Malware Analysis Report

2025-08-10 19:58

Sample ID 250630-wafmys1xaz
Target c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8
SHA256 c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8
Tags
defense_evasion discovery persistence spyware stealer
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8

Threat Level: Known bad

The file c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence spyware stealer

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-30 17:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-30 17:42

Reported

2025-06-30 17:45

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\WINDOWS\FONTS\6FC85.com N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A (20 identical rows)
N/A N/A C:\WINDOWS\FONTS\6FC85.com N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\6FC85.com" C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\edge_BITS_4460_996353194\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A (20 identical rows)
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\WINDOWS\FONTS\6FC85.com C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\WINDOWS\FONTS\6FC85.com C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A (21 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (20 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\FONTS\6FC85.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A (18 identical rows)
N/A N/A C:\Windows\Logo1_.exe N/A (44 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\6FC85.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\WINDOWS\FONTS\6FC85.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4092 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\Logo1_.exe (3 identical rows)
PID 2216 wrote to memory of 5780 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical rows)
PID 5780 wrote to memory of 5088 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical rows)
PID 3384 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe (3 identical rows)
PID 2880 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4648 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe (3 identical rows)
PID 224 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 5716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3840 wrote to memory of 5716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3840 wrote to memory of 5716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5716 wrote to memory of 5460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5716 wrote to memory of 5460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5716 wrote to memory of 5460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5460 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5460 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5460 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 412 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 5204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3408 wrote to memory of 5204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3408 wrote to memory of 5204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5204 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5204 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5204 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3460 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3460 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5532 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5532 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5532 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4916 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4916 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4556 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4660 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4660 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4792 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4928 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4928 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4640 wrote to memory of 6048 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F39.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51AA.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5227.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52A4.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5311.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a539E.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5469.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5505.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5573.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a55F0.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a565D.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56BB.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5728.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5776.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a57E4.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5851.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a58AF.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a590D.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\6FC85.com

C:\WINDOWS\FONTS\6FC85.com

C:\WINDOWS\FONTS\6FC85.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4092-0-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cdaabb480b7d3c10c6f4f451c8c08d69
SHA1 667ce007c73b1d663decd86d730227569d23acbb
SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

memory/4092-8-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2216-9-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4F39.bat

MD5 0dec45fb43a975d0c28f9f501bd4c661
SHA1 b0d431ae44de3e1dd1fa2ae9bcc7cff211b030bb
SHA256 c60f4f50e0f86c3cb11a46ffb7e5abdaa832c01bb8c9ff72f5e1aa5d03e802fb
SHA512 229a8e067190a796a7d7c74c0df8d344e3cd7cd24dc7dba82659cbe710247af2b43cc8ae90f9f1930709b6520a9bd4aae9033e5dbc038570e8534a9aaea1cf99

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 bf21200d0730b76ed14331c26efd6f9a
SHA1 e50ad28d7eeff0af91450b1baa57324cd5c07e8d
SHA256 31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca
SHA512 3811b7fe345953504e8001cfdc48e53d0672b0e29cdaeb67a0ea58468313e2889483b6b8677e68fcdcfac0ac9f724ce769a955f4a66179141374b55a2259636e

memory/2880-19-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

MD5 86261ef25328f6ecb254ef5cd97966e2
SHA1 1a82a58cc4daba5eae7aeb24c02fbf6243e3890d
SHA256 68271939e4bf8ed94dcb7e1978b4f55c841d4a25772de5d13022896f7a5b0e2d
SHA512 b3819f220689b22444a66811075ebd0b6dfad6fc54419ebe3126bb1eff1dfaac0e3d826f7ffc1a35acc87abe3f3bd04e812c57a1c09af990326a855dcc927897

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 4d08c3836fddb6ff034253da2ddd8212
SHA1 5448488a994ae7de593802e9d55074848f7482cf
SHA256 9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7
SHA512 8a27a34fd77cdf05ff35c63524be0b2c6de8a7add0affe104468f01eabf52739add080aea2f550bca2ebff1b95d5b0e66a3bcce00dd43797dbba645447cf9e30

C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

MD5 48e8bd70453ef68dae2c9542b4b22eef
SHA1 883aa1e2629a90f580245e8793f5f9efadff3e60
SHA256 4f4f3fe92a69cab6f836f6d1b1da5cb49ac329bc6c79f406552036385ddc4f77
SHA512 31125ebc124c0c36631d37dc9275abddca72eda2fd2a52819093644f4831ccf328fe608c6fe19fd0713c119e1f3091b0cfe95678dab61441283507d3edfe9ee0

memory/224-26-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 80cb0a885f223c77b49eb94535f29be0
SHA1 c631c770d41d0b6043521c3b16838d02554ee952
SHA256 214996f8328d42c20b13e8a847d8b0b33100e5180e0a748a220e24a84ea4ceda
SHA512 91ecef3a67a184fe531e1ca7616553153c0585bf2262373a4d167b911bda73704b106c688c560a1c82cc076cc3762b2481f02ceaf31b89892f90a6fcf01f92f0

memory/5716-33-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a51AA.bat

MD5 aaa65ba332abd3b763bf7359c0f07d6f
SHA1 b79f2c63c7f79d80df865d9c72b2849430599050
SHA256 01d8b9f3dd97f75da0f0159383003ffc7cb3104d7991e1003c2468fbfb07263b
SHA512 400028188340d87acb72595a2ee97fb60384bd687ba17b563c0d843f1680f72d3b3867f71bdc68ed1871f686cf7b5393f2e7c30e3e9ff31708ea57b4196e0e4f

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 28bd5c3abf0b5b887d65baf1994b56a6
SHA1 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256 d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186

memory/412-40-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5227.bat

MD5 d058cbafb2286930f0707cc2c60c0ef4
SHA1 27165ea37d7c0de02d1f28e1dcb34df02a0bba4a
SHA256 42c0f50b351aa63ad92f275b08c8690e2538bab4ac5f72a2d6d5a39d3ddf517e
SHA512 83236d94eac07456359471333703bad207ffdf0f9c2b192d126091bbf1a2fc7c05b85c18e780ace0626c2e1f89a6caa0b0f0d0d118f5c33714c279611ccca181

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 0137dec43c77f401659bcd7a4032702c
SHA1 e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512 c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

memory/5204-47-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a52A4.bat

MD5 aca2c162706f61f633ecfa895d0606ae
SHA1 822c1900938db63689834777c142e23c62909ad0
SHA256 fb048ca5e6605dd5bc4733d53c4d8d7b74266ba993256582e2e84ee56103cafe
SHA512 28f557843c7fc6918b5cfbb0e61ad2e8c8048d8d74d49941da9b38ff5dbeadb3829c76302d660e14e84c8a67144e6ed4f61ad5a5c5e2c6a9b6eeb2b583482085

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 f0866c2d2ab43b833b957787b4a08526
SHA1 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256 ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

memory/5532-54-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5311.bat

MD5 1d439686a2715e6e5b8c0f3d703d1366
SHA1 fd49dc2df7e0da7fe8cd788ba5bf5d30ae6d9938
SHA256 a9f0a4f0b7dab0d813d57d9b43b9d207c7e007c0b8721d84688203a01fcec93c
SHA512 fbe6515c3c3e035e535f2d7aaa262c0653957fa6ba34d4683667cc2a0881af46dfc3919e3c30eab619029f87b5ad8e08e74e0f255fe0de986f07cc518a9846b0

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 47db56aa979056f9beba80adc63e72ea
SHA1 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256 bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512 f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

memory/4556-63-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a539E.bat

MD5 92a36913a03168390b21daa60019d803
SHA1 6f27d93046ac08154c73b702bb4585d8cec94555
SHA256 34123e14943dd8a34e2c3a2dbf90ed1f7372ae1189837f649852f86c7cd969ad
SHA512 ae6f65967a3696d99585d9edc43fe6e666f63908d0dbba3969fe428c9d8498d6e0c2afaa0d32ba59075956c627700b07768c0e553f398c23fa5503034b2467c3

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 6d9545c6556a236a67207db368fcdce2
SHA1 b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

memory/4792-70-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5469.bat

MD5 54efd0928f7add5e706c7fbaf1eebc6b
SHA1 75f00620592bea0c7ec42db0916e24a6fc5f33b4
SHA256 dfddcd30609ec45f10c2ef86ada32525692fc9d39e494f119942f849a246c321
SHA512 c6a186783c80f1d113f6eee5afbb119b1cdb09bd7a6f201e6fff90c6f85c36b4cd55c006b92de8d0475beca29aa11dc1b2976b7971bb148daf79af69182d1f03

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 a5e603ffd2f00e966f2230590c221c66
SHA1 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

memory/4640-77-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5505.bat

MD5 e70d844b7681bd7fc1b7a58e7540e5cf
SHA1 585464af3c2bdf4758b4ff8c11bd0e141662bc63
SHA256 49dc8dd992ba03069334e05e10bb8e318e6fb514d3d94b664edf0dc380497244
SHA512 970f37bd18add5678f0dfcaee2f88acf52259989a14e9f4585379c96b1b50d05eae7147b17e5074218f95d363ba961bf3a966f93b8652e77c4f43678e25cd255

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 a353218f7897ca4ea7b1ff4416fe1817
SHA1 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256 ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512 df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

memory/2216-81-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5856-85-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5573.bat

MD5 068ce2de966ef3f12559f1f89697b994
SHA1 41adc68eb0ccf59e23d1e4d7aa4ed60bbcf854fc
SHA256 19081ca461e45ce5d85a1a778d36b86110a1581799393bfbdf3143944bf27bc6
SHA512 065691c1d9540e80f7bb8077399555cf30dff0c2a498c40349ed4295ded42e6ec44d5b464a342f8de774db39bde282d22a8b7def45b3e9863cbce0198e64b437

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 00428256f70551c84c7321970cdc53cd
SHA1 ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512 b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

memory/4824-93-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a55F0.bat

MD5 aa9e21de64b35c9e771f5fc91913a67e
SHA1 a21116867520ad8754c47838d1ebd161b28dfa72
SHA256 60d14fef7fa105af3f6f16b592bf4dc8f776a62556260e47916ac103d3c9d077
SHA512 083d2b179b5fbfc08d7230c4950a42f95a67379b76d2c82d7897cf8044a3c09c437ceeeeb6c11b968c9f442fa9777dc48746180c95c64b9719b7973762e9f224

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 e9d499bb915d58a3a58429209eb00b7d
SHA1 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256 f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512 b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

memory/5304-100-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a565D.bat

MD5 fc6053ae116c6aa0a02d3e0bbcb6aeb3
SHA1 ce5c22e2beb3682aacc73d91b303859ee0b6cffe
SHA256 8740d67591bf76e9c6dc981391e026bbe0d6bc78c838658c78316e5dda5ce251
SHA512 7969f13ad9fc80f9e1c2251a1f8594af3c053a1f64217255c3eeccf2bdeffba48d2f72d6566a91bc84796ac0f836483142b2f27ccecac0e9e7ce8e669f9dbec6

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 56cf1234d82b459b0d4b0e91312d62da
SHA1 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256 c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

memory/6092-107-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a56BB.bat

MD5 866f40f4c985e4d4d9cfd01956508dda
SHA1 9bb3065a0cd219e234419b1dd2189a34cb6d2935
SHA256 5091d4b5973efad986f403379bb66edc08c486681417f37c3674a64159c4242e
SHA512 934aa7a4b33141f3652c14dbf062255225c170c9236b589d765e51588802c6bfeb1f2a0d9a1172a1260aedd575652cc3e751382717d97ed2b273e8c250d5f667

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512 ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

memory/4580-114-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5728.bat

MD5 cd4bcf0063b22b37b2dc54a81addf699
SHA1 f259a73432832c3b6b06faa21ade7e18c0ae1f3f
SHA256 89dcd1d02d05f29b7f183435368ec43fea7099b0e4ab737b6d899dbf2b9c26a8
SHA512 5ad8da3ad0579a3f64f857963576b5408b94d34e73cc05bb4c2ffcaf9526cba2074bd476cd66359ffd03bff4427fccfca1af32a3fc17c27ad67ed07e1eab80da

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 6a063093130a94dde2ed4ed5190f4591
SHA1 14a584a3198ce15445293c447b64e40f175778b2
SHA256 ec166e0c3a4b1d10e131ef693df960038a838e853993e554157e25902710f7d5
SHA512 52abb8a99086804f5d119aec5e2d3e65c60e8b24a18e774b7513ea2da80f10b0e4a00f3be8c79ac82249da3eb53d8a0b0c1957f502d8ec316f898de80501948d

F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

memory/1376-122-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1376-128-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5776.bat

MD5 8d3252573620542c582dd884ffe71207
SHA1 0bb8f57b9d05bca610d702d76c310dc573eff0d4
SHA256 733cc180c6746238d298b6e003959f5a7c5eececf83a57e605b7fedd439bd49b
SHA512 471bdcb3f4d5756096ea5ab37774d2d5391e434861c4e94f88a77adaf0210f2cc9a38e82e7df5f30331af71d561f0af13dee463ed0c20247bfcdb17328288050

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 24521e0e4ff80ec026b26bd91fb35814
SHA1 1cf942e47978651e2007d6bcfa0858ae8e061a09
SHA256 a8988f6abaf68f2de8ec718b12647c0c1d3eaec8d6b7da90bb54b52d790308d4
SHA512 83a95155ff8f5cae0a8f51217a846b99f15e565983a9adf25f0eae9e5776b33ac8ca2532098012dc3a8117593ac4173d4f4a7faadc3fb73297a2ee1bc2e0fc9f

memory/5604-135-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a57E4.bat

MD5 6c897f2a54fb6bb817b7818e8378f37a
SHA1 c911883fa2fbdeeececbb6f0d8d5f0fb8a8e7f8c
SHA256 8ffa1f3fff52a10ccf20aa8e5216c7a65f04271c9ce680ff9038b39b96efb705
SHA512 3113269118fd6ee13d67a7025ff52691f2de97467959f0404474a036f00e1ca4003003db770b203ab8cb03a3e5c874442dc6c190dd5fb71c78a8e727843375bc

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 72fe255af046de79ac4650cb4a4332fa
SHA1 f4908b352614c56263742f28152579b5f3099693
SHA256 a72d5f83151a25cb339c78fd98048d9779b50529ece3e8a38ac93bc294645f5d
SHA512 1bafa57faa6168588db7aa79ac3b234b6c89f985d62aacb8581f7cdf51226698ba6efa538d0e5759167dab8a07d475f08731706ecd3c9a481ce5be107edafee7

memory/4024-142-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5851.bat

MD5 909c903e9889fb488d0f42e954997ae4
SHA1 dbc302fe4ce52d4b076fae27468147b382e855ba
SHA256 62afb3cb5b3685ca869087394065f34589f7979968078394e9ae3cea15489052
SHA512 f18970e3bf0fe4ea1ef5ab15f07832d9e46cd39f8a60cd7450f2a7226c696e249c20b60ac5eff70ecf479cb2d4570ed5383ac553f13aa6d601a19154fd01803d

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 bec23ed6f40d2d0aa004ba48bdddd1f0
SHA1 ccac53c8c930a857bd8ddad248a16d5f601efd47
SHA256 90e041311b6fc3b92306ba38e98431d874c77369e1e3cffe1e7247948fe78a4e
SHA512 d8ec7da14addc5ca5d5bc22c1aa5b54f4ef66cbf8102342a2818b9456e5cb8b8461b83523f0b6b9c46ccf09d2e3b0585382acf0b39dbe7eb8d408123094225c5

memory/3476-149-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a58AF.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

memory/3612-153-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3612-157-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a590D.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

memory/2344-161-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2344-166-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2216-3273-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2216-10077-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2696-10084-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-30 17:42

Reported

2025-06-30 17:45

Platform

win11-20250610-en

Max time kernel

149s

Max time network

104s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\WINDOWS\FONTS\ACEA2.com N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\WINDOWS\FONTS\ACEA2.com N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\ACEA2.com" C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\WINDOWS\FONTS\ACEA2.com C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File opened for modification C:\WINDOWS\FONTS\ACEA2.com C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Logo1_.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\FONTS\ACEA2.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\ACEA2.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe N/A
N/A N/A C:\WINDOWS\FONTS\ACEA2.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3888 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\Logo1_.exe
PID 3888 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\Logo1_.exe
PID 3888 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\Logo1_.exe
PID 4460 wrote to memory of 5684 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4460 wrote to memory of 5684 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4460 wrote to memory of 5684 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5684 wrote to memory of 4036 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5684 wrote to memory of 4036 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5684 wrote to memory of 4036 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5192 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5192 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5192 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3184 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5816 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5816 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5816 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4100 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 5992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4452 wrote to memory of 5992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4452 wrote to memory of 5992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5992 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5636 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5636 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5636 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5064 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4876 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4876 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5080 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5080 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4900 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 5856 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5856 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 5856 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3020 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3264 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 3264 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4512 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4444 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4444 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe
PID 4596 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe C:\Windows\SysWOW64\cmd.exe
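
The rows above are one line per WriteProcessMemory call, so the same parent/child pair is listed up to three times and the shape of the tree is hard to see by eye. The script below is an added example (it is not part of the sandbox report) that parses rows in exactly this format, collapses the repeats into one edge with a write count, and walks the chain starting at PID 5192 to show the relay the table records: cmd.exe launches the sample, the sample launches cmd.exe, and so on. The embedded rows are a constructed subset copied from the table; `relay_rounds` simply counts cmd.exe-to-sample hops and is this example's own convention.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed input: a subset of the WriteProcessMemory rows above, copied
# verbatim. The sandbox emits one row per call, so a parent that writes into
# a child three times appears three times.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROWS = "\n".join([
    r"PID 4460 wrote to memory of 5684 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe",
    r"PID 5684 wrote to memory of 4036 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe",
    r"PID 5684 wrote to memory of 4036 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe",
    f"PID 5192 wrote to memory of 3184 N/A {CMD} {SAMPLE}",
    f"PID 5192 wrote to memory of 3184 N/A {CMD} {SAMPLE}",
    f"PID 5192 wrote to memory of 3184 N/A {CMD} {SAMPLE}",
    f"PID 3184 wrote to memory of 5816 N/A {SAMPLE} {CMD}",
    f"PID 5816 wrote to memory of 4100 N/A {CMD} {SAMPLE}",
    f"PID 4100 wrote to memory of 4452 N/A {SAMPLE} {CMD}",
    f"PID 4452 wrote to memory of 5992 N/A {CMD} {SAMPLE}",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return one (parent_pid, child_pid, parent_image, child_image) per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Collapse repeated rows into one edge per (parent, child), keeping the
    number of writes, and remember the image each PID was seen with."""
    children = defaultdict(dict)   # parent_pid -> {child_pid: write_count}
    image = {}
    for parent, child, p_img, c_img in events:
        children[parent][child] = children[parent].get(child, 0) + 1
        image.setdefault(parent, p_img)
        image.setdefault(child, c_img)
    return children, image


def chain_from(root, children, image):
    """Follow the tree from root while each node has exactly one child and
    return [(pid, image basename), ...]. The cmd.exe -> sample -> cmd.exe
    relay in this report is such a single-child chain."""
    chain = [(root, basename(image[root]))]
    node = root
    while len(children.get(node, {})) == 1:
        node = next(iter(children[node]))
        chain.append((node, basename(image[node])))
    return chain


def relay_rounds(chain):
    """Count cmd.exe -> <sample>.exe hops, i.e. how many times the sample was
    re-launched through a cmd.exe in this chain (this example's own metric)."""
    names = [n.lower() for _, n in chain]
    target = basename(SAMPLE).lower()
    return sum(1 for a, b in zip(names, names[1:]) if a == "cmd.exe" and b == target)


if __name__ == "__main__":
    kids, img = build_tree(parse_rows(ROWS))
    for pid, name in chain_from(5192, kids, img):
        print(pid, name)
    print("relay rounds:", relay_rounds(chain_from(5192, kids, img)))
```

Feeding the full table in (every row, not only this subset) extends the 5192 chain down to PID 4060 and shows that the sample is being re-executed through a fresh cmd.exe at every level rather than injecting into an unrelated process; the 4460 branch, by contrast, is Logo1_.exe driving net.exe and net1.exe, which the Processes list below resolves to the service-stop command.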

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a800D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8230.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a82AD.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a833A.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83D6.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8462.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84EF.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a854D.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a85CA.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8628.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a86A5.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8712.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a878F.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a87FC.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a886A.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88D7.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8944.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\ACEA2.com

C:\WINDOWS\FONTS\ACEA2.com

C:\WINDOWS\FONTS\ACEA2.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988
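
The command lines above carry the behaviours that matter for detection: net.exe/net1.exe stopping a service whose name says "AntiVirus", cmd.exe /c running `$$aXXXX.bat` files out of the user's Temp directory, an executable run from C:\WINDOWS\FONTS, an unsigned binary dropped directly under C:\Windows, and WerFault.exe reporting a crash for PID 4460 (the Logo1_.exe process in the WriteProcessMemory table). The script below is an added example, not sandbox output, that applies those checks to command lines copied from the list. The security-product word list and the small allow-list of executables expected directly under C:\Windows are this example's own assumptions and would need tuning before use as a rule.

```python
import re
from ntpath import basename, dirname, splitext

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe")

# Constructed input: command lines copied from the Processes list above.
COMMAND_LINES = [
    f'"{SAMPLE}"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a800D.bat",
    r"C:\Windows\Logo1_.exe",
    r'net stop "Kingsoft AntiVirus Service"',
    r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat",
    r"C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\ACEA2.com",
    r"C:\WINDOWS\FONTS\ACEA2.com",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4460 -ip 4460",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988",
]

# Assumption: words that mark a stopped service as a security product.
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "firewall", "endpoint")
# Assumption: executables legitimately found directly under C:\Windows (not exhaustive).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}

NET_STOP_RE = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
CMD_C_RE = re.compile(r'(?:^|\\)cmd(?:\.exe)?"?\s+/c\s+(.+)$', re.I)
WERFAULT_PID_RE = re.compile(r'\\WerFault\.exe\b.*?\s-p\s+(\d+)', re.I)


def image_of(cmdline):
    """First token of a command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0]


def image_findings(path):
    """Checks on where an image lives and what it is called."""
    out = []
    d, name = dirname(path).lower(), basename(path).lower()
    ext = splitext(name)[1]
    if d.endswith(r"\appdata\local\temp") and ext == ".bat" and name.startswith("$$"):
        out.append(("temp_batch_launch", basename(path)))
    if d.endswith(r"\fonts") and ext in (".com", ".exe", ".scr", ".bat"):
        out.append(("exec_from_fonts_dir", path))
    if re.fullmatch(r"[a-z]:\\windows", d) and ext == ".exe" and name not in WINDOWS_ROOT_ALLOW:
        out.append(("unexpected_exe_in_windows_root", path))
    return out


def triage(cmdline):
    """Return a list of (tag, detail) findings for one command line."""
    findings = list(image_findings(image_of(cmdline)))
    m = CMD_C_RE.search(cmdline)
    if m:                                  # cmd.exe /c <target>: inspect the target too
        findings += image_findings(image_of(m[1]))
    m = NET_STOP_RE.search(cmdline)
    if m:
        svc = m[1]
        findings.append(("net_stop_service", svc))
        if any(w in svc.lower() for w in SECURITY_WORDS):
            findings.append(("security_product_stopped", svc))
    m = WERFAULT_PID_RE.search(cmdline)
    if m:                                  # ties the crash report to the faulting PID
        findings.append(("crash_reported_for_pid", int(m[1])))
    return findings


def summarize(cmdlines):
    """Tag -> number of command lines carrying that tag."""
    counts = {}
    for c in cmdlines:
        for tag in {t for t, _ in triage(c)}:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for c in COMMAND_LINES:
        print(c, "->", triage(c))
    print(summarize(COMMAND_LINES))
```

On the command lines from this report the summary counts two service stops against a security product, two Temp batch launches, two executions out of the Fonts directory, one unexpected executable under C:\Windows (Logo1_.exe) and two crash reports for PID 4460; any one of those is a reasonable hunt query on process-creation telemetry, and the combination is what the report's "Known bad" verdict rests on.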

Network

Files

memory/3888-0-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cdaabb480b7d3c10c6f4f451c8c08d69
SHA1 667ce007c73b1d663decd86d730227569d23acbb
SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

memory/4460-8-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3888-9-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a800D.bat

MD5 1fb5ff0849bae2d9702dafd7827c0480
SHA1 a40c8bb540968700e1ab9580377befad0427bf04
SHA256 fb3999000977f8aaaacec19d28d34aaadfac198edf4591f6a6763df2614c3175
SHA512 424f36290abc5f1790489f19b72f1de71a26efbc2962c6a3149815252ee034604267e9289bd1b5235b42e576e47f20a8652552d054b6ab2e724b2aa804418ce4

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 bf21200d0730b76ed14331c26efd6f9a
SHA1 e50ad28d7eeff0af91450b1baa57324cd5c07e8d
SHA256 31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca
SHA512 3811b7fe345953504e8001cfdc48e53d0672b0e29cdaeb67a0ea58468313e2889483b6b8677e68fcdcfac0ac9f724ce769a955f4a66179141374b55a2259636e

memory/3184-19-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8184.bat

MD5 cfad333d75af1d63255e25d76f56e01e
SHA1 146a087530881c632d0abf651badaeb3a68b72fe
SHA256 9c65b2800209ed47b0c109c2aed276ce3c9d8dbbf9106248cb96e5de13fa8d41
SHA512 af36e31a68ca515be4046305af13ac213a8a9962e18c7b839c9c64302669f9de458008389d0d1f5178f252202f862b529b92e5298c49c398b74b0e2a384902fe

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 4d08c3836fddb6ff034253da2ddd8212
SHA1 5448488a994ae7de593802e9d55074848f7482cf
SHA256 9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7
SHA512 8a27a34fd77cdf05ff35c63524be0b2c6de8a7add0affe104468f01eabf52739add080aea2f550bca2ebff1b95d5b0e66a3bcce00dd43797dbba645447cf9e30

memory/4100-26-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat

MD5 f0f2885f807655ebeedae59370fd8f4d
SHA1 a1ea6e99c098eaf90bec7286e8d9f427469f6549
SHA256 0efbbbf202fae576446847f9fb231548750dc4778fbac89e29659fc46bd4aa4f
SHA512 c4ab6ae4bf3bc0bb196b6287c88b02e63ae0216db978e6a5fb6b703abbddb2e816d551003ab4b8fd07652e3ac4e6d550d3dcb3db9eba1bdda5f5203e10ca6bac

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 80cb0a885f223c77b49eb94535f29be0
SHA1 c631c770d41d0b6043521c3b16838d02554ee952
SHA256 214996f8328d42c20b13e8a847d8b0b33100e5180e0a748a220e24a84ea4ceda
SHA512 91ecef3a67a184fe531e1ca7616553153c0585bf2262373a4d167b911bda73704b106c688c560a1c82cc076cc3762b2481f02ceaf31b89892f90a6fcf01f92f0

memory/5992-33-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8230.bat

MD5 69a11c9e500ccf6b04dabf3d439ecbec
SHA1 e5fb2575b8a0dbdfdab0bd48909bf5997ce0f475
SHA256 1e44b4dce3a5abff0204585822026dbaed99d000777aab7e8e126e7dcf44fdfe
SHA512 6e6c2d63675939ff9383262732af516fe491158c66182affbf3f462f74de11015bbb704f2111197f3cc64c29909686683c57833d4582e171aaa79fe5a7b5ef34

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 28bd5c3abf0b5b887d65baf1994b56a6
SHA1 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256 d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186

memory/5064-40-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a82AD.bat

MD5 852a88a768f57ae59081947dc74e2e25
SHA1 b4d5f94ce27922381a6a81ed88bb043c0fda2a32
SHA256 4b43ba523712c57141c5cfafa77fd935053e2f6d1216289c538f57b62dd1ceb4
SHA512 ccf0c3ccbdb44d2f7f7e04050fbbff8f7291febf1250effb7b99d9fc10a563009f74f74d7ad72be89811b215cba7925ade8eb6906da76598c3ccd70e29296e7f

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 0137dec43c77f401659bcd7a4032702c
SHA1 e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512 c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

memory/5016-47-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a833A.bat

MD5 e328c65adb3413920fe2905d521f829e
SHA1 e559413b3951654ea49a38d8e220f0bbaf728cdf
SHA256 360e01b0801e460866952923fa3933157dc557df3d798b46bad45b19f1140297
SHA512 1e9407cc6815d4effcf0030ea0bf0ea0087af92ee87be60fd0f7a69da3436cf2d434985a6727d365d309d42fb567df967f002c732948de383fb905d125590b62

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 f0866c2d2ab43b833b957787b4a08526
SHA1 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256 ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

memory/4900-54-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a83D6.bat

MD5 8b087be99e83615793804f762a9618d1
SHA1 52c55d31ad07b7a411dd0af072299050746502f9
SHA256 36b2c5329f144670f28c1d5145b9e8a2d55ea53c0f72ee15de508f46d460b8f3
SHA512 3b61a236165697be5e378b6cf42335c3d652e1c61fa3f58d8620f44abcacafc7d550d41b39c4fc1ee70622905d72ca38383400bb3fcef89b34a68f5305f3b6e5

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 47db56aa979056f9beba80adc63e72ea
SHA1 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256 bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512 f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

memory/3020-63-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8462.bat

MD5 d3dc06d3316d7e28bc4c14676361c918
SHA1 687c4cc17886abc0053bc662cba169edb72ffbd7
SHA256 ee9a5d4cdc2cf243217826fcdffdde7ce20e9a91d7fbcfa775ae8103da3075f0
SHA512 c85ac675bc2072d930bbe33d7f19cab65ae0d5932072b1461a462e631f4acddc0828b619320e4e7be9affbd87b4bc6d0743ae88a286392218dfacaca97c16353

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 6d9545c6556a236a67207db368fcdce2
SHA1 b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

memory/4512-70-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a84EF.bat

MD5 c6323c0a1b55cf51059696b5c67dd275
SHA1 a01b239b8bb7f56147a9b1eab790e0c6ddc2fdcc
SHA256 b59af94f3d03aa98a35777ce7c6dd27158fd43d65f379a05aeacfafe786ebbbe
SHA512 8b745b2162144a2316069b491913220a3acf8fafcc0af9917e9aa90cc60e2fddcc7abc4ad3eba4ded821e9b7b311a7cf052e092ba1d3d90b3fc00fcc94431952

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 a5e603ffd2f00e966f2230590c221c66
SHA1 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

memory/4596-77-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a854D.bat

MD5 7aec65108c75f44aebd1ea3484e9f72b
SHA1 9c585b43fa12aeff01f7121c5010b4173126bc96
SHA256 6a5aec292f829a7c1bf295bdeb947f34d024039a89d8f16ecbd10229ef83e1a7
SHA512 84ecbd8508e4769327cbc6054e3954ea54578f3748c4aa5f0454950e9726c6d83bed92fb4d9de1e5b7208ab6553fb445c69649cb9493b3b93d29f1db93b933ac

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 a353218f7897ca4ea7b1ff4416fe1817
SHA1 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256 ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512 df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

memory/4460-81-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2884-85-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a85CA.bat

MD5 60579ecf8d500409fdf79b043c25ab19
SHA1 2b7ae2b3e5c69fa5887093242fa6d30b724f3903
SHA256 3acd8f120f5744e8d99cd941376ab0d55f60b0425bf8c5b5214b8782f85b3052
SHA512 05b80937c9e0d268664c22cfc283e6aea8b5814bac8862d078be55de552ef062602e335cd63015e3244f3da97b1da9fcd0bdb77837fa5124270138f450071918

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 00428256f70551c84c7321970cdc53cd
SHA1 ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512 b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

memory/2328-92-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8628.bat

MD5 94e326e083f21e1e06d7534196efad08
SHA1 6b8ae9d1a77c59fd956146fcd008af4f4c941cb0
SHA256 305f11554748d5f7fabbced9367d81c8ea89c30bb3df34e45f34423c83a8ec95
SHA512 92826cca0d055c824692b63199bd3161ccd68a8424e2230de45ef3365554f8757ecc1dba865cb158973f857dfb69df9690b6e27ce2e139461fde0242f1f6d910

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 e9d499bb915d58a3a58429209eb00b7d
SHA1 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256 f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512 b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

memory/5068-100-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a86A5.bat

MD5 f9abf501c1013c67b00df4584fc078d7
SHA1 87a0bd4dd9f093bbbd5640f43ee8a57598af3d81
SHA256 cd6f266cd45391a3fc47dfc87c7380efe58d3c2fbf632d68aadd35ffee962417
SHA512 88e025e79578635958d348bfe35df620d4b205f0d6205867110730770d64a144b67621ffae5f21063cb6190849ffb4acaf161cd3fd02ad404163d22f9580305c

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 56cf1234d82b459b0d4b0e91312d62da
SHA1 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256 c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

memory/2652-104-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2652-108-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8712.bat

MD5 825a039053c3264593df8db224a1e97a
SHA1 94da1bd97feabe1d8140abcbf508fa3f0f329f30
SHA256 4c7e36437241ab38fbadb8f08d150a75168b247fa16048330fa15be731f46b70
SHA512 6627c546d46433c86beb88a5acf663ed948914e9b72c4b283f9a3a57d5fe0d3ee560d3d70fa4c6f0a52ad687e0acf8533a61b616679c7448120db61ba6618266

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512 ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

memory/3204-115-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a878F.bat

MD5 1d429786d126eb039ee3d27774eba5ff
SHA1 b9b524c7576045c4054272e000af3ed14a004c28
SHA256 5421a5102cefc3e7a229363b102cef1daf068d3cf40dde6135aba777fc30ac18
SHA512 61b54d7f1efa3ca832bb41a4d3a0cdf53a4e0822f044a54f5c7f04a1d1bcf71fe8069046265225e06cd6d288f391be6f3d0808f6d7a91372ba03e1a5ea30d70f

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 6a063093130a94dde2ed4ed5190f4591
SHA1 14a584a3198ce15445293c447b64e40f175778b2
SHA256 ec166e0c3a4b1d10e131ef693df960038a838e853993e554157e25902710f7d5
SHA512 52abb8a99086804f5d119aec5e2d3e65c60e8b24a18e774b7513ea2da80f10b0e4a00f3be8c79ac82249da3eb53d8a0b0c1957f502d8ec316f898de80501948d

memory/1848-119-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1848-123-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a87FC.bat

MD5 f70f896c3124e99c0b3e29a33e8f5f78
SHA1 964087eb49f4491f6da8cc5fc269a259e99d0516
SHA256 9ec784b186f3493f5bc388f128ff349d70e418e77255bee106d3fa9c7c920412
SHA512 35f00313583d0d1f036cabf7416393e72506795996d3e78d03490b85502d9fa292238527ff38bc34844794aacd19bcf3c8515288e22d971ba1eced13ee148f59

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 24521e0e4ff80ec026b26bd91fb35814
SHA1 1cf942e47978651e2007d6bcfa0858ae8e061a09
SHA256 a8988f6abaf68f2de8ec718b12647c0c1d3eaec8d6b7da90bb54b52d790308d4
SHA512 83a95155ff8f5cae0a8f51217a846b99f15e565983a9adf25f0eae9e5776b33ac8ca2532098012dc3a8117593ac4173d4f4a7faadc3fb73297a2ee1bc2e0fc9f

F:\$RECYCLE.BIN\S-1-5-21-2340264150-4060318110-2688614100-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

memory/4768-136-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a886A.bat

MD5 c11b24feada9e650486cf7f8bc1605be
SHA1 07274371187097984f3785c24a8ace63a0358e0b
SHA256 9eb90c1bfa9f96625ee12696b575723cff17e5ea4a0aab7776a7bace81d6d0ef
SHA512 d19854dc66d0c3ad59c0b0d8c034644f6a40db69db8a8840e978d1aa6d1461e526a5d4b1f2ee668ad1dd3f75e6fc0f8850d80524aeedaabe8daa3c81db417bc6

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 72fe255af046de79ac4650cb4a4332fa
SHA1 f4908b352614c56263742f28152579b5f3099693
SHA256 a72d5f83151a25cb339c78fd98048d9779b50529ece3e8a38ac93bc294645f5d
SHA512 1bafa57faa6168588db7aa79ac3b234b6c89f985d62aacb8581f7cdf51226698ba6efa538d0e5759167dab8a07d475f08731706ecd3c9a481ce5be107edafee7

memory/1636-143-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a88D7.bat

MD5 e645b96bc94751098835e36732813c07
SHA1 e554c7722f1c812914fb2e9ab33043bb14f655e9
SHA256 6ed654d16df4b916571550b909b8c14a3fa0e3a455808e95ba4e356d8a3583c2
SHA512 de77d248207588b885d6f897fdad8947785f2643b0638cc3863d94f60e1ebd2dd47c7dfce18b52596eb2d5f59fa4a6ffe52097c9e762247134ac188809d912a2

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 bec23ed6f40d2d0aa004ba48bdddd1f0
SHA1 ccac53c8c930a857bd8ddad248a16d5f601efd47
SHA256 90e041311b6fc3b92306ba38e98431d874c77369e1e3cffe1e7247948fe78a4e
SHA512 d8ec7da14addc5ca5d5bc22c1aa5b54f4ef66cbf8102342a2818b9456e5cb8b8461b83523f0b6b9c46ccf09d2e3b0585382acf0b39dbe7eb8d408123094225c5

memory/5480-150-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8944.bat

MD5 d09c30764f3e43c415b6bd14982612d7
SHA1 f696a133c7f2a0d37b963a919dd5fda37ecd7481
SHA256 80fdd64a285f5778da161e27a248ebdb4df749fd6487f56acb8b546d156a6635
SHA512 bbc031775d10794294b4640338b39a78192bd163965f325e7c7f4ec8fc587f99f89a0de752463ec336bc37b2c4b3e0fbfbd64cdf8bfcb9ab921f147c6b4eda5a

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 c3c940432ca2448b87397ac5dfaf98ef
SHA1 1e569cee32fcc218269305aaffd71f1c257a8eab
SHA256 9bc1dda9d5b4bdaf8156830b0199fd580cd80a7d19b91041e72b5be0b1d47bbd
SHA512 be7ca7f7dd31167198243e9007a0e772f8899c411ee0574af7757efd87464e604a58a827826f4ae179d36f20b5d4cdca08ddbb686215b7887c8d2f580e2400e6

memory/5672-154-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5672-158-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat

MD5 445b3dc4147bf6c0e9bf51529f89d04f
SHA1 a3902987b9d7d46f48b995b895d7a3d2ede2c866
SHA256 41a23551589db54b2f8a4d6d128eac85a212a97dc3e15e918c64dd233e85aab4
SHA512 6e14aa273681bd0db2a125fc550f42d9fa5eb5126fe3b6507ee9204805d851bee737427d79262f76236eb1f2fae204a6768018121da7c354896b2bc709e3b3d6

C:\Users\Admin\AppData\Local\Temp\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe.exe

MD5 73d597a2b90c7d4d2e90ca08c39d2f99
SHA1 d6788d79477f3f0da9b0c5229ce6834136d91a59
SHA256 d45bba35a13db84260f7981f247ff1a75cf3065ac993ae1a13708a542a19280e
SHA512 ec5e70b7db46d6c298052ffe9a7c89c5b7ba6de67551e36262d84fcd3e4930dfde9ab29b23845bcc54d76d67530b6455a3f422b3349032ab41915676730a01ce

memory/3400-162-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3400-167-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2652-178-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4460-2411-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2384-2412-0x0000000000400000-0x0000000000410000-memory.dmp
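
Reading the Files list above, every `$$aXXXX.bat` and every re-dropped copy of the sample (`...a8a8.exe.exe`) carries a different MD5/SHA1/SHA256/SHA512, while `C:\Windows\Logo1_.exe` appears with a single set of digests. That matters when turning the report into indicators: a hash of one batch file or one re-dropped copy will not match the next run. The script below is an added example, not part of the report, that parses entries in this flattened format, folds the random batch name into one key, and separates paths with one digest from paths whose digest changed. The embedded entries are a constructed subset of the list above with only the MD5 and SHA256 lines kept; the `$$a????.bat` grouping key is this example's own convention.

```python
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8.exe")

# Constructed input: a subset of the Files entries above (MD5 and SHA256 lines
# only), with a memory-dump line interleaved exactly as the report lists it.
FILES = "\n".join([
    "memory/3888-0-0x0000000000400000-0x0000000000444000-memory.dmp",
    "",
    r"C:\Windows\Logo1_.exe",
    "",
    "MD5 cdaabb480b7d3c10c6f4f451c8c08d69",
    "SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842",
    "",
    r"C:\Users\Admin\AppData\Local\Temp\$$a800D.bat",
    "",
    "MD5 1fb5ff0849bae2d9702dafd7827c0480",
    "SHA256 fb3999000977f8aaaacec19d28d34aaadfac198edf4591f6a6763df2614c3175",
    "",
    SAMPLE + ".exe",
    "",
    "MD5 bf21200d0730b76ed14331c26efd6f9a",
    "SHA256 31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca",
    "",
    r"C:\Users\Admin\AppData\Local\Temp\$$a8184.bat",
    "",
    "MD5 cfad333d75af1d63255e25d76f56e01e",
    "SHA256 9c65b2800209ed47b0c109c2aed276ce3c9d8dbbf9106248cb96e5de13fa8d41",
    "",
    SAMPLE + ".exe",
    "",
    "MD5 4d08c3836fddb6ff034253da2ddd8212",
    "SHA256 9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7",
])

DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
BAT_RE = re.compile(r"\$\$a[0-9A-F]{4}\.bat$", re.I)


def parse_files(text):
    """Split the flattened list into (path, {algo: hex}) entries plus a
    separate list of memory-dump names, which carry no digests."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            current[1][m[1]] = m[2]
        elif line.startswith("memory/"):
            dumps.append(line)
        else:
            current = (line, {})
            entries.append(current)
    return entries, dumps


def valid_digests(entry):
    """True when every digest has the hex length its algorithm requires."""
    return all(len(h) == DIGEST_LEN[a] for a, h in entry[1].items())


def normalize(path):
    """Fold the per-run random batch name ($$aXXXX.bat) into one key so all
    drops of the same artefact group together (this example's convention)."""
    return BAT_RE.sub("$$a????.bat", path)


def distinct_hashes(entries, algo="SHA256"):
    """Normalised path -> set of distinct digests seen for that path."""
    seen = defaultdict(set)
    for path, digests in entries:
        if algo in digests:
            seen[normalize(path)].add(digests[algo])
    return seen


def stable_iocs(entries, algo="SHA256"):
    """Paths that carried exactly one digest in this run, the only ones a
    hash IOC could match; the rest need a name or behaviour-based rule."""
    return sorted(p for p, hs in distinct_hashes(entries, algo).items() if len(hs) == 1)


if __name__ == "__main__":
    entries, dumps = parse_files(FILES)
    for path, hashes in distinct_hashes(entries).items():
        print(len(hashes), "distinct SHA256 for", path)
    print("hash-stable in this run:", stable_iocs(entries))
```

Run over the complete list, the result is the same shape: one digest for Logo1_.exe in this detonation, and a new digest for every batch file and every re-dropped `.exe.exe` copy. Pivoting on the full-path pattern (`%TEMP%\$$a????.bat`, a `.exe.exe` copy of the original name) or on the behaviours in the Processes list is therefore more durable than pivoting on those per-drop hashes; and "one digest in a single run" is all this check can establish, not stability across samples.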