Technical Information
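Service registry entry (<HKLM> stands for HKEY_LOCAL_MACHINE). The ImagePath points a .sys image at a location under the user-writable %TEMP% directory, which is unusual for a driver service and a useful detection signal. ControlSet001 is normally the set that CurrentControlSet resolves to, so check both when hunting for this key:
- [<HKLM>\SYSTEM\ControlSet001\Services\SliceDisk5] 'ImagePath' = '%TEMP%\HKBoot\FindAndMount\slicedisk.sys'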
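File paths listed in the report. The section headings are missing from this copy, so it does not state whether each file was created, modified or deleted; some paths appear more than once. The encodings\*.py files and the top-level *.pyc files, together with python24.dll and msvcr71.dll, appear to be a bundled Python 2.4 runtime and are weak indicators on their own. The slicedisk*.sys driver files, FindAndMount.exe, _fstools.dll and the dslib\ modules are the more distinctive entries:
- %TEMP%\HKBoot\FindAndMount\encodings\aliases.py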
- %TEMP%\HKBoot\FindAndMount\encodings\tis_620.py
- %TEMP%\HKBoot\FindAndMount\encodings\undefined.py
- %TEMP%\HKBoot\FindAndMount\encodings\unicode_escape.py
- %TEMP%\HKBoot\FindAndMount\encodings\unicode_internal.py
- %TEMP%\HKBoot\FindAndMount\encodings\utf_16.py
- %TEMP%\HKBoot\FindAndMount\encodings\shift_jis_2004.py
- %TEMP%\HKBoot\FindAndMount\encodings\string_escape.py
- %TEMP%\HKBoot\FindAndMount\encodings\utf_16_be.py
- %TEMP%\HKBoot\FindAndMount\encodings\utf_8.py
- %TEMP%\HKBoot\FindAndMount\encodings\uu_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\zlib_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\__init__.py
- %TEMP%\HKBoot\FindAndMount\encodings\aliases.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\utf_16_le.py
- %TEMP%\HKBoot\FindAndMount\encodings\utf_7.py
- %TEMP%\HKBoot\FindAndMount\encodings\shift_jisx0213.py
- %TEMP%\HKBoot\FindAndMount\encodings\rot_13.py
- %TEMP%\HKBoot\FindAndMount\dslib\boot.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\latin_1.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_cyrillic.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_greek.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_iceland.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_latin2.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_roman.py
- %TEMP%\HKBoot\FindAndMount\encodings\mac_turkish.py
- %TEMP%\HKBoot\FindAndMount\encodings\mbcs.py
- %TEMP%\HKBoot\FindAndMount\encodings\palmos.py
- %TEMP%\HKBoot\FindAndMount\encodings\ptcp154.py
- %TEMP%\HKBoot\FindAndMount\encodings\punycode.py
- %TEMP%\HKBoot\FindAndMount\encodings\quopri_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\raw_unicode_escape.py
- %TEMP%\HKBoot\FindAndMount\atexit.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\koi8_r.py
- %TEMP%\HKBoot\FindAndMount\encodings\shift_jis.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp_1.py
- %TEMP%\HKBoot\FindAndMount\codecs.pyc
- %TEMP%\HKBoot\FindAndMount\stat.pyc
- %TEMP%\HKBoot\FindAndMount\string.pyc
- %TEMP%\HKBoot\FindAndMount\threading.pyc
- %TEMP%\HKBoot\FindAndMount\traceback.pyc
- %TEMP%\HKBoot\FindAndMount\types.pyc
- %TEMP%\HKBoot\FindAndMount\UserDict.pyc
- %TEMP%\HKBoot\FindAndMount\dslib\validate.pyc
- %TEMP%\HKBoot\FindAndMount\volumes.pyc
- %TEMP%\HKBoot\FindAndMount\dslib\__init__.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\__init__.pyc
- %TEMP%\HKBoot\FindAndMount\FindAndMount.exe
- %TEMP%\HKBoot\FindAndMount\msvcr71.dll
- %TEMP%\HKBoot\FindAndMount\python24.dll
- %TEMP%\HKBoot\FindAndMount\_fstools.dll
- %TEMP%\HKBoot\FindAndMount\slicedisk-x64.sys
- %TEMP%\HKBoot\FindAndMount\sre_parse.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\johab.py
- %TEMP%\HKBoot\FindAndMount\encodings\koi8_u.py
- %TEMP%\HKBoot\FindAndMount\site.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\cp1252.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\cp1258.pyc
- %TEMP%\HKBoot\FindAndMount\dslib\err_ranges.pyc
- %TEMP%\HKBoot\FindAndMount\fat.pyc
- %TEMP%\HKBoot\FindAndMount\fstools.pyc
- %TEMP%\HKBoot\FindAndMount\dslib\ldecon.pyc
- %TEMP%\HKBoot\FindAndMount\linecache.pyc
- %TEMP%\HKBoot\FindAndMount\locale.pyc
- %TEMP%\HKBoot\FindAndMount\dslib\lstruct.pyc
- %TEMP%\HKBoot\FindAndMount\new.pyc
- %TEMP%\HKBoot\FindAndMount\ntfs.pyc
- %TEMP%\HKBoot\FindAndMount\ntpath.pyc
- %TEMP%\HKBoot\FindAndMount\os.pyc
- %TEMP%\HKBoot\FindAndMount\re.pyc
- %TEMP%\HKBoot\FindAndMount\runtime.pyc
- %TEMP%\HKBoot\FindAndMount\sre_compile.pyc
- %TEMP%\HKBoot\FindAndMount\copy_reg.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_9.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_8.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_7.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp500.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp737.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp775.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp850.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp852.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp855.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp856.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp857.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp860.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp861.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp862.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp863.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp864.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1258.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1256.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp437.py
- %TEMP%\HKBoot\FindAndMount\slicedisk.sys
- %TEMP%\HKBoot\FindAndMount\encodings\cp865.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1255.py
- %TEMP%\HKBoot\FindAndMount\encodings\base64_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\big5.py
- %TEMP%\HKBoot\FindAndMount\encodings\big5hkscs.py
- %TEMP%\HKBoot\FindAndMount\encodings\bz2_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\charmap.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp037.py
- %TEMP%\HKBoot\FindAndMount\encodings\ascii.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1006.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1140.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1250.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1251.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1252.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1253.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1254.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1026.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1257.py
- %TEMP%\HKBoot\FindAndMount\sre_constants.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\cp866.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp875.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp_ext.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_kr.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_1.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_10.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_11.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_13.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_14.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_15.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_16.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_2.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_3.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_4.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_5.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso8859_6.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp869.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp_3.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp874.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp_2004.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp424.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp932.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp949.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp950.py
- %TEMP%\HKBoot\FindAndMount\encodings\euc_jisx0213.py
- %TEMP%\HKBoot\FindAndMount\encodings\euc_jis_2004.py
- %TEMP%\HKBoot\FindAndMount\encodings\euc_jp.py
- %TEMP%\HKBoot\FindAndMount\encodings\euc_kr.py
- %TEMP%\HKBoot\FindAndMount\encodings\gb18030.py
- %TEMP%\HKBoot\FindAndMount\encodings\gb2312.py
- %TEMP%\HKBoot\FindAndMount\encodings\gbk.py
- %TEMP%\HKBoot\FindAndMount\encodings\hex_codec.py
- %TEMP%\HKBoot\FindAndMount\encodings\hp_roman8.py
- %TEMP%\HKBoot\FindAndMount\encodings\hz.py
- %TEMP%\HKBoot\FindAndMount\encodings\idna.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp.py
- %TEMP%\HKBoot\FindAndMount\encodings\iso2022_jp_2.py
- %TEMP%\HKBoot\FindAndMount\encodings\cp1251.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\__init__.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\aliases.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\__init__.pyc
- %TEMP%\HKBoot\FindAndMount\encodings\aliases.pyc
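Command lines listed in the report (<SYSTEM32> stands for the Windows System32 directory). The reg.exe calls use /f to set the machine-wide RegisteredOrganization and RegisteredOwner values without prompting, and write licence values under HKCU\Software\Atola\FindAndMount\LicInfo:
- '%TEMP%\HKBoot\FindAndMount\FindAndMount.exe'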
- '<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOrganization" /t REG_SZ /d "TEL: 0984 103 119"
- '<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOwner" /t REG_SZ /d "HOANG KHIEN"
- '<SYSTEM32>\reg.exe' Add "HKCU\Software\Atola\FindAndMount\LicInfo" /f /v "LicKey" /t REG_SZ /d "RFFF-DKJ-F372-9HBU"
- '<SYSTEM32>\reg.exe' Add "HKCU\Software\Atola\FindAndMount\LicInfo" /f /v "RegTo" /t REG_SZ /d "ts83dnk@outlook.com"