege	1240	Java.exe
Token: SeProfSingleProcessPrivilege	1240	Java.exe
Token: SeIncBasePriorityPrivilege	1240	Java.exe
Token: SeCreatePagefilePrivilege	1240	Java.exe
Token: SeBackupPrivilege	1240	Java.exe
Token: SeRestorePrivilege	1240	Java.exe
Token: SeShutdownPrivilege	1240	Java.exe
Token: SeDebugPrivilege	1240	Java.exe
Token: SeSystemEnvironmentPrivilege	1240	Java.exe
Token: SeChangeNotifyPrivilege	1240	Java.exe
Token: SeRemoteShutdownPrivilege	1240	Java.exe
Token: SeUndockPrivilege	1240	Java.exe
Token: SeManageVolumePrivilege	1240	Java.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

DllHost.exe

pid	process
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe
1432	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

1208 AcroRd32.exe
1208 AcroRd32.exe

pid	process
1208	AcroRd32.exe
1208	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exeJava.execmd.execmd.exerundll32.exemsdcsc.exe

description	pid	process	target process
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2020	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	rundll32.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 1416 wrote to memory of 2036	1416	a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe	Java.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 316	2036	Java.exe	rundll32.exe
PID 2036 wrote to memory of 520	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 1172	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 1172	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 1172	2036	Java.exe	cmd.exe
PID 2036 wrote to memory of 1172	2036	Java.exe	cmd.exe
PID 1172 wrote to memory of 824	1172	cmd.exe	attrib.exe
PID 1172 wrote to memory of 824	1172	cmd.exe	attrib.exe
PID 1172 wrote to memory of 824	1172	cmd.exe	attrib.exe
PID 1172 wrote to memory of 824	1172	cmd.exe	attrib.exe
PID 520 wrote to memory of 1300	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1300	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1300	520	cmd.exe	attrib.exe
PID 520 wrote to memory of 1300	520	cmd.exe	attrib.exe
PID 316 wrote to memory of 1208	316	rundll32.exe	AcroRd32.exe
PID 316 wrote to memory of 1208	316	rundll32.exe	AcroRd32.exe
PID 316 wrote to memory of 1208	316	rundll32.exe	AcroRd32.exe
PID 316 wrote to memory of 1208	316	rundll32.exe	AcroRd32.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1920	2036	Java.exe	notepad.exe
PID 2036 wrote to memory of 1676	2036	Java.exe	msdcsc.exe
PID 2036 wrote to memory of 1676	2036	Java.exe	msdcsc.exe
PID 2036 wrote to memory of 1676	2036	Java.exe	msdcsc.exe
PID 2036 wrote to memory of 1676	2036	Java.exe	msdcsc.exe
PID 1676 wrote to memory of 1584	1676	msdcsc.exe	rundll32.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

pid	process
1128	attrib.exe
1768	attrib.exe
4256	attrib.exe
5196	attrib.exe
684	attrib.exe
2356	attrib.exe
3104	attrib.exe
3380	attrib.exe
4992	attrib.exe
2976	attrib.exe
2716	attrib.exe
2576	attrib.exe
3272	attrib.exe
4040	attrib.exe
1032	attrib.exe
3840	attrib.exe
2484	attrib.exe
3576	attrib.exe
4744	attrib.exe
4328	attrib.exe
4416	attrib.exe
5188	attrib.exe
1072	attrib.exe
1344	attrib.exe
3256	attrib.exe
4180	attrib.exe
2264	attrib.exe
2524	attrib.exe
2152	attrib.exe
2204	attrib.exe
4316	attrib.exe
4256	attrib.exe
2860	attrib.exe
1540	attrib.exe
3132	attrib.exe
3416	attrib.exe
3684	attrib.exe
4468	attrib.exe
5472	attrib.exe
2232	attrib.exe
2868	attrib.exe
3948	attrib.exe
1680	attrib.exe
2192	attrib.exe
2064	attrib.exe
2876	attrib.exe
4440	attrib.exe
1464	attrib.exe
3672	attrib.exe
3756	attrib.exe
5488	attrib.exe
2032	attrib.exe
2592	attrib.exe
3568	attrib.exe
5756	attrib.exe
1300	attrib.exe
824	attrib.exe
360	attrib.exe
2392	attrib.exe
3956	attrib.exe
3196	attrib.exe
4168	attrib.exe
4820	attrib.exe
5088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe
"C:\Users\Admin\AppData\Local\Temp\a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
2⤵
- Modifies registry class
PID:2020

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
4⤵
- Views/modifies file attributes
PID:824

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1920

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
4⤵
- Modifies registry class
PID:1584

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
5⤵
PID:2024

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd"
6⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
5⤵
PID:844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
5⤵
PID:2000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
6⤵
- Views/modifies file attributes
PID:1464

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1776

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\msdcsc.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
6⤵
PID:1532

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
7⤵
PID:1996

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd"
8⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
7⤵
PID:1212

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
7⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2032

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:952

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
8⤵
- Modifies registry class
PID:924

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
9⤵
- Modifies registry class
PID:1596

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd"
10⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
9⤵
PID:1180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
9⤵
PID:900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1768

C:\Windows\SysWOW64\notepad.exe
notepad
9⤵
PID:1608

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
10⤵
- Modifies registry class
PID:1028

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
11⤵
- Modifies registry class
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
11⤵
PID:432

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
12⤵
- Sets file to hidden
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
11⤵
PID:1204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:360

C:\Windows\SysWOW64\notepad.exe
notepad
11⤵
PID:1892

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1828

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
12⤵
- Modifies registry class
PID:1564

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd"
13⤵
PID:2088

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
13⤵
- Modifies registry class
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
13⤵
PID:2156

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
14⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
13⤵
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
14⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2264

C:\Windows\SysWOW64\notepad.exe
notepad
13⤵
PID:2324

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2344

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
14⤵
- Modifies registry class
PID:2408

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2420

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
15⤵
- Modifies registry class
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
15⤵
PID:2496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
15⤵
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
16⤵
- Sets file to hidden
PID:2576

C:\Windows\SysWOW64\notepad.exe
notepad
15⤵
PID:2644

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
16⤵
PID:2708

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2716

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
17⤵
- Modifies registry class
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
17⤵
PID:2804

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
18⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
17⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
18⤵
- Views/modifies file attributes
PID:2868

C:\Windows\SysWOW64\notepad.exe
notepad
17⤵
PID:2928

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
18⤵
- Modifies registry class
PID:2988

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
19⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
19⤵
PID:1924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
19⤵
PID:1764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1344

C:\Windows\SysWOW64\notepad.exe
notepad
19⤵
PID:2184

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
20⤵
- Modifies registry class
PID:2304

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2332

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
21⤵
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
21⤵
PID:2380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
22⤵
- Views/modifies file attributes
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
21⤵
PID:2388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2484

C:\Windows\SysWOW64\notepad.exe
notepad
21⤵
PID:1960

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2464

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
22⤵
- Modifies registry class
PID:2700

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
23⤵
- Modifies registry class
PID:2840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
23⤵
PID:2868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
23⤵
PID:2900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
24⤵
- Views/modifies file attributes
PID:2716

C:\Windows\SysWOW64\notepad.exe
notepad
23⤵
PID:3048

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1540

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
24⤵
- Modifies registry class
PID:2128

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
25⤵
- Modifies registry class
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
25⤵
PID:2312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
25⤵
PID:2296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2356

C:\Windows\SysWOW64\notepad.exe
notepad
25⤵
PID:2468

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
26⤵
- Modifies registry class
PID:2752

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
27⤵
- Modifies registry class
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
27⤵
PID:2872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
28⤵
- Views/modifies file attributes
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
27⤵
PID:2852

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
28⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2152

C:\Windows\SysWOW64\notepad.exe
notepad
27⤵
PID:2404

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
27⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
28⤵
- Modifies registry class
PID:2460

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
29⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
29⤵
PID:2260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
30⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
29⤵
PID:2092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
30⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2392

C:\Windows\SysWOW64\notepad.exe
notepad
29⤵
PID:2152

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
29⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
30⤵
- Modifies registry class
PID:2392

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2144

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
31⤵
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
31⤵
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
32⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
31⤵
PID:2768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
32⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3132

C:\Windows\SysWOW64\notepad.exe
notepad
31⤵
PID:3180

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
31⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
32⤵
PID:3240

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
33⤵
- Modifies registry class
PID:3304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
33⤵
PID:3320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
34⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
33⤵
PID:3328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
34⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3416

C:\Windows\SysWOW64\notepad.exe
notepad
33⤵
PID:3464

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
33⤵
- Executes dropped EXE
PID:3480

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
34⤵
- Modifies registry class
PID:3520

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
35⤵
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
35⤵
PID:3596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
36⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
35⤵
PID:3612

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
36⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3684

C:\Windows\SysWOW64\notepad.exe
notepad
35⤵
PID:3740

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
35⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
36⤵
- Modifies registry class
PID:3800

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
37⤵
- Modifies registry class
PID:3864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
37⤵
PID:3888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
38⤵
- Views/modifies file attributes
PID:3956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
37⤵
PID:3880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
38⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3948

C:\Windows\SysWOW64\notepad.exe
notepad
37⤵
PID:4020

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
37⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
38⤵
- Modifies registry class
PID:4080

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:4088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
39⤵
- Modifies registry class
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
39⤵
PID:1692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
40⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
39⤵
PID:3096

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
40⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3272

C:\Windows\SysWOW64\notepad.exe
notepad
39⤵
PID:3448

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
39⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1672

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
40⤵
- Modifies registry class
PID:3376

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
41⤵
- Modifies registry class
PID:3572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
41⤵
PID:3672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
42⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
41⤵
PID:3636

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
42⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1032

C:\Windows\SysWOW64\notepad.exe
notepad
41⤵
PID:1836

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
41⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3788

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
42⤵
PID:3872

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
43⤵
- Modifies registry class
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
43⤵
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
43⤵
PID:4052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3256

C:\Windows\SysWOW64\notepad.exe
notepad
43⤵
PID:3436

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
43⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
44⤵
- Modifies registry class
PID:3288

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3316

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
45⤵
- Modifies registry class
PID:3752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
45⤵
PID:3652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
46⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
45⤵
PID:1784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
46⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3840

C:\Windows\SysWOW64\notepad.exe
notepad
45⤵
PID:4004

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
45⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3084

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
46⤵
PID:3132

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3136

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
47⤵
- Modifies registry class
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
47⤵
PID:4092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
48⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
47⤵
PID:3496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
48⤵
- Sets file to hidden
PID:3196

C:\Windows\SysWOW64\notepad.exe
notepad
47⤵
PID:1240

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3432

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
48⤵
- Modifies registry class
PID:3292

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
49⤵
- Modifies registry class
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
49⤵
PID:3300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
50⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
49⤵
PID:3152

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
50⤵
- Views/modifies file attributes
PID:2192

C:\Windows\SysWOW64\notepad.exe
notepad
49⤵
PID:3712

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
49⤵
- Executes dropped EXE
PID:3568

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
50⤵
- Modifies registry class
PID:3588

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
51⤵
- Modifies registry class
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
51⤵
PID:3568

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
52⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
51⤵
PID:4104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
52⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4180

C:\Windows\SysWOW64\notepad.exe
notepad
51⤵
PID:4236

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
51⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
52⤵
- Modifies registry class
PID:4300

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
53⤵
- Modifies registry class
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
53⤵
PID:4380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
54⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
53⤵
PID:4396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
54⤵
- Views/modifies file attributes
PID:4468

C:\Windows\SysWOW64\notepad.exe
notepad
53⤵
PID:4516

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
53⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
54⤵
- Modifies registry class
PID:4572

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
55⤵
- Modifies registry class
PID:4632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
55⤵
PID:4648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
56⤵
- Sets file to hidden
PID:4732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
55⤵
PID:4656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
56⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4744

C:\Windows\SysWOW64\notepad.exe
notepad
55⤵
PID:4784

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
55⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
56⤵
PID:4844

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
56⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4852

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
57⤵
- Modifies registry class
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
57⤵
PID:4924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
58⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
57⤵
PID:4932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
58⤵
- Sets file to hidden
PID:5020

C:\Windows\SysWOW64\notepad.exe
notepad
57⤵
PID:5060

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
57⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5076

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
58⤵
- Modifies registry class
PID:4128

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4184

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
59⤵
- Modifies registry class
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
59⤵
PID:3476

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
60⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
59⤵
PID:3684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
60⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4328

C:\Windows\SysWOW64\notepad.exe
notepad
59⤵
PID:4496

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
59⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
60⤵
- Modifies registry class
PID:4428

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
61⤵
- Modifies registry class
PID:4640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
61⤵
PID:4740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
62⤵
- Sets file to hidden
PID:4704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
61⤵
PID:4664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
62⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4820

C:\Windows\SysWOW64\notepad.exe
notepad
61⤵
PID:4860

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
61⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4884

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
62⤵
- Modifies registry class
PID:5020

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
62⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:5044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
63⤵
- Modifies registry class
PID:4856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
63⤵
PID:5112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
64⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
63⤵
PID:5108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
64⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4316

C:\Windows\SysWOW64\notepad.exe
notepad
63⤵
PID:4372

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
64⤵
- Modifies registry class
PID:4424

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
65⤵
- Modifies registry class
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
65⤵
PID:4824

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
66⤵
- Sets file to hidden
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
65⤵
PID:4800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
66⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2976

C:\Windows\SysWOW64\notepad.exe
notepad
65⤵
PID:4316

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
65⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4484

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
66⤵
- Modifies registry class
PID:4904

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
66⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
67⤵
- Modifies registry class
PID:4360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
67⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
68⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
67⤵
PID:4812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
68⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4256

C:\Windows\SysWOW64\notepad.exe
notepad
67⤵
PID:4580

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
67⤵
- Adds Run key to start application
PID:4488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
68⤵
- Modifies registry class
PID:2436

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:5044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
69⤵
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
69⤵
PID:4352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
70⤵
- Sets file to hidden
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
69⤵
PID:4704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
70⤵
- Sets file to hidden
PID:2736

C:\Windows\SysWOW64\notepad.exe
notepad
69⤵
PID:4340

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
69⤵
PID:996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
70⤵
- Modifies registry class
PID:3012

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
70⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:5092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
71⤵
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
71⤵
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
72⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
71⤵
PID:4884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
72⤵
- Views/modifies file attributes
PID:5196

C:\Windows\SysWOW64\notepad.exe
notepad
71⤵
PID:5244

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
71⤵
- Adds Run key to start application
PID:5260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
72⤵
PID:5304

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:5312

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
73⤵
- Modifies registry class
PID:5364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
73⤵
PID:5380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
74⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
73⤵
PID:5396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
74⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5488

C:\Windows\SysWOW64\notepad.exe
notepad
73⤵
PID:5516

C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
"C:\Windows\system32\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe"
73⤵
- Adds Run key to start application
PID:5532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
74⤵
- Modifies registry class
PID:5576

C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Java.exe"
74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:5584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
75⤵
- Modifies registry class
PID:5644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
75⤵
PID:5660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe\Java.exe" +s +h
76⤵
- Sets file to hidden
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
75⤵
PID:5668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Adobe" +s +h
76⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5756

C:\Windows\SysWOW64\notepad.exe
notepad
75⤵
PID:5796

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DI-TDR7.JPG
Filesize
690KB

MD5
14f0e088c890ad590f84ae2170e6a94d

SHA1
4fa31298a2824081738ab90d17aaaa03353e1b0e

SHA256
56adf781705c9cb171f965d6dd31a07aca27ced68f4d2e6c9d37dab2d1fb909c

SHA512
88ece7985fec461e599f126e68b92daf1228e8057a40a3d9675a53867d613c059fa1b33da7c33f068db5b114da05401a8bef0b6856df9a9287d02d68d071c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl4ckb4nd
Filesize
34KB

MD5
46f30194bd5792c73072d6cd782820d6

SHA1
367635e048ba13741b461b864b8adc76841ae476

SHA256
8bc9f898a96c6c90517a24919a45888f68d92232a8592b3cae8610c2d279cfa3

SHA512
888aec428b266b4aed6e895d0c075c56780548396f678720423de01a173911e3d00229bd1672bf073de54323043d44277974f15852393b4d97b915561a5ca510

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Java.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\92Uc0EZwdkTP\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
1.3MB

MD5
5818b9c7e1e4f408f28f5a6c6d0a7565

SHA1
b18ddaf0338af454365b5acd9d5d3ac7a6a890e0

SHA256
a92da5f4be8e9765ace3961ffc07677f0645589dade7fa271a2dc453f751cb68

SHA512
9fbc0219849c3735c35972cb323a393341f2691913676bf1d01159579fe28198db310b6738113550874e14b8c43b050d633c63b34c0a4e1f00fbe53ba4beb057

Download Submit
memory/316-65-0x0000000000000000-mapping.dmp

Download
memory/360-190-0x0000000000000000-mapping.dmp

Download
memory/432-186-0x0000000000000000-mapping.dmp

Download
memory/520-68-0x0000000000000000-mapping.dmp

Download
memory/604-108-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/604-102-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/604-90-0x0000000000000000-mapping.dmp

Download
memory/684-128-0x0000000000000000-mapping.dmp

Download
memory/824-70-0x0000000000000000-mapping.dmp

Download
memory/844-98-0x0000000000000000-mapping.dmp

Download
memory/900-158-0x0000000000000000-mapping.dmp

Download
memory/924-144-0x0000000000000000-mapping.dmp

Download
memory/952-131-0x0000000000000000-mapping.dmp

Download
memory/1028-176-0x0000000000000000-mapping.dmp

Download
memory/1072-161-0x0000000000000000-mapping.dmp

Download
memory/1128-101-0x0000000000000000-mapping.dmp

Download
memory/1172-69-0x0000000000000000-mapping.dmp

Download
memory/1180-159-0x0000000000000000-mapping.dmp

Download
memory/1204-188-0x0000000000000000-mapping.dmp

Download
memory/1208-74-0x0000000000000000-mapping.dmp

Download
memory/1212-125-0x0000000000000000-mapping.dmp

Download
memory/1224-174-0x0000000000000000-mapping.dmp

Download
memory/1240-138-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1240-130-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1240-118-0x0000000000000000-mapping.dmp

Download
memory/1300-71-0x0000000000000000-mapping.dmp

Download
memory/1412-220-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1412-206-0x0000000000000000-mapping.dmp

Download
memory/1412-227-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1416-57-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1464-100-0x0000000000000000-mapping.dmp

Download
memory/1516-184-0x0000000000000000-mapping.dmp

Download
memory/1532-115-0x0000000000000000-mapping.dmp

Download
memory/1548-169-0x0000000000000000-mapping.dmp

Download
memory/1564-202-0x0000000000000000-mapping.dmp

Download
memory/1584-84-0x0000000000000000-mapping.dmp

Download
memory/1596-155-0x0000000000000000-mapping.dmp

Download
memory/1608-165-0x0000000000000000-mapping.dmp

Download
memory/1660-164-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1660-153-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1660-147-0x0000000000000000-mapping.dmp

Download
memory/1660-171-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1676-80-0x0000000000000000-mapping.dmp

Download
memory/1676-126-0x0000000000000000-mapping.dmp

Download
memory/1688-114-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1688-107-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000000000000-mapping.dmp

Download
memory/1776-103-0x0000000000000000-mapping.dmp

Download
memory/1828-197-0x0000000000000000-mapping.dmp

Download
memory/1828-142-0x0000000000000000-mapping.dmp

Download
memory/1828-189-0x0000000000000000-mapping.dmp

Download
memory/1892-193-0x0000000000000000-mapping.dmp

Download
memory/1896-136-0x0000000000000000-mapping.dmp

Download
memory/1896-140-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1896-150-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1920-76-0x0000000000000000-mapping.dmp

Download
memory/1996-123-0x0000000000000000-mapping.dmp

Download
memory/2000-97-0x0000000000000000-mapping.dmp

Download
memory/2012-112-0x0000000000000000-mapping.dmp

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download
memory/2024-95-0x0000000000000000-mapping.dmp

Download
memory/2032-180-0x0000000000000000-mapping.dmp

Download
memory/2032-199-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2032-192-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2032-129-0x0000000000000000-mapping.dmp

Download
memory/2036-60-0x0000000000000000-mapping.dmp

Download
memory/2036-82-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2036-67-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2088-210-0x0000000000000000-mapping.dmp

Download
memory/2136-212-0x0000000000000000-mapping.dmp

Download
memory/2144-303-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2144-301-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2156-214-0x0000000000000000-mapping.dmp

Download
memory/2176-215-0x0000000000000000-mapping.dmp

Download
memory/2232-217-0x0000000000000000-mapping.dmp

Download
memory/2240-279-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2240-277-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2264-218-0x0000000000000000-mapping.dmp

Download
memory/2324-221-0x0000000000000000-mapping.dmp

Download
memory/2332-261-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2332-265-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2332-263-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2344-229-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2344-225-0x0000000000000000-mapping.dmp

Download
memory/2408-231-0x0000000000000000-mapping.dmp

Download
memory/2420-233-0x0000000000000000-mapping.dmp

Download
memory/2420-239-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2420-241-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2476-235-0x0000000000000000-mapping.dmp

Download
memory/2492-282-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2496-237-0x0000000000000000-mapping.dmp

Download
memory/2508-238-0x0000000000000000-mapping.dmp

Download
memory/2524-289-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2584-297-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2692-270-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2692-272-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2716-247-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2716-245-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2716-249-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2860-285-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2860-287-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2896-293-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2896-295-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2944-252-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2996-255-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2996-257-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3136-356-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3136-358-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3248-310-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3248-308-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3252-336-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3316-349-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3316-351-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3476-367-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3476-365-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3476-362-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3528-318-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3528-316-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3528-315-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3568-370-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3788-339-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3808-324-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-344-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-342-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4040-373-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4040-375-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4088-330-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4088-364-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads