Malware Analysis Report

2025-08-10 19:57

Sample ID 250630-wafb7atnw9
Target d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA256 d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
Tags: defense_evasion discovery persistence spyware stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91

Threat Level: Known bad

The file d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence spyware stealer

Modifies visibility of file extensions in Explorer

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-30 17:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-30 17:42

Reported

2025-06-30 17:45

Platform

win10v2004-20250619-en

Max time kernel

149s

Max time network

137s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\WINDOWS\FONTS\0BC3D.com N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (16 process instances) N/A
N/A N/A C:\WINDOWS\FONTS\0BC3D.com N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\0BC3D.com" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
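The two registry writes listed under "Modifies visibility of file extensions in Explorer" and "Adds Run key to start application" are the report's defense-evasion and persistence evidence. What follows is an added example, not part of the sandbox report: a Python triage of rows in the report's own layout that flags the HideFileExt change and scores the Run value by where its target lives, what extension it carries and which registry view it sits in. The WOW6432Node path matters: it is the 32-bit view of HKLM\SOFTWARE (consistent with the sample spawning SysWOW64\cmd.exe), Windows still launches entries from it at logon, and a sweep that reads only the 64-bit Run key never sees it. The BENIGN_ROW constant is a constructed normal autostart entry used as a negative case; the trusted-directory and extension lists are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two "Set value" rows from this report, copied in the
# report's own '<action> <key> = "<value>" <process> N/A' layout. This parses
# report rows; it does not read a live registry.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\0BC3D.com" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A',
]
# Constructed negative case (not from the report): a normal autostart entry.
BENIGN_ROW = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" C:\Windows\explorer.exe N/A'

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>[^"]*)" (?P<proc>.+?)(?: N/A)?$'
)

# Autostart key markers and the directories a legitimate autostart target normally lives in
# (example choices, not an authoritative list).
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_LIKE = (".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")


@dataclass
class Finding:
    kind: str
    key: str
    value: str
    process: str
    reasons: list = field(default_factory=list)


def triage_registry(rows):
    """Return Finding objects for Explorer tampering and suspicious autostart values."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, proc = m["key"], m["proc"]
        value = m["value"].replace("\\\\", "\\")   # the report escapes backslashes in string values
        if key.lower().endswith("\\explorer\\advanced\\hidefileext") and value == "1":
            findings.append(Finding("hide_file_ext", key, value, proc,
                                    ["known extensions hidden in Explorer; a dropped .com or .exe shows without its extension"]))
        if any(marker in key.lower() for marker in AUTORUN_MARKERS):
            target = value.lower()
            reasons = []
            if not target.startswith(TRUSTED_ROOTS):
                reasons.append("target outside program and system directories")
            if target.endswith(SCRIPT_LIKE):
                reasons.append("uncommon autostart extension " + target.rsplit(".", 1)[-1])
            if "\\wow6432node\\" in key.lower():
                reasons.append("32-bit registry view: query with reg /reg:32 or enumerate both views")
            if reasons:
                findings.append(Finding("autorun", key, value, proc, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_registry(REPORT_ROWS + [BENIGN_ROW]):
        print(f.kind, f.key.rsplit("\\", 1)[-1], "->", f.value)
        for reason in f.reasons:
            print("   ", reason)
```

Run against the report rows this produces one hide_file_ext finding and one autorun finding with three reasons; the constructed OneDrive row produces nothing, which is the point of scoring the value rather than alerting on every Run write.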

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive letters: E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\edge_BITS_4564_616499314\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MsEdgeCrashpad\attachments\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\FONTS\0BC3D.com C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File opened for modification C:\WINDOWS\FONTS\0BC3D.com C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe (16 events) C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
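The file rows under "Drops file in Program Files directory" and "Drops file in Windows directory" above are long, and the points a responder needs are buried in them. The following is an added example, not from the report: the rows parsed in the report's own layout and checked for five things: executables written directly under C:\Windows, an executable placed under the Fonts directory, a dropped name that imitates a Windows binary (rundl132.exe against the real rundll32.exe, a digit 1 standing in for the letter l), a third-party executable opened for modification (the Chrome setup.exe row), and one process creating _desktop.ini across many Program Files subdirectories. The six _desktop.ini rows are a constructed subset standing in for the full list; the system-binary list, the fan-out threshold and the confusable-character map are this example's own choices, and the parser assumes process paths without spaces, which holds for every row in this report.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input: rows copied from the report in its own
# "<action> <dropped path> <writing process> N/A" layout. The six _desktop.ini
# rows stand in for the full Program Files list.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
LOGO = r"C:\Windows\Logo1_.exe"
REPORT_ROWS = [
    f"File created C:\\WINDOWS\\FONTS\\0BC3D.com {SAMPLE} N/A",
    f"File opened for modification C:\\WINDOWS\\FONTS\\0BC3D.com {SAMPLE} N/A",
    f"File created C:\\Windows\\Dll.dll {LOGO} N/A",
    f"File created C:\\Windows\\Logo1_.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\rundl132.exe {SAMPLE} N/A",
    f"File opened for modification C:\\Windows\\rundl132.exe {LOGO} N/A",
    f"File opened for modification C:\\Program Files\\Google\\Chrome\\Application\\133.0.6943.60\\Installer\\setup.exe {LOGO} N/A",
] + [
    f"File created C:\\Program Files\\{sub}\\_desktop.ini {LOGO} N/A"
    for sub in (r"Java\jdk-1.8\lib", r"WindowsPowerShell\Modules", r"VideoLAN\VLC\plugins\misc",
                r"Microsoft Office\Office16", r"dotnet\swidtag", r"MsEdgeCrashpad\attachments")
]

# Assumption: the writing process path contains no spaces (true for every row in this report).
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification|File opened \(read-only\)) "
    r"(?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$"
)

WINDOWS = PureWindowsPath(r"C:\Windows")
FONTS = WINDOWS / "Fonts"
PROGRAM_DIRS = (PureWindowsPath(r"C:\Program Files"), PureWindowsPath(r"C:\Program Files (x86)"))
EXEC_EXT = {".exe", ".dll", ".com", ".scr", ".sys"}
# Names worth imitating; chosen for this example, not an exhaustive list.
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "services.exe")
CONFUSABLE = str.maketrans("10", "lo")   # digits that pass for letters in a filename


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def look_alike(name):
    """The real system binary a dropped filename imitates, or None if it is exact or unrelated."""
    low = name.lower()
    if low in SYSTEM_BINARIES:
        return None
    norm = low.translate(CONFUSABLE)
    return next((real for real in SYSTEM_BINARIES if edit_distance(norm, real) <= 1), None)


def parse(rows):
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            out.append((m["action"], PureWindowsPath(m["path"]), PureWindowsPath(m["proc"])))
    return out


def in_program_dir(path):
    return any(d in path.parents for d in PROGRAM_DIRS)   # PureWindowsPath compares case-insensitively


def triage_drops(rows, fanout_threshold=5):
    """Return sorted (kind, subject, detail) findings; repeated rows collapse into one finding."""
    findings, ini_writers = set(), Counter()
    for action, path, proc in parse(rows):
        ext = path.suffix.lower()
        real = look_alike(path.name)
        if real:
            findings.add(("look_alike", str(path), f"imitates {real}"))
        if ext in EXEC_EXT and path.parent == WINDOWS:
            findings.add(("systemroot_drop", str(path), "executable placed directly under %SystemRoot%"))
        if ext in EXEC_EXT and path.parent == FONTS:
            findings.add(("fonts_executable", str(path), "executable placed in the Fonts directory"))
        if action == "File created" and path.name.lower() == "_desktop.ini" and in_program_dir(path):
            ini_writers[str(proc)] += 1
        if (action == "File opened for modification" and ext in EXEC_EXT
                and in_program_dir(path) and not in_program_dir(proc)):
            findings.add(("third_party_modified", str(path), f"opened for write by {proc.name}"))
    for writer, n in ini_writers.items():
        if n >= fanout_threshold:
            findings.add(("desktop_ini_fanout", writer, f"{n} _desktop.ini files created under Program Files"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in triage_drops(REPORT_ROWS):
        print(f"{kind:22} {subject}  ({detail})")
```

The look-alike check normalises digit-for-letter substitutions before measuring edit distance, so rundl132.exe resolves to rundll32.exe at distance zero while the genuine rundll32.exe is never flagged; on a real host the same comparison should be run against the basenames in the Run value and the process list, not only against dropped files.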

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Logo1_.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe (16 events) N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (17 events) N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\FONTS\0BC3D.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (18 events) N/A
N/A N/A C:\Windows\Logo1_.exe (44 events) N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\0BC3D.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\WINDOWS\FONTS\0BC3D.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 1884 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 1884 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 1412 wrote to memory of 6036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1412 wrote to memory of 6036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1412 wrote to memory of 6036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 224 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 224 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 224 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 6036 wrote to memory of 5948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 6036 wrote to memory of 5948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 6036 wrote to memory of 5948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 552 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 1692 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 1692 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5804 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5804 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5804 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5184 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5184 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5184 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3244 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4596 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4596 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4692 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4732 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4732 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4732 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4928 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5108 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5108 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3632 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3008 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3008 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4948 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5368 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5368 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5368 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4996 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 2644 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 2644 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3328 wrote to memory of 5796 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61B7.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a62F0.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a63CB.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6486.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6503.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6590.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a665B.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6755.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a67B3.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6820.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a68CC.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6939.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6997.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A04.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A81.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AEF.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\0BC3D.com

C:\WINDOWS\FONTS\0BC3D.com

C:\WINDOWS\FONTS\0BC3D.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1052

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/1884-0-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cdaabb480b7d3c10c6f4f451c8c08d69
SHA1 667ce007c73b1d663decd86d730227569d23acbb
SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

memory/1412-11-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1884-9-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a61B7.bat

MD5 f8115e6abd9518589ecf4b7679a6fa7d
SHA1 a7831927705a64f880de2dacbc4bf1ef23bb4c7c
SHA256 12767504d0d168f9543afd23a524d68e2102efbedd8786acaee2e32bf11b47b4
SHA512 80c81128497405fe588a26fa60be600c8767a67d7e04e3c04628e0fd047e27c88bed0df6d2d9cf012e7e9a63cf62b58d4783748a7ae4af2e3c882ada80aef2e9

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 0137dec43c77f401659bcd7a4032702c
SHA1 e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512 c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

memory/552-20-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a62F0.bat

MD5 c36bdc98acac740ed90ce67a0014a16f
SHA1 79a97a31d9c5cf08fbe6b2d15339bcf1b539a6f5
SHA256 24a147b606209d80e96f82e56b385ad4968e9711674d3722613d5144776a9267
SHA512 897ad13ff1c7a4a72ba3a6fd1e9ad9ff81a42d8cabbd6a12267719e93b5ec1602541b5ae0ee6438e57ce4c1d8aac58ced8d0fcc6eb029eb0aad15c17acc2f36c

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 f0866c2d2ab43b833b957787b4a08526
SHA1 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256 ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

memory/5804-27-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a63CB.bat

MD5 c34a4ab0abf8b068b2eb58d420c70e46
SHA1 c690ff1bb344d5e3166537161f4aeeabe7d2256d
SHA256 7693a8a462c12935383742d3922d19e88a3f46f5d4185da02dfc01d3c868c7b0
SHA512 06ce7e69fdf205ab93feb29cb6e5521e7bdd7b37d46dc7580f82a29b398cba29ad5697bf1bf5a3bb0666e05b1e589d2abf102598980f540a23fbe1f266f46739

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 47db56aa979056f9beba80adc63e72ea
SHA1 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256 bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512 f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

memory/3244-34-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6486.bat

MD5 4c141f9647c4075e28bf6793334659e3
SHA1 d3a9c5769c234bf51b2da147a5df82018ab2f0e5
SHA256 178b2a4dc49986e274d3fd9f12512f8eda66f7b724992a252478e0f1419a737f
SHA512 205a93a371b97dfb293f7ca1fed70e441550b5563e1dbac358e67d88233ac3f6329bdc3d90320819af57c444e7b049c8470b30ec7f3537aaf6cbb9670a3cf89b

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 6d9545c6556a236a67207db368fcdce2
SHA1 b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

memory/4692-41-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6503.bat

MD5 a47b9503b1e3247394304c8bd8facf33
SHA1 b66f53d0f48acff6a3f067b8ecfc1bbde21a6d0d
SHA256 c5aac0c0309484daac453c2f72e90e711167c8f615da9683804dfa43ea68a7c6
SHA512 360cfcd25e0b225f6ee5fa2202617ce1c8be886d8ce92dda94e9587fe3c03b290fbb7ffe8b4bbe3a1489e14729d27d0e00e7ae42ba1988dfad3be71eae2ca953

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 a5e603ffd2f00e966f2230590c221c66
SHA1 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

memory/4928-48-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6590.bat

MD5 5f2bd2f005c0d9fc402711c144f6b5a8
SHA1 f9e56748d6e28d131f4b3a752795983fe82a0c72
SHA256 2374f617a044c5dc5f93e15b5b68d1787b66eee6e6f021ecd7f2fe7404c85544
SHA512 4595c369f7370e071ef660eb18fc80a2d1c5ffac8c57add148af531e087e28951a3b2fcaa55c708edf82f3ed675d76e6bc6210c1adcdb61e586fee29cc9d7af7

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 a353218f7897ca4ea7b1ff4416fe1817
SHA1 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256 ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512 df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

memory/3632-57-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a665B.bat

MD5 895629218ecb5413c409561af738fe78
SHA1 73dea6239e651b253322539573ade90021277076
SHA256 f28fbc17d100d2fc451587d92c7cebcd42df1c479b0276d126743c9f96e35aef
SHA512 ba7ddef0f31f224dbba28b8c48858dc4db56155ddef2c3535a35e0073fc350056f756022530210f0a72b31ffaff2a6b7dcfe85f408fffd31d00dbb514854471a

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 00428256f70551c84c7321970cdc53cd
SHA1 ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512 b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

memory/4948-64-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6755.bat

MD5 9f5c24b3cd94a2584b56f997fc2ba88e
SHA1 ae9e05f41a66e32e4bd6d33707c261a98c7c1fa2
SHA256 4099e0c8d014d48fd25a5ab1a452ea2ee20dd31b8bb0ba596fbdf3ee48fa7dfd
SHA512 e1697cce846e5b480b75146a71e66f2b41f464422c0a30c4836c91b13507b64d294e4bf4cd87920883c0a14613684f9ad9fb2988fb9d7d8a10661c1508c3f2c5

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 e9d499bb915d58a3a58429209eb00b7d
SHA1 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256 f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512 b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

memory/4996-71-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

MD5 56cf1234d82b459b0d4b0e91312d62da
SHA1 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256 c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

C:\Users\Admin\AppData\Local\Temp\$$a67B3.bat

MD5 123914acc04b86df443862f7d3942d80
SHA1 489203cc9342ddd152c70234c6cb8f605382154d
SHA256 254066de58276eb955facd100f2fcf084e9490cd6b4891762af59f6e41d7fdd8
SHA512 b7e1c7b682bedcc47281929430d4f7027db24984f4018cd30d4b8c7d697ef04f966d1f2c9906a49d72ec85128e250243f40db5a7577a1ce022b0c5361bd38854

memory/3328-78-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6820.bat

MD5 eab8e15a41fb5638be5f72a428c371d6
SHA1 493542028e0188c8063c390cc219cca5a070a52a
SHA256 1198705363bbb05c6e033d523acca90b8aafc2c9874be3ecfa5fa3e3d800c6fa
SHA512 ac3dd8b3089d45eb2dc808deb81e67028a41810c4e9344fe8f1376d88896c92dc252f1b69ae814015501eed48b1bc0037a67c40bba21da7b0fdd640fb9f13168

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512 ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

memory/1412-83-0x0000000000400000-0x0000000000444000-memory.dmp

memory/6108-87-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a68CC.bat

MD5 ab5000203fb9810bc4c37937dc0395f9
SHA1 32df5c6156a81dd11b1c44d5223406edb2eb26b4
SHA256 7f30f147744e14b1173012160787d745accc17c7bca48afbc7bc462e59978b73
SHA512 e486cfe8e64140ad8c1421ecf312d7ab925eafeeb242929c56c4847c6c78ae0b1b269718cbf9a82848e16e45e4224cee69c6e13cf742602975494126de689a54

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 6a063093130a94dde2ed4ed5190f4591
SHA1 14a584a3198ce15445293c447b64e40f175778b2
SHA256 ec166e0c3a4b1d10e131ef693df960038a838e853993e554157e25902710f7d5
SHA512 52abb8a99086804f5d119aec5e2d3e65c60e8b24a18e774b7513ea2da80f10b0e4a00f3be8c79ac82249da3eb53d8a0b0c1957f502d8ec316f898de80501948d

memory/412-94-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6939.bat

MD5 e0fdf05be61eadb47ad729ddf4351976
SHA1 00d200f7a52d93915b66285239713636dab8c1a4
SHA256 699cbec6354b8e913136c24f2e86e3694b52bc5c4c59bc2af0b136ac14b5ac42
SHA512 06a8006f24cd712e4ed10407d0e211d4b24496cc2e98f093f7f6bd9aafd4ca2d40eb0febb6459e6093449fc55ee45aa5b609377d087e2c780b8d6ec8604529fa

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 24521e0e4ff80ec026b26bd91fb35814
SHA1 1cf942e47978651e2007d6bcfa0858ae8e061a09
SHA256 a8988f6abaf68f2de8ec718b12647c0c1d3eaec8d6b7da90bb54b52d790308d4
SHA512 83a95155ff8f5cae0a8f51217a846b99f15e565983a9adf25f0eae9e5776b33ac8ca2532098012dc3a8117593ac4173d4f4a7faadc3fb73297a2ee1bc2e0fc9f

memory/4020-101-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6997.bat

MD5 689ef6fa6c685faada62de8dea624216
SHA1 3a93d747e531576d891d391b4f85fb3f1e944d7b
SHA256 5a27dd4b53036804bed6a65b2a4bbffd06a5ec303b988709f746ea93d5b3476a
SHA512 cfa749b46107d0afe485d2d08d72bbbf6993a837b15f4eea685c010a27e1b0ff3c724692f19bd2418810aff8888c22ce94490e7db9993da480e545aba02b41ac

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 72fe255af046de79ac4650cb4a4332fa
SHA1 f4908b352614c56263742f28152579b5f3099693
SHA256 a72d5f83151a25cb339c78fd98048d9779b50529ece3e8a38ac93bc294645f5d
SHA512 1bafa57faa6168588db7aa79ac3b234b6c89f985d62aacb8581f7cdf51226698ba6efa538d0e5759167dab8a07d475f08731706ecd3c9a481ce5be107edafee7

memory/1400-108-0x0000000000400000-0x0000000000444000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4144907350-1836498122-2806216936-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

C:\Users\Admin\AppData\Local\Temp\$$a6A04.bat

MD5 cc6d4b80a9d1d4caec77b917cec970d7
SHA1 20a5a23090e00a75a81801e43380355e12606eee
SHA256 864d50c979efa73678d1c4859b9930946fc255123547cf13a8eb71a0ebe209cd
SHA512 6bddbc03e64a27b851a07a4c4811754aea37979962d098251fe88c072720fbf4a8f645213502c503a930325dc82657eca98399aa39dd508f40154c5ce0a0ddff

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 bec23ed6f40d2d0aa004ba48bdddd1f0
SHA1 ccac53c8c930a857bd8ddad248a16d5f601efd47
SHA256 90e041311b6fc3b92306ba38e98431d874c77369e1e3cffe1e7247948fe78a4e
SHA512 d8ec7da14addc5ca5d5bc22c1aa5b54f4ef66cbf8102342a2818b9456e5cb8b8461b83523f0b6b9c46ccf09d2e3b0585382acf0b39dbe7eb8d408123094225c5

memory/4464-121-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

MD5 c3c940432ca2448b87397ac5dfaf98ef
SHA1 1e569cee32fcc218269305aaffd71f1c257a8eab
SHA256 9bc1dda9d5b4bdaf8156830b0199fd580cd80a7d19b91041e72b5be0b1d47bbd
SHA512 be7ca7f7dd31167198243e9007a0e772f8899c411ee0574af7757efd87464e604a58a827826f4ae179d36f20b5d4cdca08ddbb686215b7887c8d2f580e2400e6

C:\Users\Admin\AppData\Local\Temp\$$a6A81.bat

MD5 1acbcc3cb99774ace144712c685b5fea
SHA1 17f5554b81ce08041c80d2f6f796fe8f54615044
SHA256 ecf79ed9406b62a875cde24f1558fea55f1bee90eb2fd35c9d8b35dfc392fb32
SHA512 5875ee990930642ceb1e1fd4f2286b0ff9faa7708dde262e29b875c9226bc9389f7e3afd36f2d5f6b3fdec0652da80afe12b4942112cd628927f404adf914fee

memory/3996-125-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3996-129-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6AEF.bat

MD5 1910bded7f9460f6f8fbbefce57fcf1f
SHA1 1d4643ae848f9c9bb493f1f961f3e8f04dbcc365
SHA256 e16ad08173af1c429c11ac430446a17b0f7be49fe95b7ae219878633086ef5db
SHA512 3c5f8fdbab3e4faced2ff5373e280832aa982a2170a5282327c7a2b311833f757044965dc1b66589d22cd576af43f09d16aa929403410c22d39b84b066975f95

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

MD5 73d597a2b90c7d4d2e90ca08c39d2f99
SHA1 d6788d79477f3f0da9b0c5229ce6834136d91a59
SHA256 d45bba35a13db84260f7981f247ff1a75cf3065ac993ae1a13708a542a19280e
SHA512 ec5e70b7db46d6c298052ffe9a7c89c5b7ba6de67551e36262d84fcd3e4930dfde9ab29b23845bcc54d76d67530b6455a3f422b3349032ab41915676730a01ce

memory/2448-133-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2448-138-0x0000000000400000-0x0000000000410000-memory.dmp

memory/5060-142-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1412-2917-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1412-3129-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5060-3130-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-30 17:42

Reported

2025-06-30 17:45

Platform

win11-20250619-en

Max time kernel

150s

Max time network

102s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\WINDOWS\FONTS\C9862.com N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\WINDOWS\FONTS\C9862.com N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\C9862.com" C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\edge_feedback\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\WINDOWS\FONTS\C9862.com C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File opened for modification C:\WINDOWS\FONTS\C9862.com C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\FONTS\C9862.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\C9862.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe N/A
N/A N/A C:\WINDOWS\FONTS\C9862.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5840 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 5840 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 5840 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\Logo1_.exe
PID 2736 wrote to memory of 5348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2736 wrote to memory of 5348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2736 wrote to memory of 5348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5348 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5348 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5348 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5372 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5372 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5372 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3400 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3512 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3512 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3452 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3404 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3404 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3368 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4636 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4636 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4936 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4900 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4900 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 5328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4440 wrote to memory of 5328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4440 wrote to memory of 5328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5328 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5036 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5036 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 3328 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 5624 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5624 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 5624 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4968 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4836 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4836 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
PID 4620 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72DE.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7445.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74A3.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7511.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a754F.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a759D.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7649.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7743.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77DF.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a781E.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78AA.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7985.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79D3.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A21.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe

"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\C9862.com

C:\WINDOWS\FONTS\C9862.com

C:\WINDOWS\FONTS\C9862.com

Network

Files

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\$$a72DE.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7445.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a74A3.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7511.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a754F.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a759D.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7649.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7743.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a77DF.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a781E.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a78AA.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7918.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7985.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a79D3.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

C:\Users\Admin\AppData\Local\Temp\$$a7A21.bat

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe

F:\$RECYCLE.BIN\S-1-5-21-707770698-2523217751-1187874351-1000\_desktop.ini