Malware Analysis Report

2024-11-30 06:00

Sample ID 240614-gbhrdaxalh
Target 91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4
SHA256 91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4

Threat Level: Shows suspicious behavior

The file 91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:37

Reported

2024-06-14 05:40

Platform

win7-20240508-en

Max time kernel

149s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\Logo1_.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A 33

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 64

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target Count
File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter E: through Z: except F:) C:\Windows\Logo1_.exe N/A 21

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target Count
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A 33
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A 1
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A 1
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A 1
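
The three Windows-directory artifacts above, together with the _desktop.ini marker files listed under "Drops file in Program Files directory", make a compact host-side hunt. Two details matter when turning them into a search: rundl132.exe is a look-alike of the legitimate rundll32.exe (a digit 1 in place of the second l), and the real rundll32.exe lives in System32 and SysWOW64, never in the Windows root; and _desktop.ini with a leading underscore is not the desktop.ini that Windows itself writes into folders, so an exact, case-insensitive name match is both necessary and sufficient. The Python below is an added example, not part of the sandbox report. The directory layout it scans is constructed in a temporary folder so the example runs offline; on a live host the same scan() would be pointed at C:\Windows and the two Program Files roots.

```python
import os
import tempfile
from pathlib import Path

# File artifacts taken from the "Drops file in Windows directory" and
# "Drops file in Program Files directory" tables of this report. The hunt
# itself is an added example, not sandbox output.
WINDOWS_DROPS = {"Logo1_.exe", "rundl132.exe", "Dll.dll"}
# Leading underscore: this is NOT the legitimate desktop.ini that Windows
# writes, so an exact, case-insensitive name match is what we want.
PROGRAM_FILES_DROP = "_desktop.ini"


def scan(windows_dir, program_roots):
    """Return {'windows': [...], 'program_files': [...]} of matching paths.
    Names are compared case-insensitively, as NTFS resolves them."""
    hits = {"windows": [], "program_files": []}
    wanted = {n.lower() for n in WINDOWS_DROPS}
    # The report drops its three binaries directly in the Windows root,
    # so only the top level of that directory is checked here.
    for entry in Path(windows_dir).iterdir():
        if entry.is_file() and entry.name.lower() in wanted:
            hits["windows"].append(str(entry))
    # _desktop.ini was written into hundreds of nested Program Files
    # folders, so those roots are walked recursively.
    for root in program_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == PROGRAM_FILES_DROP:
                    hits["program_files"].append(str(Path(dirpath) / name))
    for key in hits:
        hits[key].sort()
    return hits


def basenames(paths):
    """File names only, sorted, for compact reporting and checking."""
    return sorted(Path(p).name for p in paths)


def build_fixture(base):
    """Constructed fake drive layout for an offline run: the three Windows
    drops plus an innocent notepad.exe, three dropped _desktop.ini files in
    directories named in the report, and one legitimate desktop.ini that
    must not be reported."""
    win = base / "Windows"
    win.mkdir()
    for name in ("Logo1_.exe", "rundl132.exe", "Dll.dll", "notepad.exe"):
        (win / name).write_bytes(b"MZ")
    pf, pf86 = base / "Program Files", base / "Program Files (x86)"
    planted = [
        (pf / "7-Zip" / "Lang", "_desktop.ini"),
        (pf / "Windows Photo Viewer", "_desktop.ini"),
        (pf86 / "Common Files" / "microsoft shared" / "EURO", "_desktop.ini"),
        (pf / "Common Files", "desktop.ini"),  # benign: no underscore
    ]
    for directory, name in planted:
        directory.mkdir(parents=True, exist_ok=True)
        (directory / name).write_text("[.ShellClassInfo]\n")
    return win, [pf, pf86]


def demo():
    """Run the scan against the constructed fixture and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        win, roots = build_fixture(Path(tmp))
        return scan(win, roots)


if __name__ == "__main__":
    # On a live Windows host the call would be:
    # scan(r"C:\Windows", [r"C:\Program Files", r"C:\Program Files (x86)"])
    for section, paths in demo().items():
        print(section)
        for p in paths:
            print("  ", p)
```

The fixture deliberately plants a benign desktop.ini next to the dropped _desktop.ini files and a benign notepad.exe next to the dropped binaries; a hunt that matched on substrings or on desktop.ini alone would light up every folder on the machine, which is why the comparison is an exact name match.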

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A 9
N/A N/A C:\Windows\Logo1_.exe N/A 22

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2488 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2488 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\Logo1_.exe 4
PID 2848 wrote to memory of 2668 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe 4
PID 1872 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 2668 wrote to memory of 2528 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 2776 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2760 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 2532 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2848 wrote to memory of 1220 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE 2
PID 2572 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 1552 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2764 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 1072 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1640 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 1284 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3052 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe 4
PID 2180 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3ACF.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3BD8.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4116.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4634.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4BEE.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5744.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5CA1.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6114.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a649D.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6893.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6BFC.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a706F.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7455.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7511.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a75AD.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7742.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a784B.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7907.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7A7D.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7CAF.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7E63.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7F0F.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7F9B.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8028.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a80D3.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a816F.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a821B.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a82F5.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8382.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a840E.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a846C.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

Network

N/A

Files

memory/2488-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3ACF.bat

MD5 9ac99917d4f954536202445fd803e337
SHA1 e2b6b3e18ed1cfe1ca77263edebb08c8135bb5b0
SHA256 c03541a0b1e26cd829fd0c8d04781f46613e3ed2c46185a7ef650097b63be9f8
SHA512 c2355a2a21a9ef729b02e7b015a481076523427fdddf2006d8fb0518ab94a2348a908c59686dacf30c9eaa710f78dc8b782ae9d7cd71a574a7b6627e5b3c8571

memory/2488-17-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4db33aca198f9e9afcc012cd7ea077e1
SHA1 6b4b21442dd5091b5d3f586dbf860e0d674f60f9
SHA256 c1d47f6a5ba1a75b76b8826c21596cc74e342b014b7b559e9d20a403d2bbe1d9
SHA512 9a6f36bc295d81e866ac2c2105efff604d1ff065f5bd86e361d1f7538fdba5b32ae6faf671f1b6aff13b112aa7bc8011bca842d554e1091b1aa073c58f3d3a78

memory/2848-19-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 f2c91ec5a712982aa22be52f8d7f2755
SHA1 716c4feb2523cbdf1ede42ca0f2cbd1318d79d24
SHA256 91a00511132f54629ff39f85651dff382d09572f5270060f1d11da33489279fc
SHA512 d0434ddfc8dc21019db99c423eda22f5aae3e3a377d9b719fb57ad77aa7c81c4eae734213d6665f2b828ebe12fe1c5b945e758b99395c97f103fc0276abe672a

memory/2776-29-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1872-28-0x00000000001B0000-0x00000000001FD000-memory.dmp

memory/1872-27-0x00000000001B0000-0x00000000001FD000-memory.dmp

memory/2776-38-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3BD8.bat

MD5 e83e54d60636acd6d502294e5235d6a7
SHA1 96cbf92e9fe9cd8310192cd3c74bc5f99fef8bd2
SHA256 e8d0eca86f21203bab3e2c378378c2de8b05101abeebb0806c87c8c65470fa43
SHA512 8528e8cd2cbb7720cd3ee01e5bdeeb59536ba2d53d3e5d52efd7418c7150a3cb041c3a4ae85e864ea2cbe206f0db89f8aac514a54da4ca3a32c0ff8942fc2275

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 e0a2a952b40cd65b09b9687e6c38d4d6
SHA1 729e185aa0d874f30f53cd6887b6b07d657ba403
SHA256 c41b1a583ee13a59c30ba021535121768346236b30d600a9fa425c861c64c80b
SHA512 5eca4c4fc005d57620d67a175db3705f52e344b3bfdbbb1b1e6c23c21cca2d0866332b361dca4f9cc5b7c3a917aee28147a759e800700b1ff99109316f410297

memory/2760-46-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2532-55-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4116.bat

MD5 def6c333b654224b48a3e84fa3ed0414
SHA1 14cc88c2c795b514438c0a1fe2a81768c039e428
SHA256 b3e01329ac717d8c50dbb43d20c2992fdbd4ccaf7236177a9e0123a1c420f374
SHA512 73e33127c5fe7492ca6e59fb4862c6730d06351ddbd7623648936ca4e09e8bc277a4b54eff47aae2fbf60a90493d2fdfb5cc10daac551b2600c6802a722ac478

memory/1220-58-0x0000000002E20000-0x0000000002E21000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 03c36dbecb7f35761f80ba5fc5566da6
SHA1 159b7733006187467bda251a1bbb278c141dceb6
SHA256 85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b
SHA512 fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 960bdf3af50b67e8949e51fef440063c
SHA1 2601eeddc1104f9a03264dc5775c26bd3e5c67ee
SHA256 9a62439938a78c883a7339dd331f2a6968be4d587109597f998030f35c44c0e9
SHA512 7f6d050122b3262a47494e28d7ac8419f834351ad90c6d2695da1b0601eae91d367ed81d4fe1ce8c32a4a76c8054009ead94e0df61d336d7e3d9047fd309d05b

memory/2572-72-0x00000000001C0000-0x000000000020D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4634.bat

MD5 b65ca41f9ffe43d697369c2245d240ff
SHA1 bfca27bdd4101c29c48e64613cb5510365e39f17
SHA256 acd9148f306e651f8e4c3537e58315a131e6ab89403e56d2370b19a9ad258c21
SHA512 f5a6e97fd853a75a10252e782f00719fa40abf385abfee37d00de852f47a3ecc1e272e8d74d6ff96405e97b3d73b8f651f7d7f054d814c4a65320b7580883af6

memory/1552-81-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 70682aa162f988242c6c43dc229440a4
SHA1 7340d30a395f6d8972ead90822e871cc9ab98e63
SHA256 ab1cc4d7870bcbdc6596c3a3a74459c85c7ded14732a7fe989cc0540957861ab
SHA512 9eb94dad31f6bad53e95e9420002253b5d6893a85ae59639a952d9b51a2c6ca30d858231224b4df017d04b036cc7d0a36d29c5c34e75377b6e14bb2430603eaa

memory/2764-132-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4BEE.bat

MD5 8426aa41fc76310d15df5ce665e4868a
SHA1 79b31d35e508f9f1e83f0a4d5740734e234b7271
SHA256 5ea2cc43d67743fa0c887358b89572f15224807e2998927e25c1334ad5355907
SHA512 f365978d1d48ed7e14566c5255598487dfa3102877540d6d7482e71f1349616debc9e06ecd936589ec6a28256f7e1d781cd36c0d9715390d363389dde2bfd9c4

memory/1072-142-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 15d42442c0ad97c6db1af59024293e36
SHA1 912a692291d0c4eda041f1c423978739c5380585
SHA256 6ca7a0c9f3e9383ff5512a05422eab5b740b5b02f65a79df177aa8658557f371
SHA512 fa83623a4472e94edf6602310265906634f2b6d6cedf76840d830d82403a7af4f6de351df08abf1adfb162374e9b8ef28c2d03eb8ff54d53afd937411d019378

memory/1640-152-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat

MD5 ea8c202f75b51c8527ad502aeb37f035
SHA1 4d2ebd24c33f3b3e817a607774585067db6a832c
SHA256 d4a07591064b3e67e83764d3109d7db2e93c112d8a4cbd7fa1555a7109166640
SHA512 32532a3f96d92322764590644b04b5a01093ade2e0515f8943f8a27e4047a7448b0486a6bff44800b9c1be6cd766b94a66ae9f22cc0b426d641871a4f51a8d60

memory/1284-162-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 8a23794c3ca60b8647fd9bc6d1c0ec95
SHA1 1746dbd9a43ab61cd8c1bf882a864a42a86436a0
SHA256 01cb843f82dbdc3d1caf47c3a41fd01dc0dc4ac028cbcb7050c7020e73542b53
SHA512 b3ecb49ced0984140734afe14cc7887c865386454c8891be1f14f0ae21690379da7fdbebe6ba6f45f43c2b7d6d934c9bf384bc5bab733bd8b1a40d3d9117a554

memory/2180-1771-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3052-1770-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5744.bat

MD5 b6a5ae1ebcf4a6b1167fd1e0d76ea332
SHA1 6d8561d73786b847437b9d3e107354b687b18643
SHA256 f818b9cc0bf4960d0a4295f519982402b5d193cf4a9aa7a77f7be54ec73e9d68
SHA512 fa5a0f467987d21f6ba0d397bd4253a91487a970f2185487c0f9e043a578b62881bcd0ae1f4ac2e6c8235acfe26fd80b6ca0c0ace33bec924b9f582a62097be7

memory/2180-1832-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 3678d22d597811c8c241c18ae51d826a
SHA1 5b68eb3ea0db72cca60f09321e8592c3d1b01107
SHA256 8f59ab94c1cca3315f84864afabe9d348bc7ec79ce7723d3e195e5140d1f98ec
SHA512 9a0f2d50cfc58613439d7f5ad80390a112f5f9e160e356f911cd89f32bedb52d8543e6d4849dd61c036342cf98f96cdd497c9104a5b50c945d7ec3f855e3bfda

memory/3068-1996-0x0000000000220000-0x000000000026D000-memory.dmp

memory/3068-1995-0x0000000000220000-0x000000000026D000-memory.dmp

memory/672-2144-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5CA1.bat

MD5 e9586048425d855f65a42416bae593b7
SHA1 1ded24ca3e7ffe13338947aac04ca950b35272b2
SHA256 0765af2574ca79280aeac074180f31b1e5ff15ee08fba639ef676b710fe57927
SHA512 6b8652c7c7b84d040212bc151ee931b1e8c0c44f08cef936b513e076c07a22e38af3fae9cd4ce8900d6d4b35ebcee99ee1a5327eb5efacaacfcb3c0b146a11f4

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 e1742b7f3dcc8ff7142d041edab0c33d
SHA1 d3c738b7723a34c56b557dbe0b596e174619bc72
SHA256 cd36cf506835c5b3f7f79364e66fa077843d0335639236bd6322a17f456fd43c
SHA512 8c3f7ed952d576957e65a99af3ccbf532ddf3465e426ac851178777220dbe279546dac7499c2c60624f324031a5b36adddc665ed24233f537b852010f1b14464

memory/2848-3279-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1064-3282-0x00000000001B0000-0x00000000001FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6114.bat

MD5 709bf79899ed643b82b0709b0f7f0374
SHA1 75d0ee678ca259f6743f8bb6287e2a05b47f0375
SHA256 73958b49c5c42be6187d131c4f956753647d030ebef9a141574eb47dfb2cb034
SHA512 4fe5c88902a424c6fd07c116ac0e43b06b92cb33fc5f1ae679338973f2307de785239242ea4e358a3b0df335662b761949c429b9ffc4a04613a635a757a007ce

memory/1920-3291-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 c7f6fb6839fe5c06d91f7b24bd1d3099
SHA1 fd7c2ca06bb0cdf05786ebdd1a6ed2dd41bb5ab0
SHA256 2192d2448c01035c4ceb65155662b2d7cc2676533cf911f5fbb913109b8f52aa
SHA512 c3e72b304fccddf7cb1efd7594860d0df58cea591b110cad11187b0d02e3adc522971a8716bbec9d107badb5d962a4277e03e27a1e2db53ee49630a661b9d40b

memory/2848-3455-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1000-3459-0x0000000000130000-0x000000000017D000-memory.dmp

memory/1000-3456-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a649D.bat

MD5 8797810d74f1d9824429713d970cdbe3
SHA1 e03784a3e5667b7b4d8bff98432b7d3f88e51657
SHA256 313c4c061ff8c6bb8e739991ceb3046e895d09f66529d17e5bff4977f8bcb54b
SHA512 54d4a968af7af080da88b2ad16d47d4b36e92ede7541ddb6adf41707e03ebd23b8d1a2e4196bba39f5cd44ad48aa67330266703f732f45623d6dc9efb6bfb763

memory/780-3538-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 1db37b80d69fb40b0df0269245159f9a
SHA1 416a3299e061acef6e3e73ea6ebb038dff1e695c
SHA256 7d8a946c3b4aceb222ba6399d21ddfaca7f878572c468c50a40758d95e2161ad
SHA512 f2f2aa9de278a1b0dff1dbf18f2044d48332006c29fce72a1446d5a0b00714197fc04c070b61aefd8267b790815a3732e40fd5b319bf73102611b651867e4348

memory/1456-3648-0x00000000002F0000-0x000000000033D000-memory.dmp

memory/1456-3651-0x00000000002F0000-0x000000000033D000-memory.dmp

memory/2092-3652-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6893.bat

MD5 c771b7ac21dc432167e51ede85d043c6
SHA1 6f3dddc2ae9399f56d6feb2689d974ba24a7d299
SHA256 cd2fc613ff85cbbf37b6d6c80e7b3787c8df097e6c7e7a3f899dd64193bfd998
SHA512 136bd610791c1dc2c14bf5b87590098f208cf70241d6c5a0fa8e0841853d7628be4d0650f9fdbf1ca8545203260a57ce708a481af011e6cd01fce3d3a549cf04

memory/2092-3661-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 9c750c4af543bee211e93b57e99bec7c
SHA1 b975eaf950c2677761dea3d849da372579801156
SHA256 a0ab3788218682f7494c0a84e43ed1aaa58a84e96b50680a365da1fba6c1e9d2
SHA512 a14aaa21c6032a436ab16ff821dc7b8e8dd3795787964dc36691c9bad26ff07be28bc23c626dab782c733e6877050d1f817c2b2d653da7eacb82eccd0c353e5b

memory/2360-3669-0x0000000000170000-0x00000000001BD000-memory.dmp

memory/2468-3673-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2360-3672-0x0000000000170000-0x00000000001BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6BFC.bat

MD5 fbc7b7b18ceddabf8ee5264b83444839
SHA1 b0a22f8aa3d1bc313989f78e371170afc45699ab
SHA256 cfa77fd31dedb566f9f15f5038d6383b7e140bed1c60b7183a462f7bb0596517
SHA512 25857739ebdde37c8889f118e74e4836e4963dc26f2e4283665f470655c8d0bc415229137bc59c016f64ebb516066ff7227637851fe54bacfa9df4df8be4c547

memory/2468-3683-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 080b508382f4e2a62d3aa72debd7cf36
SHA1 3a741bc765be25edafc2e8866e08a0c31768359c
SHA256 233a945f3a8884504d35d6f0cc2a7f38989f3c3e4cfa8e4ad392e319720e15b4
SHA512 3455ddca2882006ebd0243044e5952e610d7bd358deecb80a83c935a2ca2d1f3bb660152f4e6e64d040f540b75ac9fe34ab052b714f9c1f7d2b660c0cd94107c

memory/2488-4511-0x0000000000850000-0x000000000089D000-memory.dmp

memory/2812-4520-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a706F.bat

MD5 ce3857a6f22951d76244d55d96abab7d
SHA1 97f1ab92d16a20b2f602cbdcbd2ea08101767bbd
SHA256 383723a169be93bce9c23f7c3a07ff3020c74ab8bdca0127c95c80b77c84f231
SHA512 09440f04c850887678b4a2b714af4e5d10c4f149cc96b3c9c9204c08159ccbf562abef8cbb08cc275b8ec6e0be971fca5512125cb7e99a52adc5da03f55c50ba

memory/2412-4522-0x0000000000270000-0x00000000002BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7455.bat

MD5 2cbd986a59b47cca9bd2a224eb2844c7
SHA1 fef49b2298dae955295a9fc6eeb815e891832404
SHA256 366305a12d9de690e1ba94152828aa887dcc4ee7415167cd8c31a7d8cb6725fa
SHA512 7990f1d9d649bcedaf36127f293235f4bc64635aa91cddd99ba631e7e960e852426079aa058d48366ac19286b5fecd0c11eef4c2a4228a03f16592d58c03c1f5

memory/2592-4532-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2968-4533-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7511.bat

MD5 62a4354d4b263d3b9e03051881103ff7
SHA1 7e61fdbff17635aafdca90384b6e3d9a32bd7161
SHA256 09264cfbe07729e0b271d5c1394916df8eb406c72c1a682dc09691f6e9ae2e64
SHA512 a28d26d02462ad91ca7e5585431cd5e19d344180afe21a628b4774ade50975c2fd4209541c5f69bd54075a73f697f73e7e725852f9a4ef2b28f320a469c9e5b5

memory/1068-4542-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1944-4545-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2196-4544-0x0000000000150000-0x000000000019D000-memory.dmp

memory/2196-4543-0x0000000000150000-0x000000000019D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a75AD.bat

MD5 f65ae16997014f16acf303b89d71b826
SHA1 f3db4db04bff6f4716750ac9b6d3a9683696b6ea
SHA256 5accf27cfea5bd0094140f527c826467a873560a5725d38b1b5e887c7ccbbf95
SHA512 5fe6ba5056c53d247d7f7885010dbbc30655f5b8e8634e16101c71f7aa767a17bdd92203ba15b7a5f9aa14a10b144eff36cce5dd8cda963047b98d9114330fab

memory/1944-4555-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2228-4556-0x0000000000320000-0x000000000036D000-memory.dmp

memory/2068-4557-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2068-4566-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat

MD5 926bd8aa0822447afbdbcda82de593c7
SHA1 822242bf01219cddfd51206d0aa0f0321bd77016
SHA256 74e3ee0adc62592fcdcee38ea97942d14166fffe1e427cc68d7004136b104bb4
SHA512 97d67b8e69402eafe06acbda0efbf95c3832607b6a6072ae17801cf74e125db6fe4c86d016b24be55b3aee7a604e55fa30436aa496a29f40f0915abd13f4628e

memory/1404-4568-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1940-4567-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7742.bat

MD5 31416adcca310f76fda3457ca63d77e5
SHA1 833a63202dc05e4bb8d2722b57678ddb71014e58
SHA256 342145c961346f2870483d542743e57dd9c93da3e20dce8ad2b574ac8f3eef1c
SHA512 74bfeb92311f3740abe095a0274f554e0c6b14518654f99e8f9e9f5abe65db600511501167151dc399522d462100be72a94e8642fb6357b25ea7c7b95e15bdd6

memory/1404-4577-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2288-4578-0x0000000000560000-0x00000000005AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a784B.bat

MD5 fd58a530ffa356b1a975754a54e4f39e
SHA1 348e7fe72de5c6bb01b3114ee5931b74113bba9b
SHA256 7efbd585978b7cf1c0f9de0540f29f8e6e40e32ac7e4414004e8635b5f5f3564
SHA512 6698dde809b9211542602b6979d71fda5faeadf8e6609f524a39deef6a845c20699f1fc107f8c983ae9c321cd402c0ba131807c690e9dd461faadb7061843901

memory/2240-4587-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7907.bat

MD5 aef2034102a6c390fa919edebd36c959
SHA1 e2ce86b95e95a639bcc555ca9518b2dfb75b0a8d
SHA256 1b24a91ccde0d878515f85e3d5d718ea82247110f5e0f92d4982a257e3a9753f
SHA512 b5e875f5f6d90ff3714efc384eb70b631661dea559447472706d9623897a9a63b98cfff2afe771afc57547f83fb30c7aa0b40d1ae20856c42fd9f5be0d7c491d

memory/2064-4597-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2324-4598-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7A7D.bat

MD5 7d0c8eefc98fa862ef524da77fff920b
SHA1 0542a2967f17d026f69e4ae3557d7a663f4b41c0
SHA256 4bd898db0c3cb5bdffd7a3ca65f66f906c5ebcbc778563399a910b8ac5d5b3e0
SHA512 55d6658148bae5f043cb3f8a8932de048b012d7c415e6b734b3cc2b71cee937b51e6b60e9cf6d1d0a90297a98aba009613ca944e618b46499414e02cdfa31d5f

memory/1492-4607-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1820-4609-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3008-4608-0x0000000000130000-0x000000000017D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7CAF.bat

MD5 de4ebb0336bc10f97edb186bebff5f99
SHA1 33b400acd4cb28563b4016958d42baecbb41ddbf
SHA256 2e9e4e4bc956696b2be3b878fa1902da2c333d3829c082094132495eb8f56259
SHA512 64d9b524ed57f541ece5ed4b79ac78ac42d3063e6d44fed8f05fcb55235226b450c6075ea545e89103093739f3beb47be27f5e2ec2c26e4c33a322676fd8f8a7

memory/1820-4619-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1148-4620-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7E63.bat

MD5 ce90b153de4ab3562ed378b688bea785
SHA1 1bcc61275c270f3bac1c74513286feba699758c7
SHA256 0e9ca1cdda7519fadc2ed194bd6c46461b771dfe130d3fe911f41c3070271662
SHA512 1ba21c2c946ca66fc2c84d6267be33571c3721b2b86f383297c70058ddb8438cb5806cf7fd7043612b23a7864bbe92bc2956f9d3cd3ca1d5cde8e0a53fabcf85

memory/1148-4629-0x0000000000400000-0x000000000044D000-memory.dmp

memory/964-4630-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7F0F.bat

MD5 04744e74930d1d4c68cdc8ca29cef615
SHA1 71a4787ed109cea32bcaf249d1a2a2bc77f1a0ad
SHA256 55f57bd7e5aa2d378c7d786253473f4a5e62e15b7a4421d8dc838d9639a1ecc7
SHA512 d0fa5f8dededccc6c8dd5d3bbc30b8305eb039b717dc81cb5cdf0c7d963947ea4dc6d0550dcce5734a9d0422a6e49dd7db5eaa27a6e6c50cd669d4e6089757fd

memory/964-4640-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1824-4641-0x0000000000270000-0x00000000002BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7F9B.bat

MD5 91dbb6e3addd43f9a43bee78e6941bb9
SHA1 f6c33a2dd21fe2787ed5d3db4f4d8ff3aea62833
SHA256 961d18e37dc28cc96b863c53103fc6ef36e5c09769944553dd08cc257c36851e
SHA512 6067f6db895d3db9dbc88c3615ba081a13bf2b2d38c5625b950fa376a1cc4ed3da0ccad5f9f414262680a4b4cf0cda7b6bc939fc8c4bef224c0c95b6a15b9629

memory/2140-4650-0x0000000000400000-0x000000000044D000-memory.dmp

memory/600-4651-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8028.bat

MD5 983757fb2f69ab79ebf6e3a77e4227c7
SHA1 41f566c74568b3cf18284ad7a1d74f00845eeb7f
SHA256 0f4fb8557800049f154fc8f9db00adde65063c7d809469b5b6305b1128ff3afd
SHA512 db780530022e0ee27cf90173f153cbf1de68dd84a16b0e44dc7521e812cf4baed062e295ee0e515bdf3b171c48251d0e477437a7d1ee2ae61f558270061d25d3

memory/600-4661-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a80D3.bat

MD5 9193a7714cc7209f50681713d08c7766
SHA1 bd5b83b715f0e247fd5bc9582f8f5ce641c59031
SHA256 2410e37b2ed291be2bb458573e9be953f049894969a7484f01500283c4e195df
SHA512 2fd1c6c8c7f010a8544e5ab06eac644123b11f3fa45cf0fb5fe5800e19bb64cf9598a259070ae0b6415644e7f32fed2a44356a62d5dea13ac520c93d9c501554

memory/1688-4670-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a816F.bat

C:\Users\Admin\AppData\Local\Temp\$$a821B.bat

C:\Users\Admin\AppData\Local\Temp\$$a82F5.bat

C:\Users\Admin\AppData\Local\Temp\$$a8382.bat

C:\Users\Admin\AppData\Local\Temp\$$a840E.bat

C:\Users\Admin\AppData\Local\Temp\$$a846C.bat

C:\Users\Admin\AppData\Local\Temp\~8529.tmp

C:\Users\Admin\AppData\Local\Temp\_is852C.tmp

C:\Users\Admin\AppData\Local\Temp\{EF2B079B-837F-4B72-9185-D43A1AAD2234}\0x0409.ini

C:\Users\Admin\AppData\Local\Temp\{EF2B079B-837F-4B72-9185-D43A1AAD2234}\_ISMSIDEL.INI

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:37

Reported

2024-06-14 05:40

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\PackageManifests\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\EFDFFF65-1A55-4E3F-ADB6-89E563AD2004\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File opened for modification C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\Logo1_.exe
PID 4780 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\Logo1_.exe
PID 4780 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\Logo1_.exe
PID 4548 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4548 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4548 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4104 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4104 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4104 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4600 wrote to memory of 5104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4600 wrote to memory of 5104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4600 wrote to memory of 5104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3512 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4548 wrote to memory of 3512 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1592 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1592 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1592 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1596 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 1596 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 1596 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 4672 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4672 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4672 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 3712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1608 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1608 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 2772 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 2772 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 2772 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\System32\Conhost.exe
PID 2472 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 2472 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 2472 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 2460 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 5064 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 5064 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 2816 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 2816 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 2816 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 4820 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4820 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4820 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1640 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1156 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1156 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 4780 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe
PID 1784 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF0B9.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF433.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFD3C.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a673.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a10F3.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1A49.bat

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a245C.bat

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 792

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2D93.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3592.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3CC6.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a431F.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BD9.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52CE.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5772.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5C34.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61F1.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a681B.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E45.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74DD.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C4F.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D68.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E05.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EC0.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FD9.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8122.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81FC.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a82F6.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83C1.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a85E4.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a86A0.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a874C.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8807.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88B3.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe

"C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4780-0-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Windows\Logo1_.exe

memory/4548-9-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF0B9.bat

memory/4780-13-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/1784-16-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1784-20-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF433.bat

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/1596-36-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aFD3C.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/3712-46-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3712-50-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a673.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/2772-167-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2772-197-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a10F3.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/2460-981-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2460-985-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4548-978-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1A49.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/2816-1228-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a245C.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/1640-1232-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1640-1236-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2D93.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/4780-1241-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4780-1245-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4548-1240-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3592.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/4104-1252-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3CC6.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/864-1257-0x0000000000400000-0x000000000044D000-memory.dmp

memory/864-1261-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a431F.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/2496-1265-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2496-1269-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4BD9.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/216-1276-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a52CE.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

memory/3532-1283-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5772.bat

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 408b20e16a98e43459906847e0191efa
SHA1 1f9dbbe3475b4c93cf66c1da7db556405da0c101
SHA256 cac256071bc6666638ee6622bc7376710fb6077718c058c1a1615915eaf4f0e8
SHA512 c1546e7bf15917ed434d45bf2a9dff5c8f43b0f93211b82fb4f43ce5191ae6ede1d6381c8fc9325c7f3134085d1a4ecef1c46eec78abdd206e167e22734f6aa0

memory/3164-1287-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3164-1291-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5C34.bat

MD5 1b6f7c13c45787f0495ab601138cc7bc
SHA1 f1a76940e2851cd73f9fe555aba8e50de26a55bc
SHA256 c1f3220b9124dd5a1c1d241b2a4dff3018a967100fe9ad8146bc4b86c2a5e4b6
SHA512 2c5bd26d9055121fa2fa6b3046bca27ce59b92990a7d0b737678b2565163281368d155a989338ddc2be6f3f1abfac7764a29be2a4ff337c4985f380829934760

memory/4548-1293-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 0f7b190e259ba553527ed9fb4e70061b
SHA1 2257157880ac52fe6e0eb2fc7de2c752468dfa9b
SHA256 9ea905825aaa08dddcbf76ebc691a15390a56426d9642a4cbf5373d133042059
SHA512 0ba911f992f1cd55507959ba4a8da0d263667baace0deb6086382adbae9d05513cb832df5d7d0a64503565b79b4a024e88d431bc852e755580d8f1bd913e0f2e

memory/1716-1304-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2492-1305-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a61F1.bat

MD5 eaff79649fc3f79737fa5aea4fdc8377
SHA1 1ba212dfbcbf44c6542ddb8815f6a07216d3ccab
SHA256 558cd23ffc4cb3acbdcb953f060d0e080230c02115d9d990ac7244006d92666a
SHA512 01a9ad186b4fced169b4443095ade56efc2e79cb32814c05b579da16a0c37db6c857027538a0e9a527d9cfbb20c9f808d74dd2add4e57bbc5adc9ede010636f1

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 9a6ee4318ea0c32484f2d650ba80ce7e
SHA1 e6ebce53915a6c291d21740b29126675eaacc76b
SHA256 9d59bec06ad62dce146eff3a7d334f0625ce06bdd065f12ba58beaf63d8d4426
SHA512 f07c33831b89835f8957a093833b93ec35881760b6e21bf7ad5ef567df3a3b5c92af2317a1e6a94ea154930f991c8ec3541a314f66040ce548d2b8e8527350ba

memory/4160-1317-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a681B.bat

MD5 fde28c6657afa0bb7389c522e95af30b
SHA1 bec674a78dbfe22c6f5d6d036c8d7f4e1582a692
SHA256 09d7bbe730a6c49bf737e5db27152722a0cb3b6e1f48d8ee1e9816ff6056fdde
SHA512 1f5af88dc34357b5cdd9438174ae52a3caf9c2d93b151e22c47a7fbf016fd28d903482270bfbfe5777d0cdd505b7e230cffa02bd2384f45dddf92e397f264285

C:\Windows\Dll.dll

MD5 4013279ba9e12a3f6e6d4e288fc1568d
SHA1 25d149e740adeaf4f750acf8945cee2814628bb9
SHA256 684282aad338a0db114734088a571275ead2c04db6cb94c4fc90dcff70b398e7
SHA512 953050813b9849f242b419c89b0f014f3547214262e669b130fc7c13d1d66794b696a95665718e43ca9a099a9e264fe59a3d11c39ebd9bad497a85fd759e5889

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 7eeaca39dd4fa393458297e323eaf2ff
SHA1 1513685d3b5f4766eb8f31c8ba82e0f5139220f7
SHA256 2e05fa5661c2d4eddd4ce6779fc8865d140c7638fbbe32e7eb4c60b49c63d5db
SHA512 c3e4171e120b0fbf7564369cb36613bdfdf7b12af7d0e339a6a82753caa3d8018b5117e5636bb7b07e582133c032cc704bbb0e446bc023e5e67518ef2a69913b

memory/4924-1326-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6E45.bat

MD5 aff3e1008ba5b1288f79fdf2b8924dc4
SHA1 2e4efdeb948b4ebe47b62e85acb834fb04a6bcd5
SHA256 628d1308b5ca43b0fda95e2540e4f5b46f8d78d48114702fa9965c996b5f118f
SHA512 29304482194a6b0bbc044885a1a8a723e9f0c5e1968019dbbb51eb0f78162f67ea95ead77b979c7a08e71b5c9ee4ea98c2dd93cd1aba0e36e5d87e4ffaa36d2f

C:\Users\Admin\AppData\Local\Temp\91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4.exe.exe

MD5 77ea4ac4f8ad8c6a6cc1e11fcbef1cee
SHA1 9a7b042d75d4dc836de7390046f15907baffe828
SHA256 69814cc92ae1d7f046a22b76d4bc6711e16b8b42871606beffa47ce720a365e7
SHA512 d19620e01a7562cd49e0a43c4c272d3f2efeed9143afb4d64cc37d92849a4c7fdce6973322e1f101d4a5b946974760298cec83ea55a74053c7f809afd2662edc

memory/3460-1333-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1852-1337-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4544-1341-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3252-1345-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4124-1350-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4124-1346-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3984-1355-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3984-1351-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2152-1356-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2152-1360-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1716-1361-0x0000000000400000-0x000000000044D000-memory.dmp

memory/4160-1365-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3692-1369-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2304-1373-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1412-1377-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1640-1378-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1640-1382-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1828-1383-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1828-1387-0x0000000000400000-0x000000000044D000-memory.dmp

memory/416-1388-0x0000000000400000-0x000000000044D000-memory.dmp

memory/416-1392-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3340-1393-0x0000000000400000-0x000000000044D000-memory.dmp

memory/3340-1397-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_is8B19.tmp

MD5 5453343afefb32307659574a4da803bf
SHA1 b01072bdcc799391c510054447a6a8cbab71abd3
SHA256 02eedbc35423bf428545f27b5575528ee996e75a0cf8157f47cf3e302547d508
SHA512 99c4d5731ebba9ea659d30956d60beb6c1be5e9872ee027eb7174ba08e7fa2ad8bd9d91c82313a27577f3e9c5eb49b46b8929c7f29491d0db15d3e1cd803eafa

C:\Users\Admin\AppData\Local\Temp\~8B07.tmp

MD5 1533ce34575752aaf9a3020599c131ba
SHA1 24c1e2313276a40de717fc556240e4199701b19a
SHA256 25675678c980d33a1db21fee21bb8ba75354f3403f26c2a25e8c5c3ce37da0ba
SHA512 46c22e96abd4a8b03acb05a8e0aba5ba42ab026707dccb80538e50c8f4ad625a01b6808840f1801912b4bc8ff33f00d8354283d3b0dfc9591c8279fd9de4e1a1

C:\Users\Admin\AppData\Local\Temp\{2C0AD61B-8381-4167-89B0-0B7AABDEF0F3}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

memory/1716-1438-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{2C0AD61B-8381-4167-89B0-0B7AABDEF0F3}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b