Malware Analysis Report

2024-11-30 05:59

Sample ID: 240614-gbh25s1bmn
Target: e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3
SHA256: e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3

Threat Level: Shows suspicious behavior

The file e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 05:37
Reported: 2024-06-14 05:40
Platform: win7-20240611-en
Max time kernel: 149s
Max time network: 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{9DE7027D-B8EC-4BBC-9990-0AF535C09D17}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\Logo1_.exe
PID 1320 wrote to memory of 2704 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3064 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2600 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2536 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1952 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2848 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 3004 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1968 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1968 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1968 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 316 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2360 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2360 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2360 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 800 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DAE.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1E3A.bat

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2156.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a22FB.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a255C.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a276E.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2848.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a29DE.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2B83.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2E60.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2F5A.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3266.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a340B.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a34B7.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3514.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3582.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a35EF.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a363D.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a36D9.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3765.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3811.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a38DC.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3949.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3A04.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3A90.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3B0D.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3BE8.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3C36.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3C93.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3CE1.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3D3F.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3D9C.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3DEA.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3E38.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

Network

N/A

Files

memory/1912-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1DAE.bat

MD5 7fd25f830e516b82443bf7ef6f5fbc8a
SHA1 18af66283e905f5ef4a0e584599d6f68c0bfd847
SHA256 9be21d0e376e011d18b2c0cddc4eda49316396e6ef5aa6b7e8fd1f7ad760f77f
SHA512 e9effe35977830aacde1cb7fe283c95e931f2958ad429f9d01588766b8addb2d3d6aa8ba81b19f30a29c2b66d78a77255572cfcb4d02c01e044827877d0eb2bb

C:\Windows\Logo1_.exe

MD5 4db33aca198f9e9afcc012cd7ea077e1
SHA1 6b4b21442dd5091b5d3f586dbf860e0d674f60f9
SHA256 c1d47f6a5ba1a75b76b8826c21596cc74e342b014b7b559e9d20a403d2bbe1d9
SHA512 9a6f36bc295d81e866ac2c2105efff604d1ff065f5bd86e361d1f7538fdba5b32ae6faf671f1b6aff13b112aa7bc8011bca842d554e1091b1aa073c58f3d3a78

memory/1912-17-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1320-19-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 3df9284a7a827e96c982aa7dbb0a3449
SHA1 2364b9dfdf30587617efdecedf30752aaf1f2c72
SHA256 91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4
SHA512 f90a6a0ed4973f63dbc467c8d954b559cd297873899d98468e88b13d3bf4b922303ebafb732cd532178ca17b192831e5629480382e23add180c2345a4b4f17d0

memory/3064-25-0x0000000000110000-0x000000000015D000-memory.dmp

memory/2600-38-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2600-29-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1E3A.bat

MD5 202e011d9ecc462b02e1eb221ad42ecb
SHA1 92ffa5b2c0b3796cce556c3bde14a727d46c4cb2
SHA256 15dc93fc9cd5852f84f4f91e673a80215397f780219613ce98b4d45bc9240a0d
SHA512 caaa44bfca6bade47268d6322b2e52cbe938f2765e3ab9858a25b14084c04a380c215d3d52bc1da633ec9980fbfceea6197dcf24a6c535a45042567e61e6af87

memory/3064-28-0x0000000000110000-0x000000000015D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 f2c91ec5a712982aa22be52f8d7f2755
SHA1 716c4feb2523cbdf1ede42ca0f2cbd1318d79d24
SHA256 91a00511132f54629ff39f85651dff382d09572f5270060f1d11da33489279fc
SHA512 d0434ddfc8dc21019db99c423eda22f5aae3e3a377d9b719fb57ad77aa7c81c4eae734213d6665f2b828ebe12fe1c5b945e758b99395c97f103fc0276abe672a

memory/2728-42-0x0000000000260000-0x00000000002AD000-memory.dmp

memory/2536-45-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2156.bat

MD5 a87e9ef485ab5b2494c0eb8cd275ef56
SHA1 9cbe856048c8f1a5cbb94af6cc1424941ceb3472
SHA256 aa80c4628e9b53dd7a4fd36800baee84bcd5ea597f68e8a05ac19186c03acf84
SHA512 659165ed7ed969b8336f49607a74d17a456aad92fed51f9222d31ab81085abd5c5d53e7a7345a3b13c98940c469b199bd7b858a5e42fabe23739c90eee23d229

memory/2536-55-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e0a2a952b40cd65b09b9687e6c38d4d6
SHA1 729e185aa0d874f30f53cd6887b6b07d657ba403
SHA256 c41b1a583ee13a59c30ba021535121768346236b30d600a9fa425c861c64c80b
SHA512 5eca4c4fc005d57620d67a175db3705f52e344b3bfdbbb1b1e6c23c21cca2d0866332b361dca4f9cc5b7c3a917aee28147a759e800700b1ff99109316f410297

C:\Users\Admin\AppData\Local\Temp\$$a22FB.bat

MD5 2be3424d8be3e3ba96c9358273c6f423
SHA1 caf7c61c893e693a7c68773936ac4c2b2d46d1d3
SHA256 1807da6bda1eb5ccf328f6e8a21956ef95a702dec24cbfd4683b0e9114a063af
SHA512 8bd7177c1c3070226e0f03629dbfd7bc2529e0022d6c45e3df37f013a1e2c6d7adaec7788e97faaaead07b8b5e4011238ea35bef8a6a11c4197723732a87d1b2

memory/1952-72-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 960bdf3af50b67e8949e51fef440063c
SHA1 2601eeddc1104f9a03264dc5775c26bd3e5c67ee
SHA256 9a62439938a78c883a7339dd331f2a6968be4d587109597f998030f35c44c0e9
SHA512 7f6d050122b3262a47494e28d7ac8419f834351ad90c6d2695da1b0601eae91d367ed81d4fe1ce8c32a4a76c8054009ead94e0df61d336d7e3d9047fd309d05b

memory/1192-76-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2848-80-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2848-83-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a255C.bat

MD5 c9b6bcffef7ae3e2965fb998c8aa6a46
SHA1 62024ac6a438bd66055b4095ab82e874c5ccb694
SHA256 dd4afdf7ef37273335fa33a33b9c3238599d81d715a27e7e228ed8cc6da3b68b
SHA512 3887d652cbe982c0d3d27fa855415a5b413cc5ede9b1e1bc849a8086798b8118621982cdeee42a27a15184a3f7494cbe313219d1fd1f0632daf032bef7a0ac3d

memory/3004-92-0x0000000000400000-0x000000000044D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

MD5 03c36dbecb7f35761f80ba5fc5566da6
SHA1 159b7733006187467bda251a1bbb278c141dceb6
SHA256 85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b
SHA512 fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 70682aa162f988242c6c43dc229440a4
SHA1 7340d30a395f6d8972ead90822e871cc9ab98e63
SHA256 ab1cc4d7870bcbdc6596c3a3a74459c85c7ded14732a7fe989cc0540957861ab
SHA512 9eb94dad31f6bad53e95e9420002253b5d6893a85ae59639a952d9b51a2c6ca30d858231224b4df017d04b036cc7d0a36d29c5c34e75377b6e14bb2430603eaa

memory/1320-104-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a276E.bat

MD5 5a18dc1a7226ff0a9d576eec84b0f1c9
SHA1 f443d721dc1a5b4adb2a4636288ba9379b7759f7
SHA256 e20e42b75ce6b6d94426d6aeecb8b617841c08d57f65bc948f6699d75dab3f40
SHA512 81cbb5de9c35c80a6e80f000d673d26e5f43e4940e652fe042983d76b83cd7037344bea322d41478183fe3f11e6b376b5ac69a948a22dbe55274fe9196a90974

memory/316-114-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 15d42442c0ad97c6db1af59024293e36
SHA1 912a692291d0c4eda041f1c423978739c5380585
SHA256 6ca7a0c9f3e9383ff5512a05422eab5b740b5b02f65a79df177aa8658557f371
SHA512 fa83623a4472e94edf6602310265906634f2b6d6cedf76840d830d82403a7af4f6de351df08abf1adfb162374e9b8ef28c2d03eb8ff54d53afd937411d019378

C:\Users\Admin\AppData\Local\Temp\$$a2848.bat

MD5 874f536e8585fcb0c9a2e361f6c3ae3c
SHA1 14a7ed93ddde798ff5e0db2461bd8e6431f7b881
SHA256 23fa6836224e2f4ae47873f63fecfe994e3bbedae51f873752abc7bffcb75ec8
SHA512 62675787bf3fd81b287ea01f9d267ff98acc734710bc757c792dbe21705da458a5b5490ea9db6488c7ade15e3a262d633d1d91562c0b7d26cfa7f8804d048cad

memory/800-128-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 8a23794c3ca60b8647fd9bc6d1c0ec95
SHA1 1746dbd9a43ab61cd8c1bf882a864a42a86436a0
SHA256 01cb843f82dbdc3d1caf47c3a41fd01dc0dc4ac028cbcb7050c7020e73542b53
SHA512 b3ecb49ced0984140734afe14cc7887c865386454c8891be1f14f0ae21690379da7fdbebe6ba6f45f43c2b7d6d934c9bf384bc5bab733bd8b1a40d3d9117a554

memory/2092-146-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a29DE.bat

MD5 b8f11dea506f63c57e9634bc226ee87c
SHA1 f6ac88a6c3deb32b784bad5a4697d3d0d6c151da
SHA256 3f986503a39b71e5ff445bc43ff2bd7a08ac0b9762154d87a1a7afbd08250d9b
SHA512 b530a5849e9dce5991f6e6fbfd42b5b45a13f5515ae7387f8644216c6fc7c62f1ea4d3372e2b78242290dd11f647d236769e9f6136f3c7824811319c1a50c532

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 3678d22d597811c8c241c18ae51d826a
SHA1 5b68eb3ea0db72cca60f09321e8592c3d1b01107
SHA256 8f59ab94c1cca3315f84864afabe9d348bc7ec79ce7723d3e195e5140d1f98ec
SHA512 9a0f2d50cfc58613439d7f5ad80390a112f5f9e160e356f911cd89f32bedb52d8543e6d4849dd61c036342cf98f96cdd497c9104a5b50c945d7ec3f855e3bfda

C:\Users\Admin\AppData\Local\Temp\$$a2B83.bat

MD5 075b9651460a67b7a054d9665fe90065
SHA1 1eb05aa80f53a7b27c81f2a254607ff472e436b5
SHA256 9f3a39e9eb970e57b27b5fc8858cc30ee1dffa5c4f878f6fd2630a84bfff01ff
SHA512 2da60fcc06e529e85886e9cf96e29877437246130ab2dfd39a0e818ba879987c85d86c4634d863cf2190f765492747d3b230dc01b578831753b1344a5602bb9c

memory/2276-161-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e1742b7f3dcc8ff7142d041edab0c33d
SHA1 d3c738b7723a34c56b557dbe0b596e174619bc72
SHA256 cd36cf506835c5b3f7f79364e66fa077843d0335639236bd6322a17f456fd43c
SHA512 8c3f7ed952d576957e65a99af3ccbf532ddf3465e426ac851178777220dbe279546dac7499c2c60624f324031a5b36adddc665ed24233f537b852010f1b14464

C:\Users\Admin\AppData\Local\Temp\$$a2E60.bat

MD5 adba8048b98dbc9be85e4a08339c1513
SHA1 9e3da61ad82a44b4d8dcf8d50c97d2b90baba66a
SHA256 019c0afa9ab57e492c02e5c51f6c95633555ed52d1855c15cb0b9504b0d42c1d
SHA512 60fdab6f654c68a94c22153894f4d566f40e06b1955aa7cb69796601435b69aad4b2d85d7ce17229f5c1aa19932e1a3ac232217e7fe5218e51e0937e4d28202e

memory/1096-217-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 c7f6fb6839fe5c06d91f7b24bd1d3099
SHA1 fd7c2ca06bb0cdf05786ebdd1a6ed2dd41bb5ab0
SHA256 2192d2448c01035c4ceb65155662b2d7cc2676533cf911f5fbb913109b8f52aa
SHA512 c3e72b304fccddf7cb1efd7594860d0df58cea591b110cad11187b0d02e3adc522971a8716bbec9d107badb5d962a4277e03e27a1e2db53ee49630a661b9d40b

C:\Users\Admin\AppData\Local\Temp\$$a2F5A.bat

MD5 a1172a27b1365b163d63329723556a57
SHA1 6dffb9513166abd3007221b24ae66369f0086db9
SHA256 54f2ac072d67a731642fff42c2b695898b0b975e032c2c4473db135b5b1f1378
SHA512 040e1a90d1159c26e8fc6ca4055319d5771754cbeab5298f85ef1b427bfae51a8834e5eb76fb430edfb6d015e15f0ede282220a05d3fec49bbf2b27f59532d55

memory/696-231-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 1db37b80d69fb40b0df0269245159f9a
SHA1 416a3299e061acef6e3e73ea6ebb038dff1e695c
SHA256 7d8a946c3b4aceb222ba6399d21ddfaca7f878572c468c50a40758d95e2161ad
SHA512 f2f2aa9de278a1b0dff1dbf18f2044d48332006c29fce72a1446d5a0b00714197fc04c070b61aefd8267b790815a3732e40fd5b319bf73102611b651867e4348

memory/2196-238-0x0000000000190000-0x00000000001DD000-memory.dmp

memory/2196-237-0x0000000000190000-0x00000000001DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3266.bat

MD5 4a95213d9ebf6ea708c967ef195ca2e6
SHA1 24de15759d6ffba5a41c5d741bc1037929e630d3
SHA256 e39e7fa792a6579de2da678b98c92f1565e37d8f5778da7fa0620837c4f0f997
SHA512 0e4ad2821d53572e82897b5db5a66dde9ff59c7cc03550d73973926e921aa8c9ff34f28403b1becf3dc777911a9d8186a150349ccf8e04d1b89df4cda0df6474

memory/3044-252-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 9c750c4af543bee211e93b57e99bec7c
SHA1 b975eaf950c2677761dea3d849da372579801156
SHA256 a0ab3788218682f7494c0a84e43ed1aaa58a84e96b50680a365da1fba6c1e9d2
SHA512 a14aaa21c6032a436ab16ff821dc7b8e8dd3795787964dc36691c9bad26ff07be28bc23c626dab782c733e6877050d1f817c2b2d653da7eacb82eccd0c353e5b

memory/840-258-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a340B.bat

MD5 1e5b0739b7cac0c483d60583be34ab66
SHA1 cd149d5363b50a59e0a476142271ebac5dc5548c
SHA256 97f6300e79945f7c27050ef45d5dd0aeada6fa87956eb454662646844318be46
SHA512 4b9e8f1f92af885f826ae6998737ba7791445b19d994fbd87c4578beb4ef43d163b6909a99d63cbcc358eac1fb7375b6cd41a4b7f4cd6013a9efd01e9263b025

memory/840-268-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1696-270-0x0000000000280000-0x00000000002CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a34B7.bat

MD5 96abb8659fb29c5f747507079bf6f791
SHA1 1fdbaebf0368d8df0faf600fb8cf709864ac65af
SHA256 98155a8647ae6749f486e41f2bb290b8b54fdfa8b275a9538b278edda5cd1a3f
SHA512 a316f756dd4b8eddd11a8b624093684413c58becfb96727901f5e79f8153e989e92087bf9ffa297361ac438e75f43884391c7a71951ff9386ddb2659903659a8

memory/1672-280-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2812-281-0x00000000001F0000-0x000000000023D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3514.bat

MD5 62acf112d86a64f8a200035c864ff0f5
SHA1 ab114a709e8b2a6babe550cd9c19c869ae9d6994
SHA256 759a6e7a6a87640a3c84cd5ce445d33aabbbd5bde268f115e0e14d3ada5a5b76
SHA512 067842d632c0aaac22dc66d0e5326c6610263aee08eccfe3a51d9614075e59af96990730b78a5de2230c0dbaf84de0891e034e0472bbf6e0317155c1c7c6ae44

memory/2424-290-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2600-292-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2708-291-0x0000000000200000-0x000000000024D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3582.bat

MD5 91fa98ad734dbdb4e364b5c0196f17cc
SHA1 b4df8b63cc840cba51bcc9fa6fbc4e4e24c9f359
SHA256 db24e2afb12d17189e15d93ccfea15369cc0de3eb3698c57606f2165976fbbe1
SHA512 eec37b0b835d7ac1618eafd8bd81c9a47c7b2ecec7a8a8ff21e81d90d716956431ef32785aa3bd9644f97b97a9e227dfbca9135823c1a6d719916c868f619219

memory/2600-301-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2768-302-0x0000000000330000-0x000000000037D000-memory.dmp

memory/2756-303-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a35EF.bat

MD5 b5d4ac79666cae7be87b49685dfa5ad9
SHA1 f2819d0e3564e2d65a29522e0a1ce390da45c645
SHA256 0ded0ca5b402cd59db59bc72e210a1ac1bc6aa514b34dc398bc679b9f913d949
SHA512 3b8d473c8c16d0ba26f13d968104578d799056ca50f84d752e1ae1017c08063eb80e905eba2f11d4e9f4fbfff552b0e4cef9a690b040a66baddbeab6c6a376d1

memory/2756-312-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2568-314-0x0000000000400000-0x000000000044D000-memory.dmp

memory/328-313-0x0000000000270000-0x00000000002BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a363D.bat

MD5 fe96cf944e0a1a9f3a1b76530974039a
SHA1 83a8cfb06e13f67794644c14ec6e31123d26864e
SHA256 5045d704eaf75db2de27f8da5c59b2f3c4410b43e76a6477804e749dff423b36
SHA512 f23bcd9aa0c3a2b7fbdf0e093cdd4a605146db5a59586f7df3af4a83b2720e834424d1603effa4e1bfc1bd55628030e899ef7de11f5a3b4b597dd757f1587503

memory/2568-359-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a36D9.bat

MD5 3b65763601318569bd22238b90759059
SHA1 7b49f569d2db66527a2defea98e406ee20c9a6ec
SHA256 e2a6bef7375caba569a5b7f9f0525f69092f6827eb9f83547bbde82566c8c485
SHA512 563724115d842a883a4b32cb273e22128f2a7f5153075e25e33b773b9c14d12f2d9e5e5dcb49dedeac2c561229dd280c60cd2e6e3c8b8158c99b06bef918abb6

memory/2020-566-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1284-659-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1284-702-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3765.bat

MD5 12ac1459e7a9d55fbd8429c74d2aa305
SHA1 2cdd96fdc7c46f3711ec8807ae5cf77133c82020
SHA256 5e81b33d4d83e08a0c0ea94d73b0b5c682968fc79858461188f963318d44b87e
SHA512 2ab150c115638bfb16de44b78a92390fc285ac43732731a355cbb38d6476a70b85865bc6a5f952ca67019d4a358661cbd7ea3d4a72caeae9786e31b5d257de74

memory/1240-812-0x00000000022E0000-0x000000000232D000-memory.dmp

memory/1240-813-0x00000000022E0000-0x000000000232D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3811.bat

MD5 6c427b6ac1bf9d33a2caca4db6bb6c86
SHA1 6e1ba11b73b1f98d216878a2d3fb8b9efc0591e4
SHA256 c75d26280acc079c4d3acad62e4a7819027c7d152454da0ed118fc4881072b16
SHA512 4497f2e7ea61a06801e66695309b5055f18f85642ff1c1714debd0c8ce62d774c8d0a23f94ee7a92bfaf17cfd754eb4e3253339dbd315ea3e1023f0075280276

memory/2112-1040-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1160-1494-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2356-1481-0x0000000000220000-0x000000000026D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a38DC.bat

MD5 be12cf02d6b467c3acbd4bf265ec40bd
SHA1 bccf1b27c8ab481e260d290226fa77d883264f3d
SHA256 734b658a2f0767164dbcba21e340999ebd6df93553680b6b28519b74bfd6c694
SHA512 3405f58b248a967bb658676016a50d8683988a5a0c85eef9784f4f1e817cda9280446344701f1cdf13d54285a4d93aaab924859e708593968234fd3b04d3570f

memory/1160-1528-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1960-1631-0x00000000001F0000-0x000000000023D000-memory.dmp

memory/2100-1634-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3949.bat

MD5 ff84259ccb52e37ea46f08dcc070bc9e
SHA1 39d94a20077d73321500cd66e2ded9f5b5da7785
SHA256 da3f378d7edfd8b880e8d1627fa2edc60bfa517dd3ddc4a4454272d442b8d35e
SHA512 b116dd23dd31ceeb87ffba7651e4bf6302037298bbd3d233db378a823fb654497692794e2487ceca01ed012b22e687bed4156a3dd23fcf5c89796d5126809b5a

memory/2100-1752-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2516-1920-0x0000000000400000-0x000000000044D000-memory.dmp

memory/888-1919-0x0000000000110000-0x000000000015D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3A04.bat

MD5 4b5491f2b661770f2e1130965c22843f
SHA1 588696e506b154954200da5546c887f939b5f304
SHA256 b09fe9f85de5ffaa74c36f383c8eedd103b4d6c57f1fc0057f312148dd899a09
SHA512 cef4c67d72bf9eeb45ecbe492f8eecdf6601dd4b996c032ca38b21f7ebb428b0b86c3e48567f05ef988624f8f6737699a732507637f62dbb2ca26621ca72aba5

memory/2516-2026-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1236-2086-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1132-2085-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3A90.bat

MD5 d990e615d820bb1e8c2d3111a79adf26
SHA1 2393756343f77497e55a2b8396b84a548512d226
SHA256 b5dc1bfa77dee31ce7021905009325b6f206d9ddbb69997560793bd1bdb49656
SHA512 022b30dc1fe3b31bc7a57864e51b5096d49ca3211cf0c39a46d8714fc50b82bf3330b32ce4637cd889fad27b84b5a96877e74c8572601397db7aae2e55fb040e

memory/1236-2095-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3B0D.bat

MD5 7bba0ce7ef423ec29616c7fc14043df4
SHA1 4b18fecb5155f48fffa209d09cb414ab842621b7
SHA256 8559a97009612da930de9eb74abfd9b4859430b66d21f7176b1aa37ea6609bd3
SHA512 5cc21a5a5332980996f6dd98b2571c4fb3e334e1caecbd5d1a93f673511f6e67612e29bb48e870c3e7ae8d1a0962451f8f7ff894bde0cce76053609f9eb60a1b

memory/2196-2097-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2020-2096-0x0000000000280000-0x00000000002CD000-memory.dmp

memory/2196-2106-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2208-2107-0x0000000000300000-0x000000000034D000-memory.dmp

memory/2208-2108-0x0000000000300000-0x000000000034D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3BE8.bat

MD5 0453bedcfc2dafbc59efd29d003bcb36
SHA1 8d75accb961e787da33dbff6e24554158a4e5c2f
SHA256 2ea97a75fa4a4b2669ab260f99eee5d4d79515e1e505fcd4e98b1a67f4803585
SHA512 d289e9cee432df9ef573ebf4b284ca3e1a4eee9fce1cda2d368c5899445b064419f581457a0a52a44c40ec7d9f23f05720a011c553538acc655d03b75ed06434

memory/2400-2117-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2576-2118-0x0000000000870000-0x00000000008BD000-memory.dmp

memory/2684-2119-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3C36.bat

MD5 87163aa528cd8a10f6bf40d8d0eb858c
SHA1 048c2a90057735b966e46dc3f46ed68ea1a51df1
SHA256 0b2b30b485e0db0b88fe97e8601a57a6531272d81e3e4aaf489849996cfd1639
SHA512 0a71352745b639e0287555b443d73b631db9d659d5c895d02f1f32e41cb9fa6c8c3eab961eb1cf7876d5464ffb1527745a2c3033fb9346fc9770c0ced341ed24

memory/2684-2128-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3060-2129-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3C93.bat

MD5 441dd060d5a9865a8316fdaf7a6a396c
SHA1 4412c9cecd02ccbc0ebe94d793870068869dee80
SHA256 1a803cb1911a10f908f0d8025e2230234c208e642979765c95bcabc4d1bf3a75
SHA512 ab3092169d77fc186e7bb084ff7766c3870c7bb081bdeb0a0302d8fe85291458f285a52ac16a77ff315ca34a2b544dffbfb239c61ed66d74b7de4239ca2a3e45

memory/3060-2138-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2608-2139-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3CE1.bat

MD5 b45c3d281dd8e2a9e58e1cf67bdc0791
SHA1 b4307943b8c44fd239ccf19ebc76ead54aee7536
SHA256 22a4f2587252ba85f6a6c794f67119ded33bf04475f884b7e8e1d878157b00c8
SHA512 a32fbf92d0a8756e8cbd6c44c42cfaf8235a6d7b7d8ace49ec9fefe6ef71a3ae9f5b01fb847ef9441e7c651b12da89ad2d4f0514ffa3275de449aa4e96263e8a

memory/2608-2148-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2704-2149-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3D3F.bat

MD5 c51035102e96fdd2dd430d807640f7c9
SHA1 81deba3a82f164dc3185771159e4e17288b4b30f
SHA256 1bcc45ccd2958dcbb6c9e4e2bdebc1bdcae7e16c1b3d8effdf77ebe29641dc9d
SHA512 3ca265db259c13cebd61dea72dcb51fd58b0941bce678dd90d0d42e9ced993f2dd0bc64cf0c3c635f5ca488fa45339759d71b1569ef81d2f395df63f6a1d6507

memory/2704-2158-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2768-2159-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3D9C.bat

MD5 3d0ca2411f27b80557210df455b02166
SHA1 07d6979c21010f85426bc9e95b19ee5002a41326
SHA256 6d1c7159131a5f7a2b6f5cfd839488a12646d672a4f2e4fe97638007f2e96bd1
SHA512 91812c40b71e10c76d4bfcbc6288b42741005e4d1dfeca7105805dad203dfa4cf522f2d8c3dfecfa59d18e63461070eed57050398cee33900727faed4dbcfd93

memory/2768-2168-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1284-2169-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3DEA.bat

MD5 44b1a5189f24bda17ffc5aee6fcff5cf
SHA1 f9dd7b893b7fa9746b3e93b77e3647d692e06e4e
SHA256 3695fa4c51a1d8211271fc6397495433c8ad0829e2579598b1d24955f601ea4f
SHA512 91c83ece436c762a40ccd417dc6814072730fcf544433e96eb219d483799797f77647876f085df0097b6a08efabc1a2ad018604330975ac9c734ffe3ca2d8662

memory/1284-2178-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1952-2179-0x0000000000130000-0x000000000017D000-memory.dmp

memory/2820-2180-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3E38.bat

MD5 dc3630e281380613c9c33cc737168a0d
SHA1 306b89ecd1b53cf4571320a6550af4245b723f0e
SHA256 a0a920659bdf490dd79408a9e20572e4773ce8931f95a05887de2d6732bc3a06
SHA512 3b0c2894c736172aca43384532171f7f453a5d8f70d7591460f1c2ae979e71ce1882d0b2d31ecbb2a9cdf23c2051934be90a8e8c57f3548283f19dfb251d52b0

memory/2820-2205-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~3F63.tmp

MD5 1533ce34575752aaf9a3020599c131ba
SHA1 24c1e2313276a40de717fc556240e4199701b19a
SHA256 25675678c980d33a1db21fee21bb8ba75354f3403f26c2a25e8c5c3ce37da0ba
SHA512 46c22e96abd4a8b03acb05a8e0aba5ba42ab026707dccb80538e50c8f4ad625a01b6808840f1801912b4bc8ff33f00d8354283d3b0dfc9591c8279fd9de4e1a1

C:\Users\Admin\AppData\Local\Temp\_is3F85.tmp

MD5 5453343afefb32307659574a4da803bf
SHA1 b01072bdcc799391c510054447a6a8cbab71abd3
SHA256 02eedbc35423bf428545f27b5575528ee996e75a0cf8157f47cf3e302547d508
SHA512 99c4d5731ebba9ea659d30956d60beb6c1be5e9872ee027eb7174ba08e7fa2ad8bd9d91c82313a27577f3e9c5eb49b46b8929c7f29491d0db15d3e1cd803eafa

C:\Users\Admin\AppData\Local\Temp\{0F90AE3F-B818-4860-B20F-B6783173A698}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

memory/1320-3953-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{0F90AE3F-B818-4860-B20F-B6783173A698}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

memory/1320-4781-0x0000000000400000-0x000000000044D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:37

Reported

2024-06-14 05:40

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File opened for modification C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\Logo1_.exe
PID 4456 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\Logo1_.exe
PID 4456 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\Logo1_.exe
PID 1104 wrote to memory of 4596 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1104 wrote to memory of 4596 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1104 wrote to memory of 4596 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4596 wrote to memory of 5060 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4596 wrote to memory of 5060 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4596 wrote to memory of 5060 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2892 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2892 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2892 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4320 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4624 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4624 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 3096 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4852 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4852 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 3672 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1916 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1916 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2648 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4304 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4304 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1360 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2640 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2640 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 2640 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 548 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4760 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4760 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 560 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 560 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 1444 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
PID 4592 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a347D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a35E5.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a373C.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a38B3.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a39BD.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3AF6.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C3E.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D28.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E80.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F6A.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4093.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a416E.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a42F4.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43C0.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44C9.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46BD.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4798.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4873.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A19.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AB5.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C0D.bat

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1104 -ip 1104

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CB8.bat

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 984

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D74.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E10.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EFB.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F78.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FD5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a517B.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51C9.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5217.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5266.bat

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

"C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
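
The Processes list above reads as a chain: the sample spawns `cmd.exe /c <Temp>\$$a<hex>.bat`, that batch starts the sample again, which writes the next batch, and so on. The WriteProcessMemory rows alternate between cmd.exe and the sample for the same reason (the sandbox logs one row per write into a newly created child, hence the triplicates). Separately, the dropped `C:\Windows\Logo1_.exe` runs `net stop "Kingsoft AntiVirus Service"`, and `WerFault.exe -p 1104` names PID 1104, which the WriteProcessMemory rows identify as Logo1_.exe. The script below is an added example, not the sandbox's own tooling: it collapses the repeated rows into edges, counts sample launches along the chain, labels each process row, and resolves the crashing PID to its image. Its input is a constructed subset of this report's rows, and the label names are the example's own.

```python
"""Triage of the Processes listing and the WriteProcessMemory rows above.
Added example, not the sandbox's own tooling: constructed subset of this report."""
import re
from collections import Counter

SAMPLE = "e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"


def temp_bat(suffix):
    """Path of one of the $$a<hex>.bat launchers written to Temp."""
    return TEMP + "\\$$a" + suffix + ".bat"


# One row per WriteProcessMemory call, in the report's own row format.
WPM_ROWS = f"""
PID 2892 wrote to memory of 4320 N/A {CMD} {SAMPLE_PATH}
PID 4320 wrote to memory of 4624 N/A {SAMPLE_PATH} {CMD}
PID 4320 wrote to memory of 4624 N/A {SAMPLE_PATH} {CMD}
PID 4320 wrote to memory of 4624 N/A {SAMPLE_PATH} {CMD}
PID 4624 wrote to memory of 3096 N/A {CMD} {SAMPLE_PATH}
PID 3096 wrote to memory of 4852 N/A {SAMPLE_PATH} {CMD}
PID 1104 wrote to memory of 3468 N/A {LOGO1} C:\\Windows\\Explorer.EXE
"""

# (image, command line) pairs as the Processes section lists them.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (CMD, r"C:\Windows\system32\cmd.exe /c " + temp_bat("347D")),
    (LOGO1, LOGO1),
    (r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (CMD, r"C:\Windows\system32\cmd.exe /c " + temp_bat("35E5")),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 984"),
]
# Paths the Files section lists as written during detonation (subset).
DROPPED = {LOGO1, temp_bat("347D"), temp_bat("35E5")}
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_wpm(text):
    """Unique (src_pid, dst_pid, src_image, dst_image) edges. A parent writes
    into a freshly created child several times, which is why rows repeat."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def pid_images(edges):
    """PID -> image path, recovered from both columns of the edge list."""
    images = {}
    for src, dst, src_img, dst_img in edges:
        images[src], images[dst] = src_img, dst_img
    return images


def launches_in_chain(edges, image, root_pid):
    """Walk src -> dst from root_pid (first edge per PID) and count how often
    `image` is spawned; cmd.exe -> sample -> cmd.exe -> sample is the batch loop."""
    nxt = {}
    for src, dst, _, dst_img in edges:
        nxt.setdefault(src, (dst, dst_img))
    count, pid = 0, root_pid
    while pid in nxt:
        pid, img = nxt[pid]
        if img == image:
            count += 1
    return count


def classify(image, cmdline, dropped):
    """Label one process row; None means nothing notable on its own."""
    img, cmd = image.lower(), cmdline.lower()
    if img.rsplit("\\", 1)[-1] in ("net.exe", "net1.exe") and " stop " in cmd:
        return "service_stop"
    if img.endswith("\\cmd.exe") and re.search(r"/c\s+\S+\\\$\$a[0-9a-f]+\.bat$", cmd):
        return "temp_batch_launcher"
    if image in dropped and img.endswith(".exe"):
        return "dropped_pe_executed"
    m = re.search(r"werfault\.exe .*-p (\d+)", cmd)
    return f"crash_of_pid:{m.group(1)}" if m else None


def triage(processes, dropped):
    """Finding label -> count over the whole listing."""
    return Counter(lbl for lbl in (classify(i, c, dropped) for i, c in processes) if lbl)


def crashed_images(findings, images):
    """Resolve WerFault's -p <pid> back to the image that crashed."""
    return {images.get(int(k.split(":")[1])) for k in findings if k.startswith("crash_of_pid:")}


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    findings = triage(PROCESSES, DROPPED)
    print(dict(findings))
    print("sample launches from PID 2892:", launches_in_chain(edges, SAMPLE_PATH, 2892))
    print("crashed image(s):", crashed_images(findings, pid_images(edges)))
```

On this subset it reports two `service_stop` hits (net.exe and the net1.exe it hands off to, for one command), two batch launchers, one dropped PE executed, and one crash that resolves to Logo1_.exe. When reusing it against another report, the `$$a<hex>.bat` pattern and the dropped-file set are the parts to adapt; the rest is format-driven.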

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/4456-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4db33aca198f9e9afcc012cd7ea077e1
SHA1 6b4b21442dd5091b5d3f586dbf860e0d674f60f9
SHA256 c1d47f6a5ba1a75b76b8826c21596cc74e342b014b7b559e9d20a403d2bbe1d9
SHA512 9a6f36bc295d81e866ac2c2105efff604d1ff065f5bd86e361d1f7538fdba5b32ae6faf671f1b6aff13b112aa7bc8011bca842d554e1091b1aa073c58f3d3a78

memory/4456-8-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1104-10-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a347D.bat

MD5 291e9f95e54344c90e089c10a39bec86
SHA1 91249b11242e7ae73ad19fc4c09ea35423b494bb
SHA256 2c96ffac3504377cb437cd8e1b32e4be9f0bd4b7ef1186218502c8d5db3a4d91
SHA512 3f0b9b5df48d93b24b5a92881441adaac28c17bb24a93330382a8227dd21a5551a388625d2022c2e4fdba3ee194a1e9845cc9e970da0cc41ea58c056f63ee941

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 3df9284a7a827e96c982aa7dbb0a3449
SHA1 2364b9dfdf30587617efdecedf30752aaf1f2c72
SHA256 91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4
SHA512 f90a6a0ed4973f63dbc467c8d954b559cd297873899d98468e88b13d3bf4b922303ebafb732cd532178ca17b192831e5629480382e23add180c2345a4b4f17d0

memory/4320-19-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a35E5.bat

MD5 ce4ee6378638dd335d049e2b7fa3a5dc
SHA1 d62508b150acea4dbb8a235d4abf55fd5b58e76e
SHA256 876b2239a8cbddd830335aace3580eb94d46083a6407a8a158fb41782bd2bc71
SHA512 5e65a69bd0c99250b27da49d0d9c25e8a9a366d1f1deb0a9a1611e24f6b30df92e0e897f55815094c86c6178495602639ec583774bf3b96c4f7abd3e7f2bbd7d

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 f2c91ec5a712982aa22be52f8d7f2755
SHA1 716c4feb2523cbdf1ede42ca0f2cbd1318d79d24
SHA256 91a00511132f54629ff39f85651dff382d09572f5270060f1d11da33489279fc
SHA512 d0434ddfc8dc21019db99c423eda22f5aae3e3a377d9b719fb57ad77aa7c81c4eae734213d6665f2b828ebe12fe1c5b945e758b99395c97f103fc0276abe672a

memory/3096-26-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a373C.bat

MD5 175ab80b235565020b470d97f407fab9
SHA1 9e0367eadcd721a004ad85aa0a8a72a38013a7ea
SHA256 eb099f95c64c26c3fed3c54ea9fe4119440d88f5249fd44148065c390f2fea28
SHA512 59257ef97471a88d830767255cc6ecea0e0a9e26f08539b43f1ad78164c7f765b99b198c68133f01e9a6049dec15a425b0662fbfbc45b61ac007dcc5cbf71754

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e0a2a952b40cd65b09b9687e6c38d4d6
SHA1 729e185aa0d874f30f53cd6887b6b07d657ba403
SHA256 c41b1a583ee13a59c30ba021535121768346236b30d600a9fa425c861c64c80b
SHA512 5eca4c4fc005d57620d67a175db3705f52e344b3bfdbbb1b1e6c23c21cca2d0866332b361dca4f9cc5b7c3a917aee28147a759e800700b1ff99109316f410297

memory/3672-31-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3672-35-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a38B3.bat

MD5 234814137609b9486048de64d61ff0ac
SHA1 0d62e2b7ab58bd783abb95ee00c5b05b46270264
SHA256 479afbb699a5611863b1d0d19f7ffa2b9ed5ded6a5eceb704c70abfe579f2fc0
SHA512 578aaa298d12be6bc03050474e4eec7cb0334d431c74b71f2e2775b46410c289255f4be5aff996d5053025ebce851e5cf7a4366c4c7c926b1bf0f613c5bd5491

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 960bdf3af50b67e8949e51fef440063c
SHA1 2601eeddc1104f9a03264dc5775c26bd3e5c67ee
SHA256 9a62439938a78c883a7339dd331f2a6968be4d587109597f998030f35c44c0e9
SHA512 7f6d050122b3262a47494e28d7ac8419f834351ad90c6d2695da1b0601eae91d367ed81d4fe1ce8c32a4a76c8054009ead94e0df61d336d7e3d9047fd309d05b

memory/2648-44-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a39BD.bat

MD5 952cd02f795c2ea7426c769d1fa773fe
SHA1 fb4840c30d722347894b8374d335863f19d6266c
SHA256 cfe47d63f59f0a05c34e06c3e44299276102acda0f7c2bfe011816b9c7d51345
SHA512 2dff491bfb28afba5c2e240bec7b99dd3fafd980c71cfe3b83286dc8a22203da76a2b6f321e82cfddfe6c5e4c5dd8018b14f81169472fed0923b2f27a5d5d9ab

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 70682aa162f988242c6c43dc229440a4
SHA1 7340d30a395f6d8972ead90822e871cc9ab98e63
SHA256 ab1cc4d7870bcbdc6596c3a3a74459c85c7ded14732a7fe989cc0540957861ab
SHA512 9eb94dad31f6bad53e95e9420002253b5d6893a85ae59639a952d9b51a2c6ca30d858231224b4df017d04b036cc7d0a36d29c5c34e75377b6e14bb2430603eaa

memory/1360-53-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3AF6.bat

MD5 1c8f03f1f044fee4adc2ecc25239d059
SHA1 da97fe6e0a620168c5dcb757625b44b51379fcf3
SHA256 fcbe27371b850521017b0766aa1ab7252a871b527b6dbd0efa689d96fd6a51d9
SHA512 efa0b79878c99bebd2557caa8124a35258338553fcfc357c52100b7650dc39907c2f3b75ce43d3a78b80b8f3dab111d41a3aaf5e0c871873297ab9b7315b1878

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 15d42442c0ad97c6db1af59024293e36
SHA1 912a692291d0c4eda041f1c423978739c5380585
SHA256 6ca7a0c9f3e9383ff5512a05422eab5b740b5b02f65a79df177aa8658557f371
SHA512 fa83623a4472e94edf6602310265906634f2b6d6cedf76840d830d82403a7af4f6de351df08abf1adfb162374e9b8ef28c2d03eb8ff54d53afd937411d019378

memory/548-61-0x0000000000400000-0x000000000044D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2080292272-204036150-2159171770-1000\_desktop.ini

MD5 03c36dbecb7f35761f80ba5fc5566da6
SHA1 159b7733006187467bda251a1bbb278c141dceb6
SHA256 85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b
SHA512 fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

C:\Users\Admin\AppData\Local\Temp\$$a3C3E.bat

MD5 6f8345ec9559d73da9cba358a0f36c52
SHA1 22bb14a1e314a3abf7585948e635cce00fd15f96
SHA256 f2abfaa83fabb4f4e01fd9399f1aa30fbdb7369963000ff6a29c3a315a3a99ee
SHA512 c0f30c0c9bad244551b3833833b041045cd847549cdd64f559fb3adac6286731801ede851eb816ff7607ad34c662337f0f4a5b1b69d510ebcba8a835f30fa696

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 8a23794c3ca60b8647fd9bc6d1c0ec95
SHA1 1746dbd9a43ab61cd8c1bf882a864a42a86436a0
SHA256 01cb843f82dbdc3d1caf47c3a41fd01dc0dc4ac028cbcb7050c7020e73542b53
SHA512 b3ecb49ced0984140734afe14cc7887c865386454c8891be1f14f0ae21690379da7fdbebe6ba6f45f43c2b7d6d934c9bf384bc5bab733bd8b1a40d3d9117a554

memory/748-75-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3D28.bat

MD5 45839bd5dd2dfa90205c9c52776c06b2
SHA1 4d4f91437b90f2ad78c4e051c71f16e25fb8c518
SHA256 e9646a40af29fd0f8c1799197920361a1ef622ec1084f4c90090d668b38d3a35
SHA512 2e9e6536dcc2fe39c25f2e18c3cc24622a9ffefa676dab93756a430a7963b018799be061c553ffe83dec4feb08d92ac785d552370ad7d7355202ff46b213000f

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 3678d22d597811c8c241c18ae51d826a
SHA1 5b68eb3ea0db72cca60f09321e8592c3d1b01107
SHA256 8f59ab94c1cca3315f84864afabe9d348bc7ec79ce7723d3e195e5140d1f98ec
SHA512 9a0f2d50cfc58613439d7f5ad80390a112f5f9e160e356f911cd89f32bedb52d8543e6d4849dd61c036342cf98f96cdd497c9104a5b50c945d7ec3f855e3bfda

memory/1444-83-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3E80.bat

MD5 de1736d377b2501f2a7ce152722f9fff
SHA1 3b6bde2e71eef9757bd048113fcb0fb2a4877784
SHA256 56240fbf5c6ef92657182cc499678403d3bfa314223fcc6d12b86716efd4d990
SHA512 b27980de8a0499c5d104750edbadadc5d68137aec5345971b11c06c11997e947f2549d8b1258344201b7685c1c508cde87234fb646d2a81bbd29682233f6440d

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e1742b7f3dcc8ff7142d041edab0c33d
SHA1 d3c738b7723a34c56b557dbe0b596e174619bc72
SHA256 cd36cf506835c5b3f7f79364e66fa077843d0335639236bd6322a17f456fd43c
SHA512 8c3f7ed952d576957e65a99af3ccbf532ddf3465e426ac851178777220dbe279546dac7499c2c60624f324031a5b36adddc665ed24233f537b852010f1b14464

memory/3132-87-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3132-91-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3F6A.bat

MD5 b93f1a84bc6c28e95d809c4e785b276c
SHA1 815eaf6ae765f47d25def401a85ef7e37a04c01c
SHA256 519294eaeb0bb9102405382b1db1f88264752df273f023e69680cf0f5928df7d
SHA512 f16772478ccff68c2bee39070a099a470e8e8e38b645a1c54ec6f8fed0a240ab9a6252a7ab84987b5b5c0cf6053a9fb2187925b789f2d1f9f10cdd0ebacb51a3

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 c7f6fb6839fe5c06d91f7b24bd1d3099
SHA1 fd7c2ca06bb0cdf05786ebdd1a6ed2dd41bb5ab0
SHA256 2192d2448c01035c4ceb65155662b2d7cc2676533cf911f5fbb913109b8f52aa
SHA512 c3e72b304fccddf7cb1efd7594860d0df58cea591b110cad11187b0d02e3adc522971a8716bbec9d107badb5d962a4277e03e27a1e2db53ee49630a661b9d40b

memory/3832-96-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1104-95-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3832-100-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4093.bat

MD5 93ca7a4932e3f16e966d09d4b104f215
SHA1 ba64cc57c59e0314570e07a2ef4e3776bf5d7e67
SHA256 bad47a74338937409ac15535551fbc8e05ce28376e6f7dd3e7d045188a617ba8
SHA512 a0e0bdeff41f01742486acc61274564df18cb7edcffcea54fc323314f82289f933c23684746c9fb26f996be343cce1d73f600b43b4b02200b277c56df473b127

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 1db37b80d69fb40b0df0269245159f9a
SHA1 416a3299e061acef6e3e73ea6ebb038dff1e695c
SHA256 7d8a946c3b4aceb222ba6399d21ddfaca7f878572c468c50a40758d95e2161ad
SHA512 f2f2aa9de278a1b0dff1dbf18f2044d48332006c29fce72a1446d5a0b00714197fc04c070b61aefd8267b790815a3732e40fd5b319bf73102611b651867e4348

memory/3180-111-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a416E.bat

MD5 741cc668a2f222bd7862f138981aa216
SHA1 3e406e58e3a3678ee3fa3683da11e7960b03b55f
SHA256 4bf51fcda557b88189af79c4097098a18554969c2060abb034f5abf0c1f8ad04
SHA512 b7d98362c712755af51aca5be1e1ebc3ba0977058f9565af1b0cb9a721202ba9777f87bfe40ddcba89a2bf75154efc80da05ee4f366a8a000278cacd82b09caf

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 9c750c4af543bee211e93b57e99bec7c
SHA1 b975eaf950c2677761dea3d849da372579801156
SHA256 a0ab3788218682f7494c0a84e43ed1aaa58a84e96b50680a365da1fba6c1e9d2
SHA512 a14aaa21c6032a436ab16ff821dc7b8e8dd3795787964dc36691c9bad26ff07be28bc23c626dab782c733e6877050d1f817c2b2d653da7eacb82eccd0c353e5b

memory/760-115-0x0000000000400000-0x000000000044D000-memory.dmp

memory/760-119-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a42F4.bat

MD5 ca4582b7087313bed1da93194c571e55
SHA1 3ec6f150dc084d8cb98e6b8dd74cd71766f68d95
SHA256 36c2e1b268b656cc9c7831cef77314744ddd44de784c1890cddb23380240bd65
SHA512 3bbdea6d606f28999c1afa9cb511177148666b16bed44701e1aa866cf9df9868bfe3f452ee8c1abeb76e0d230b0dcc03316047de9be304b5347d7b27dbcc17f7

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 080b508382f4e2a62d3aa72debd7cf36
SHA1 3a741bc765be25edafc2e8866e08a0c31768359c
SHA256 233a945f3a8884504d35d6f0cc2a7f38989f3c3e4cfa8e4ad392e319720e15b4
SHA512 3455ddca2882006ebd0243044e5952e610d7bd358deecb80a83c935a2ca2d1f3bb660152f4e6e64d040f540b75ac9fe34ab052b714f9c1f7d2b660c0cd94107c

memory/1180-126-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a43C0.bat

MD5 a985dc3c876cc1a4db9b769394605a3b
SHA1 2983b8485d5e3e81ff3810b6de5ba3d7be9b3515
SHA256 0587cf6bd2e222ef9bcbf1ab99c89382bc886117600a2f808b43ae2bc45cd79a
SHA512 141e7aaa42ea89c64cb11af26662e7dce8979420c2211d9238f6641668978b1bd6f13a115433fdca6fd965420703c6a3f1d3156861d926267c2641e62b3dc1cf

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e196371c438d6228c3bdf7c8dbe6a1a8
SHA1 60d1812736b5a5e3faed09d2042b92fda1b088b2
SHA256 3716ed2493356a69a594f0a1c527d143abc862fd4ffc12c874c189847c97831b
SHA512 711d2e6e6aca20ebf767549cee4b594a0354aba602f6def3f5e9d741ed93b98aa1571734a57e8a8839cfe1a431a5e1c51b4f2dd664b171ea76197fd89b8fd874

C:\Users\Admin\AppData\Local\Temp\$$a44C9.bat

MD5 5963cb738cee9f3946bd6f1b51f99c59
SHA1 aaeaacdd6fb565dd608139c01934d3f7b984e652
SHA256 316a7da3d6218ab3f563bcc1348bbd694bdf345bd401cc0774f0439de12d5a55
SHA512 6a39a0137ef613e10fadff7d54d3e04bba986e810f024b52fd6142949c2e3d230cf89ae0e67dc241716fc4b91ae2d9564ca0b834587c9f6588133f754c53a186

memory/2888-133-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 408b20e16a98e43459906847e0191efa
SHA1 1f9dbbe3475b4c93cf66c1da7db556405da0c101
SHA256 cac256071bc6666638ee6622bc7376710fb6077718c058c1a1615915eaf4f0e8
SHA512 c1546e7bf15917ed434d45bf2a9dff5c8f43b0f93211b82fb4f43ce5191ae6ede1d6381c8fc9325c7f3134085d1a4ecef1c46eec78abdd206e167e22734f6aa0

memory/3192-143-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat

MD5 88fffae85d7aebc8c728df74d227e1da
SHA1 54921367d36aeea1ceae6d1db4daf90e5ada4d7a
SHA256 8b21d76fc9e56ce0d0e5a849d8641a514a248f57b551d75f365a61fd254bf4f0
SHA512 02a0bdeffee12c1c9e677868aec4c9098a8221476c11832c3ae65a89e2271ad7a10c981a84067819294a1a45bebc95a18cf3d98445c2d851b60960371bf859ed

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 0f7b190e259ba553527ed9fb4e70061b
SHA1 2257157880ac52fe6e0eb2fc7de2c752468dfa9b
SHA256 9ea905825aaa08dddcbf76ebc691a15390a56426d9642a4cbf5373d133042059
SHA512 0ba911f992f1cd55507959ba4a8da0d263667baace0deb6086382adbae9d05513cb832df5d7d0a64503565b79b4a024e88d431bc852e755580d8f1bd913e0f2e

memory/4336-151-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a46BD.bat

MD5 67ec8ced025364cd4ce0e5d422b3bc93
SHA1 d9cc60290255f05e2751e701be8cf06f411d7594
SHA256 3ff10c06c236758ce43edd5149e9bf76c742747de45708e21c24c2b4e99e1d5f
SHA512 34fbc2ce88835afb28681cf5d192765cbf76ba35b0372c42ddb4fbb6cd9fb1fd5c8d48ca8d2cdd5f9538a93e36e8dab28cfd08054ab0d04f4dd3cde714d4b1d8

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 9a6ee4318ea0c32484f2d650ba80ce7e
SHA1 e6ebce53915a6c291d21740b29126675eaacc76b
SHA256 9d59bec06ad62dce146eff3a7d334f0625ce06bdd065f12ba58beaf63d8d4426
SHA512 f07c33831b89835f8957a093833b93ec35881760b6e21bf7ad5ef567df3a3b5c92af2317a1e6a94ea154930f991c8ec3541a314f66040ce548d2b8e8527350ba

memory/4940-158-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4798.bat

MD5 54d6e9955d7a235623efc136e7cef4db
SHA1 8d701ae57d20b28724ed22724033ddf89e60f10c
SHA256 b6959b11ac0afb0949ea406e73495cc354a17228e3ae6a9bb0fe298ee7925e22
SHA512 4a4a432953def4217a1d39a9ced6ff670393dd5c9b1eb5c8a326d8eb30fcde72438301ec921f6f674acfbf2906dab0a495add3975836b7b00a3341462d84519a

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 7eeaca39dd4fa393458297e323eaf2ff
SHA1 1513685d3b5f4766eb8f31c8ba82e0f5139220f7
SHA256 2e05fa5661c2d4eddd4ce6779fc8865d140c7638fbbe32e7eb4c60b49c63d5db
SHA512 c3e4171e120b0fbf7564369cb36613bdfdf7b12af7d0e339a6a82753caa3d8018b5117e5636bb7b07e582133c032cc704bbb0e446bc023e5e67518ef2a69913b

memory/1628-165-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4873.bat

MD5 5c179dcbe10cf97a171067f8c1742eee
SHA1 3c97a4a360542bede3dc52d54b26ea77b5249791
SHA256 33959723c9a6f2b6c3802dbc4c631656504d75cf0c35ffee2bf39909e24fdb37
SHA512 514a06a448e399f9ffc166fd7065a549e72581c1b993e9e89fff59b108d033551abfeff5e83244231e84180c97cce8d6a045931908f09dae4d087a55049f642b

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 77ea4ac4f8ad8c6a6cc1e11fcbef1cee
SHA1 9a7b042d75d4dc836de7390046f15907baffe828
SHA256 69814cc92ae1d7f046a22b76d4bc6711e16b8b42871606beffa47ce720a365e7
SHA512 d19620e01a7562cd49e0a43c4c272d3f2efeed9143afb4d64cc37d92849a4c7fdce6973322e1f101d4a5b946974760298cec83ea55a74053c7f809afd2662edc

memory/664-270-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4A19.bat

MD5 2de18e8a4029f1b8b4db1339c3e83982
SHA1 b43c080d302ff9e864c0112b44093d04609480a0
SHA256 95328145f130314555cc52e9584b2fae1e0f517eba2cb15b4646e532b7daa9b8
SHA512 a673274a56def7b6aac93f41ecb0b6baf7ea345e46565bedac1048061a761308634076b04129665ad84f13116f0814ab4852160e5d6097369408535de7c34bf1

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 a1efe2405eb43a47d76fd20cd72ef766
SHA1 af8a9492855d430a8fcc9ab58249c3c097a981ac
SHA256 6f658213093ba204e684cf00e67e85751a3d3135d0188101f49dcd0184a1c33e
SHA512 58097f0de64f86d03d9bc61ecbef5c9c1377f86979857f431a2b47eefa39059102a6ee39d6f40e4ae84a7e3c607d64977b11785acfd5d11d69c7fea481e0d676

memory/2788-314-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4AB5.bat

MD5 bfadc6b5fa81462d9462e612b24933a4
SHA1 04fc2abb9af0b3ca0b19ce78dd61ba2bf148b8b2
SHA256 3e34c6e3dc9189bc32bdaff6548c5c5a80550d7d958abdbfb28ba40760c5481d
SHA512 9f6ded820f2289591e986df72bedd3bf9c47091c44bd753d2295d25931e0059e31b690c6067db924c1e75b7783c88d5869c58da50fbdc2d97121af4e371b3f9f

memory/4244-380-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4244-406-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2632-462-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1636-466-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1684-467-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1684-471-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3932-475-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1000-476-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1104-478-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1000-482-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2316-483-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2560-490-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2316-491-0x0000000000400000-0x000000000044D000-memory.dmp

memory/768-493-0x0000000000400000-0x000000000044D000-memory.dmp

memory/768-497-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3880-498-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3880-502-0x0000000000400000-0x000000000044D000-memory.dmp

memory/852-503-0x0000000000400000-0x000000000044D000-memory.dmp

memory/852-504-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2436-505-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2436-509-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2936-510-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2936-514-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3980-515-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3980-519-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~52F4.tmp

MD5 1533ce34575752aaf9a3020599c131ba
SHA1 24c1e2313276a40de717fc556240e4199701b19a
SHA256 25675678c980d33a1db21fee21bb8ba75354f3403f26c2a25e8c5c3ce37da0ba
SHA512 46c22e96abd4a8b03acb05a8e0aba5ba42ab026707dccb80538e50c8f4ad625a01b6808840f1801912b4bc8ff33f00d8354283d3b0dfc9591c8279fd9de4e1a1

C:\Users\Admin\AppData\Local\Temp\_is52F7.tmp

MD5 5453343afefb32307659574a4da803bf
SHA1 b01072bdcc799391c510054447a6a8cbab71abd3
SHA256 02eedbc35423bf428545f27b5575528ee996e75a0cf8157f47cf3e302547d508
SHA512 99c4d5731ebba9ea659d30956d60beb6c1be5e9872ee027eb7174ba08e7fa2ad8bd9d91c82313a27577f3e9c5eb49b46b8929c7f29491d0db15d3e1cd803eafa

C:\Users\Admin\AppData\Local\Temp\{D1BE5726-C3B0-4891-8026-062B3B080FE4}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

C:\Users\Admin\AppData\Local\Temp\{D1BE5726-C3B0-4891-8026-062B3B080FE4}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

memory/2560-578-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2560-579-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2560-580-0x0000000000400000-0x000000000044D000-memory.dmp
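The listing above is the raw artifact table a sandbox emits: each dropped file is a path followed by four digests, interleaved with memory dump regions. Two patterns in it matter to a responder: the same path (the `$$a….bat` droppers and the `….exe.exe` copies) recurs with a different hash each time, so hash-only blocklists will not cover the family, and every memory dump covers the same 0x400000-0x44D000 range, consistent with one image being written into many processes. The following parser, added here as an example and not part of the report or of any sandbox's own tooling, turns that listing into structured IOCs, validates digest lengths, and flags paths that reappear with distinct SHA256 values. The excerpt is copied from the entries above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the report's "Files" listing, copied from the entries above
# (constructed input for the example; the full page has many more records).
REPORT_EXCERPT = r"""memory/1180-126-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a43C0.bat

MD5 a985dc3c876cc1a4db9b769394605a3b
SHA1 2983b8485d5e3e81ff3810b6de5ba3d7be9b3515
SHA256 0587cf6bd2e222ef9bcbf1ab99c89382bc886117600a2f808b43ae2bc45cd79a
SHA512 141e7aaa42ea89c64cb11af26662e7dce8979420c2211d9238f6641668978b1bd6f13a115433fdca6fd965420703c6a3f1d3156861d926267c2641e62b3dc1cf

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 e196371c438d6228c3bdf7c8dbe6a1a8
SHA1 60d1812736b5a5e3faed09d2042b92fda1b088b2
SHA256 3716ed2493356a69a594f0a1c527d143abc862fd4ffc12c874c189847c97831b
SHA512 711d2e6e6aca20ebf767549cee4b594a0354aba602f6def3f5e9d741ed93b98aa1571734a57e8a8839cfe1a431a5e1c51b4f2dd664b171ea76197fd89b8fd874

C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

MD5 408b20e16a98e43459906847e0191efa
SHA1 1f9dbbe3475b4c93cf66c1da7db556405da0c101
SHA256 cac256071bc6666638ee6622bc7376710fb6077718c058c1a1615915eaf4f0e8
SHA512 c1546e7bf15917ed434d45bf2a9dff5c8f43b0f93211b82fb4f43ce5191ae6ede1d6381c8fc9325c7f3134085d1a4ecef1c46eec78abdd206e167e22734f6aa0

memory/3192-143-0x0000000000400000-0x000000000044D000-memory.dmp
"""

# Expected hex-digit length of each digest; a wrong length means a copy/paste
# or extraction error and the record must not be loaded into a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_listing(text):
    """Split the listing into file records and memory-dump records.

    A file record is a path line followed by its digest lines; any other
    non-empty line that is not a dump entry starts a new file record.
    """
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, index, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "index": int(index),
                          "start": start, "end": end, "size": end - start})
            current = None  # digests after a dump line would be orphaned
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} for {current['path']} has "
                                 f"{len(digest)} hex digits")
            current[algo] = digest
            continue
        current = {"path": line}
        files.append(current)
    return files, dumps


def unique_sha256(files):
    """Sorted, de-duplicated SHA256 set suitable for a blocklist feed."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f})


def repeated_paths(files):
    """Paths that occur more than once with different SHA256 values.

    This is the signal that the dropper rewrites its payload per run, so a
    path- or behaviour-based detection is needed alongside hash matching.
    """
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[f["path"]].add(f["SHA256"])
    return {p: hashes for p, hashes in by_path.items() if len(hashes) > 1}


if __name__ == "__main__":
    files, dumps = parse_listing(REPORT_EXCERPT)
    print(f"{len(files)} files, {len(dumps)} memory dumps")
    for path, hashes in repeated_paths(files).items():
        print(f"polymorphic drop: {path} ({len(hashes)} distinct SHA256)")
    for d in dumps:
        print(f"pid {d['pid']}: 0x{d['start']:X}-0x{d['end']:X} ({d['size']} bytes)")
```

Feed the whole Files section to `parse_listing` and the `repeated_paths` output tells you which artifact names, not hashes, to hunt for on endpoints; the dump sizes (0x4D000 bytes for every entry above) give the image size to compare when carving the same region out of a live process.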