Malware Analysis Report

2025-08-10 19:57

Sample ID: 250630-wajpls1xbt
Target: 29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5
SHA256: 29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5
Tags: defense_evasion discovery persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5

Threat Level: Known bad

The file 29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence spyware stealer

Modifies visibility of file extensions in Explorer

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-06-30 17:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2025-06-30 17:43
Reported: 2025-06-30 17:45
Platform: win11-20250610-en
Max time kernel: 149s
Max time network: 105s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\WINDOWS\FONTS\1DF55.com | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A (26 identical rows collapsed)
N/A | N/A | C:\WINDOWS\FONTS\1DF55.com | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\1DF55.com" | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\WindowsPowerShell\Modules\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\SAMPLES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\fre\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Extensions\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Photo Viewer\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\edge_game_assist\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x86\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A (26 identical rows collapsed)
File opened for modification | C:\WINDOWS\FONTS\1DF55.com | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A
File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\WINDOWS\FONTS\1DF55.com | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A (27 identical rows collapsed)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A (26 identical rows collapsed)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\FONTS\1DF55.com | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe | N/A (18 identical rows collapsed)
N/A | N/A | C:\Windows\Logo1_.exe | N/A (44 identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\1DF55.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\WINDOWS\FONTS\1DF55.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\Logo1_.exe
PID 2868 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\Logo1_.exe
PID 2868 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\Logo1_.exe
PID 4892 wrote to memory of 5688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4892 wrote to memory of 5688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4892 wrote to memory of 5688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5688 wrote to memory of 1928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5688 wrote to memory of 1928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5688 wrote to memory of 1928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4816 wrote to memory of 6068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4816 wrote to memory of 6068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4816 wrote to memory of 6068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 6068 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 6068 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 6068 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4192 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4192 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3536 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2012 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2012 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2456 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5864 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5864 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5864 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2680 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2680 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4232 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5240 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5240 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5240 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5036 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3328 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3328 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2240 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 1676 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 1676 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2432 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 5728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3380 wrote to memory of 5728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3380 wrote to memory of 5728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 5728 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A38.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AC4.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C4B.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CC8.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D45.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DF1.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E6E.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EBC.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F0A.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F97.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5052.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a517B.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51E9.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5266.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52B4.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5321.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a537F.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a53CD.bat

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\1DF55.com

C:\WINDOWS\FONTS\1DF55.com

C:\WINDOWS\FONTS\1DF55.com
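
The Processes list above is the raw record of the run. Read together with the WriteProcessMemory rows it describes two branches: the sample repeatedly drops a $$a....bat into %TEMP%, runs it with cmd.exe /c, and is relaunched from that batch (cmd.exe is the parent of every new sample instance), while a second branch drops C:\Windows\Logo1_.exe, which calls net.exe / net1.exe to stop "Kingsoft AntiVirus Service" (whether or not that service exists on the host, the attempt is the indicator). The script below is an added example, not part of the sandbox report: it rebuilds the process tree from the parent/child PIDs in the WriteProcessMemory table, counts how many times the sample relaunched itself, and runs a few command-line checks over a constructed subset of the command lines shown above. The rule names, the service-name keywords and the allowlist of legitimate %SystemRoot% binaries are this example's assumptions and would be tuned per estate.

```python
"""Added example, not part of the sandbox report: rebuild the behavioral2
process tree from the WriteProcessMemory rows and run command-line checks
over the Processes list, so the relaunch loop, the dropped Logo1_.exe and
the "net stop" of the AV service stand out from the repeated rows."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
# The 32-bit sample asks for system32\cmd.exe; WOW64 redirection is why the
# sandbox records the created process as SysWOW64\cmd.exe.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"

# PIDs copied from the "PID <parent> wrote to memory of <child>" rows. The
# sample and cmd.exe alternate along this chain; the sandbox logs each
# creation three times, one edge per creation is enough to rebuild the tree.
CHAIN = [2868, 4816, 6068, 4192, 3536, 2012, 2456, 5864, 3400, 2680, 4232,
         5240, 5036, 3328, 2240, 1676, 2432, 3380, 5728, 2196]
WRITE_EVENTS = [(2868, 4892, SAMPLE, LOGO1), (4892, 5688, LOGO1, NET), (5688, 1928, NET, NET1)]
WRITE_EVENTS += [(CHAIN[i], CHAIN[i + 1], (SAMPLE, CMD)[i % 2], (CMD, SAMPLE)[i % 2])
                 for i in range(len(CHAIN) - 1)]

# Constructed subset of the Processes list, command lines as reported.
COMMAND_LINES = [
    r"C:\Windows\Explorer.EXE",
    '"' + SAMPLE + '"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat",
    LOGO1,
    'net stop "Kingsoft AntiVirus Service"',
    r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat",
    r"C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\1DF55.com",
    r"C:\WINDOWS\FONTS\1DF55.com",
]

# Rule names are this example's own; the service-name words and the allowlist
# of legitimate %SystemRoot% residents are assumptions to tune per estate.
RULES = {
    "temp_batch_dropper": re.compile(r"cmd\.exe\s+/c\s+\S*\\Temp\\\$\$a[0-9A-F]+\.bat", re.I),
    "stops_security_service": re.compile(
        r'\bnet1?(\.exe)?\s+stop\s+"[^"]*(antivirus|anti-virus|defender|security)[^"]*"', re.I),
    "pe_in_systemroot_root": re.compile(r'^"?C:\\Windows\\[^\\]+\.exe"?$', re.I),
    "com_from_fonts_dir": re.compile(r"\\Windows\\Fonts\\[0-9A-F]+\.com\b", re.I),
}
ALLOW_SYSTEMROOT = {"explorer.exe", "regedit.exe", "notepad.exe", "write.exe", "hh.exe", "splwow64.exe"}


def build_tree(events):
    """Return ({parent_pid: [child_pid, ...]}, {pid: image}) from write events."""
    children, image = defaultdict(list), {}
    for ppid, pid, pimg, cimg in events:
        children[ppid].append(pid)
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    return children, image


def tree_depth(children, root):
    """Longest parent->child path below root (root itself is depth 0)."""
    best, stack = 0, [(root, 0)]
    while stack:
        pid, depth = stack.pop()
        best = max(best, depth)
        stack.extend((c, depth + 1) for c in children.get(pid, ()))
    return best


def reexecution_count(children, image, root):
    """Descendants running the same image as root: the sample relaunching itself."""
    count, stack = 0, list(children.get(root, ()))
    while stack:
        pid = stack.pop()
        count += image[pid].lower() == image[root].lower()
        stack.extend(children.get(pid, ()))
    return count


def render_tree(children, image, root, depth=0):
    """Indented one-line-per-process view, parent before its children."""
    name = image[root].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{root} {name}"]
    for child in children.get(root, ()):
        lines.extend(render_tree(children, image, child, depth + 1))
    return lines


def match_rules(cmdlines, rules=RULES, allow=ALLOW_SYSTEMROOT):
    """Map rule name -> matching command lines, skipping allowlisted binaries."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, rx in rules.items():
            if not rx.search(line):
                continue
            basename = line.strip('"').rsplit("\\", 1)[-1].lower()
            if name == "pe_in_systemroot_root" and basename in allow:
                continue
            hits[name].append(line)
    return dict(hits)


if __name__ == "__main__":
    children, image = build_tree(WRITE_EVENTS)
    print("\n".join(render_tree(children, image, 2868)))
    print("depth:", tree_depth(children, 2868),
          "self re-executions:", reexecution_count(children, image, 2868))
    for rule, lines in match_rules(COMMAND_LINES).items():
        print(f"{rule}: {len(lines)} hit(s)")
```

Run stand-alone it prints the tree rooted at PID 2868: the Logo1_.exe -> net.exe -> net1.exe branch, and a 19-level-deep alternation of the sample and cmd.exe in which the sample is started nine more times. The rule set is deliberately narrow to what this report shows; on real telemetry the %SystemRoot% check needs the allowlist because several legitimate binaries (Explorer.EXE among them) live in C:\Windows itself.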

Network

Files

memory/2868-0-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cdaabb480b7d3c10c6f4f451c8c08d69
SHA1 667ce007c73b1d663decd86d730227569d23acbb
SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

memory/4892-8-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2868-11-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat

MD5 4a2fd41e9890f3d4dc4ff56600ce494f
SHA1 74dada022eccbc615b42addb8803307cae027c7b
SHA256 aaeb46a032ab82dcdc523af5546b1a5104d909c6ba992afc735e6ac728cbcaa1
SHA512 d61844780b91ebd4fdde7763999d40c284773ff66d2a7f70b12ced36e978ac97383777e8111163d8cb53efed6f309c7d5765ba7d762d256d61d02b8ce79bc30d

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 b7ef4ac77f450bdd50764ff7fb40e83d
SHA1 d46c294f7a5c420f3e2eb953f801badc1c39e47c
SHA256 a5c6ae4e19893f62a5a1c617ffaf6de4c3798a29c104bd762f751ced5bc37e2c
SHA512 bc3ad0c91fd347c70a14f1372194d783c039150b8b8cc60fba162758fc8d18a5cccd22f52dc896a5d8b7e2f8ac34007016b823254c91937e3a1e30fadad65b06

memory/6068-20-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat

MD5 04698ab1677b500474434215d1b260a3
SHA1 7036b4fc642a3902f65a3a32c98ef2320e6349cc
SHA256 0105adecb794207027c98c846327094540fbc0a46dae3a676222fda390c3ae2a
SHA512 b28affb25f9ae6dc666dbc4d7cdbb74b5a6ebe440b73f6c947d3c03a2e0c450933a099aa295ef458e727cc274ca1c465dd4fde71cd14806e4deb974cd6759f51

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 4b9090bbfb7f607d3f882346eb71a169
SHA1 e8f4ba0d869ae0cee44be9614fae66a0f747e82e
SHA256 845c138b1678dc87cc210759b3f24392641998e1ccca50ab900308f2adb61737
SHA512 2944f9c9fe1a402c8698de350d671b2579d163e0f4f0e605e98e7b1796ee1285bdbe4f3bd0556fe3dd5fba320b4887b1f53ac17cb9f825bd9bb12984eaf97dfc

memory/3536-27-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4A38.bat

MD5 b73fb5588cc214630c046d5aa1d214f7
SHA1 a3ff2699ae3e1156097808a189255cd14e78601c
SHA256 305ddf3b07983231dccd49118561d62e4e617d8480e524293c71526c9e6fab7b
SHA512 63bf42814d6270d3a98601d2be6716c6496c38442a0905e6e7eeaf7a801433f51efef165bbc5fc74348b0be8f26d9c0d0fbb8ae7b2ccf6ca99b095eecac390ab

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 0aa288c5b3ca45282e87c439a49b5c0c
SHA1 99f8e63ee28874a2c0f2fff016258e5a3505a192
SHA256 9bbe58bc26f108090bd120292fb2aac65c17fc037e3fbe063403958bd46a8149
SHA512 d71c82261d06806e8df7bed5448221fe7e6d3f3d7543f5454112e81359238cb13f262038437fe7e907e934cc828f8bec8feb2783d51622bac5115075ca83ba12

memory/2456-34-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4AC4.bat

MD5 5e75a53caccd4897a8a4d7fed8f3ba2e
SHA1 1ac54f93f0f486f22809602d288abebbea5b2298
SHA256 ec216e6596013a2a9d280fbef9562e4f8d0aa1a5dd65946d9416324579229bd2
SHA512 0c79150a7f7ee186853dc9b70cab27d60f7818f02c9db3b7eb6be9f4b6149dc3df1a422f3773814f08b512c6fc61edabb95ba90c62b2aa30482da6ce39557150

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 7a0a4cc842cc4d8f9ce9fbb050ff7cfb
SHA1 2abef4041ba3f639fcb365a9427df2d1685f5d32
SHA256 2b3131d58f0175abc9cf7bbfacef4870821db3fc9855c876706200d18824d761
SHA512 9a764930c0fc4b8fe796952c857d8c786664267c5e760bb1c3c22cf51584dcd6c1e2da214a0b66c6cca187578b24d60408911fa2cf00ced0545a4732938cf898

memory/3400-41-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat

MD5 fb455267415a09a2aadac7245997e449
SHA1 0174a1a784e1260a1463eff3874255884f15679b
SHA256 d1f2b91de70a5169964562b367ba5e0b29858d6cbd2766ca5ce50a18c916ee6e
SHA512 c40640e5dd1dcbfa4cdd5cbaf27336ff4562abae4dfe1212c00e99dcef6dec044ff886e65c0dcbf9416a7a30b5763b351c4dcae2d93194722086c49954fb6cf1

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 36fdfa112c8964f87fe6ea00dfbaf13f
SHA1 184f2afcf27e086cbe5ad066d51fa9ea45b465b8
SHA256 16efba4ff6d80842fac37d2e135e97a215502d7f6fe1bf897993f68f129beeea
SHA512 d7b0a155fc5ad3a67cf8a7310f120a947753c6f35f6d9aca661a5e64ede5918667298380942f85bc3acde87a2b4ed5127f5bc047a76e22a2ae37032e2f9ffbb7

memory/4232-48-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat

MD5 d3de69590b0551f47e8e1b8e8f3cb636
SHA1 475d3e8c74d0f0db379cae00763dae4b23479b46
SHA256 b0ed7ded5388d3ae00195e3b2817fdb2bd7d11c452ce46937d3d9d0ac517ac2d
SHA512 0d2007e18f796911c6cedf8c2ebf6b4044f1145b802be26f7c60acb0762657d1a92b2618a4475394f30e2f763a8c3992bfe6a330ade5b56af24188fb98d131bd

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 94e7a7c4097a8be425e43e8374b3e07c
SHA1 9afcc2b390e850aa4c0eb03c8e6c9a2220731fe4
SHA256 c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8
SHA512 7e8a07547f37a6a238a8b6ed35ab05b79e4a3b205b90839887f7bae2a355a5a736272646a8b8432336598322e9e6e765f6088cf76e8112870539fe03b6b37d18

memory/5036-55-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4C4B.bat

MD5 c179d9c70789f3daebad719cfd8c1605
SHA1 66fa6ad4db4874198d0408e51eeaf8fd14259340
SHA256 fe3ad47fa2b80d072a09504d5bf11627c43385a448778cc7c6810221f9a8426e
SHA512 73d8e5ea84118656a182657ef1d40420d3d8dacf3f392f4f2a56d6af60ab3f33c77cb84897cf06b8df7c48d4d4f08655f4be329af2bc7b7f9e9bd758593d6e4a

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 bf21200d0730b76ed14331c26efd6f9a
SHA1 e50ad28d7eeff0af91450b1baa57324cd5c07e8d
SHA256 31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca
SHA512 3811b7fe345953504e8001cfdc48e53d0672b0e29cdaeb67a0ea58468313e2889483b6b8677e68fcdcfac0ac9f724ce769a955f4a66179141374b55a2259636e

memory/2240-62-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4CC8.bat

MD5 e139cd8b5c4d96e86b447be2cfd35208
SHA1 2c40341e937302659678f0312d662bf46b722388
SHA256 8da6244e112c9156fd37f68e7f1eaeca50079a9bfc94e7e2af961e1afc4eb12d
SHA512 139ee5f22f7c72c57172f22d4b20b142bdc512103fc6f9967ed3684b2850394958e422dd8ac58164690955ee5a502416fd17d97b0866587a54bc4e8debeca432

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 4d08c3836fddb6ff034253da2ddd8212
SHA1 5448488a994ae7de593802e9d55074848f7482cf
SHA256 9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7
SHA512 8a27a34fd77cdf05ff35c63524be0b2c6de8a7add0affe104468f01eabf52739add080aea2f550bca2ebff1b95d5b0e66a3bcce00dd43797dbba645447cf9e30

memory/2432-71-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4D45.bat

MD5 d18d66f8cf51d425702372e75681e912
SHA1 b5156526c03aa005ba020cab74a2d0fa84fa8d6c
SHA256 6e58103a2f51744be45999f3ecf9b79267bedfc4ecdecbd415bae97526459a8b
SHA512 c5e0a30b6f665e6a2cd6c94ee7b03625ff892b09bb667585fd7f7f0ecda1d5856ba5c5b88a893c5eb452548ff8addaa228d1ba387fa30773bad5cf7a322ce15c

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 80cb0a885f223c77b49eb94535f29be0
SHA1 c631c770d41d0b6043521c3b16838d02554ee952
SHA256 214996f8328d42c20b13e8a847d8b0b33100e5180e0a748a220e24a84ea4ceda
SHA512 91ecef3a67a184fe531e1ca7616553153c0585bf2262373a4d167b911bda73704b106c688c560a1c82cc076cc3762b2481f02ceaf31b89892f90a6fcf01f92f0

memory/5728-78-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat

MD5 0167fa7d59c347db19cb756d199e4a48
SHA1 67b7ce4235a7ac24540f8c3c468f3bfc1ff04523
SHA256 62249fba382fc1480d9d242771b5288271d437184d07452693899d9fa91811bb
SHA512 2a2637c33cfdea3dfcd18061e301c5fd693070ed482f2e190521eab1d0163e06e9e9c6e6e765380be9331bfb2aad60dd341c373e7a0a17333ca00029ceef938f

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 28bd5c3abf0b5b887d65baf1994b56a6
SHA1 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256 d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186

memory/4892-82-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4732-86-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4DF1.bat

MD5 aa6201e7a86308e7a31e691e3e7de60a
SHA1 0fed3af8033b0a991cf74d767ab1a37405f4c5df
SHA256 48b2557f438ff1b85e5592088a531525505a765f4ac8d6e37c6afa15f95d14e0
SHA512 337081ccb042ce41e7fcfd6edba367676aaa654cca77197eede10e91b55978456261dcf61890dfb612f0c720126d8bf7d7c538f5432b08945c8e31d8982377fd

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 0137dec43c77f401659bcd7a4032702c
SHA1 e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512 c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

memory/2476-93-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4E6E.bat

MD5 1fd9ae1973c081a479fd6f250154f23e
SHA1 111969bb4617820ea3b6d7782659665d506be059
SHA256 258b28ed6641051703cd6cd9cd52646da60bab69717cdc360d2a8d299efca5b4
SHA512 c515ef77d04b4cb6a3687eec4fd42f1a6cceb080b18a48a1aa70f1b92f35b733d5e81633104a73a84729c9859ab65061abf0b44a2e1bd71aaf5cbfc120acdcfe

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 f0866c2d2ab43b833b957787b4a08526
SHA1 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256 ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

memory/1672-100-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4EBC.bat

MD5 a0c214b7126db4f88c05b8ff27275218
SHA1 025ef8be4b13038d0111f655bfc0cd1313999cb5
SHA256 25bb3820bba686746104e3aa409be1f4cbd24a0513370d46b5614fe020628212
SHA512 2d0d8f08be86943e7a4f19f1fa68627748439016e4edb974302056e666d98dbf5a679260a1167a6bf3cb23e19cd3360e8c569575916d9dbcd59bab52c8469e5d

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 47db56aa979056f9beba80adc63e72ea
SHA1 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256 bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512 f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

memory/1316-108-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4F0A.bat

MD5 5389d795f4bd3ee9639be115664652c8
SHA1 647837eded7ba92900ca3a74b4cbe67abaa2eeb4
SHA256 91c5439f3fa097b2975a40e02b5c3da6c95b3e7d6d4286c283973644dbf16954
SHA512 55b0e1cf5bf32a387c30029cc50f69004b33e6ffaf59f6ce2ed4cbff2e5ad632c3382c6bdba3a7ac9dedaae563748262e3fecd2c2bc116f10c62e484fa768236

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 6d9545c6556a236a67207db368fcdce2
SHA1 b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

memory/4700-115-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4F97.bat

MD5 285e1d1fa77b9c911aade9f8b50ae1b2
SHA1 9b3058bace8173ded3f024c994889f30b1296e4f
SHA256 bb8b18b9e2a28b275aabfcbcf9c2369162f1cb1029feca3e82985fa38489ecfc
SHA512 db08293e9de2599939f936b595887a8c0a2f8869d4143f418e9d2ae68048730e7e12cf13142650576dc1b34296702650243955910069eaf718d9ab506fcd4c1b

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 a5e603ffd2f00e966f2230590c221c66
SHA1 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

memory/104-122-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat

MD5 0a6e1e30b4637b2b5bb0885567ddfde8
SHA1 8555bbeca21725c93e0fec02e1a97df5ecfe47fb
SHA256 d29702e0f902a106559e75be7c986123f7f8549ed118e1f01c3d99e1ac56a2b7
SHA512 b87afd107b0689bfbdecb6e17ea48a24cf09829267709c6bc9d53adcb6608f69ccf68a3c2f83f0c3a92319fd1707f76c019e56af7b7b229d4b862cff7bb1ef5d

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 a353218f7897ca4ea7b1ff4416fe1817
SHA1 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256 ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512 df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

memory/1004-129-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5052.bat

MD5 6e02362ca67e5efc8787f7fda48abde0
SHA1 1aa1cfdd61f44f46086b718718e84e9bf722f980
SHA256 6580d4675573bb65ba59bf448909787ecbb12dc44cfc5547cb5068f2d430c3b8
SHA512 46ab4a5e41950b2cc898e82500b5b399c1964596fb36a0eaefcaab70dd2d39a81996402a1fa953e22aebdc2b4f0285c5cc56c48468133a2dd942ecdbd74f9906

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 00428256f70551c84c7321970cdc53cd
SHA1 ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512 b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

memory/1612-136-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

MD5 ac224a083f13b58defba5d93d1d18f9b
SHA1 2bdfc20d6015c80ee3c76935c6f8e9ba47bfa72b
SHA256 9d02ac2e0d3c38b5ba9c65fb20269a38bbd5d71d60882f76800e1562261e2e2b
SHA512 6eb976885cd0deb5b06984a3a1645201cb9c0206fcac72513c341099f1d17496b10fdae37c6ea73c06b69c9d4c772c377c14ada8e7989a1edaaf07ee4630ecb7

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 e9d499bb915d58a3a58429209eb00b7d
SHA1 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256 f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512 b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

F:\$RECYCLE.BIN\S-1-5-21-2238466657-712128251-1221219315-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

memory/4908-149-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

MD5 b1341653fa68532ee381dedb67f3bf44
SHA1 e58b691eaedded9370391a295e47910cc891a122
SHA256 5cae226237de33a29793aa51bc9d2dd529b0d649036a545c4ccc10a785fe9c5e
SHA512 1ab51fbc8beede662905f7c41e25be00bd61b58c54bf302863a296015047bb3f34462fc48d2f966deb8fdaca186b44ae6893a6235033d881f54015d12f3dcdb4

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 56cf1234d82b459b0d4b0e91312d62da
SHA1 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256 c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

memory/2324-156-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a517B.bat

MD5 b4ccf659a939dfb914ac38e56ccfe943
SHA1 b00f1dc61a37397ca868fb0760ecf382a538b17f
SHA256 c0a3ec8196d9e5cedde76b83f82e39aa66322283f245c59e9467bdd2d33fd899
SHA512 d9cded0515a88aad901867562dc985191b7f2cfc80bdbf1d3431b58b9392cf625556ac673b5cb642533fbb5627fe2a71e3cfda8723949472fd7fe33ca65775c6

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512 ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

memory/3820-163-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a51E9.bat

MD5 0d8a53773806992882ee1e462ecfb7d7
SHA1 8841e704d5293ea8cad86c6fd3fc39ec48aab55a
SHA256 2ab5324fcaf0544375f50ffe22e3322b92c824361f3fb3de2ea58210cab7c835
SHA512 6b9340496825b6e334e7099f587c697cd5d95cb556aae20dcb6d8f5432359c64ce1e545ee55813fe448740ed07891278361708673c6f9abd6c5ec122a02daaf5

memory/3900-168-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3064-172-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2348-176-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1092-180-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4996-181-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4996-185-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4688-186-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4688-191-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4892-2655-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4892-10233-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5168-10240-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-30 17:43

Reported

2025-06-30 17:45

Platform

win10v2004-20250610-en

Max time kernel

149s

Max time network

132s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\WINDOWS\FONTS\150F6.com N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\WINDOWS\FONTS\150F6.com N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\150F6.com" C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLSTART\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File opened for modification C:\WINDOWS\FONTS\150F6.com C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\WINDOWS\FONTS\150F6.com C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\FONTS\150F6.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\WINDOWS\FONTS\150F6.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe N/A
N/A N/A C:\WINDOWS\FONTS\150F6.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\Logo1_.exe
PID 3184 wrote to memory of 3180 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3180 wrote to memory of 3548 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3992 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3896 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 1716 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3256 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4264 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 3392 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 2016 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 3516 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2268 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 264 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
PID 4644 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDA3.bat
C:\Windows\Logo1_.exe C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF58.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC081.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC12D.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC265.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC38E.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC479.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC544.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5F0.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC69C.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC728.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC7E4.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC851.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC91C.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC97A.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC9F7.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA74.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB01.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCBBC.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC58.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCE5.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCDA0.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE6C.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEE9.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF85.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD011.bat
C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\150F6.com
C:\WINDOWS\FONTS\150F6.com C:\WINDOWS\FONTS\150F6.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 20.42.65.85:443 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/3760-0-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3760-8-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cdaabb480b7d3c10c6f4f451c8c08d69
SHA1 667ce007c73b1d663decd86d730227569d23acbb
SHA256 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

memory/3184-9-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aBDA3.bat

MD5 6e67babb0b5202defba8aeb444a6db02
SHA1 85851594ba319d11c0feeea9db0220ec914b633c
SHA256 9792b9a5af1950ec7645375cca65bceaf45af21e5ea35fae0b13285eda7f9d04
SHA512 43b69aa1d9e43038542793cca25fe9af4d67b8c99df9abe9c85cdada6214b5d09a1b769a11ce6bbf0a868c1de6ae161c388923d944acf770939901bdb4063f3f

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 b7ef4ac77f450bdd50764ff7fb40e83d
SHA1 d46c294f7a5c420f3e2eb953f801badc1c39e47c
SHA256 a5c6ae4e19893f62a5a1c617ffaf6de4c3798a29c104bd762f751ced5bc37e2c
SHA512 bc3ad0c91fd347c70a14f1372194d783c039150b8b8cc60fba162758fc8d18a5cccd22f52dc896a5d8b7e2f8ac34007016b823254c91937e3a1e30fadad65b06

memory/3896-19-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aBF58.bat

MD5 b16999d22a2b38c4f2c7df9010530265
SHA1 aaa3220763d1718b11846cdd6d23d75188d46a8f
SHA256 ac3b839c6aeb319367d151346ece030d08b5e790b660bfece8f3ba796cb2a813
SHA512 190db4c363e562eedb1511591bd26b3d6f908e39fdd6a1720fc3dc63b55c8acd24db5c8dac3d7b4704b48af7838a26dfd46926d435e809567d8bc749b7aa8040

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 4b9090bbfb7f607d3f882346eb71a169
SHA1 e8f4ba0d869ae0cee44be9614fae66a0f747e82e
SHA256 845c138b1678dc87cc210759b3f24392641998e1ccca50ab900308f2adb61737
SHA512 2944f9c9fe1a402c8698de350d671b2579d163e0f4f0e605e98e7b1796ee1285bdbe4f3bd0556fe3dd5fba320b4887b1f53ac17cb9f825bd9bb12984eaf97dfc

memory/1716-26-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC081.bat

MD5 136c76150998f1db1c95ee466bb7c0cd
SHA1 b7ea93ed43cec960400729dc0cadd0f3795bbb6a
SHA256 343f4ce057ef7257e7c06d8a7278a0cbee9295b533ad5b65f7e201a6a1b6ce92
SHA512 da1ed082a1eb72b39baa455e30fa9b4f30c38b1490192ca3fd38fa0e75e45817be4f8366a967b27f60811d5908da1761be8c680d58a6c06bfe8d6ec6d8817198

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 0aa288c5b3ca45282e87c439a49b5c0c
SHA1 99f8e63ee28874a2c0f2fff016258e5a3505a192
SHA256 9bbe58bc26f108090bd120292fb2aac65c17fc037e3fbe063403958bd46a8149
SHA512 d71c82261d06806e8df7bed5448221fe7e6d3f3d7543f5454112e81359238cb13f262038437fe7e907e934cc828f8bec8feb2783d51622bac5115075ca83ba12

memory/3256-33-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC12D.bat

MD5 5636f2a29b48b16db2561040584c48ed
SHA1 008d81289b50a131365938a51565365e7428184f
SHA256 643aa03dc48b8363545ac74f5a8d5756e2039ca76f04cab8d0e2c327bbb0293d
SHA512 170939edbd18fc68cd229ea5fd46143a001b65b73fb2344e076093c9407dbe669fc63d8f8be8af56191eb3570c824e84ed7008b91b7b948f11e48b1f494349c3

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 7a0a4cc842cc4d8f9ce9fbb050ff7cfb
SHA1 2abef4041ba3f639fcb365a9427df2d1685f5d32
SHA256 2b3131d58f0175abc9cf7bbfacef4870821db3fc9855c876706200d18824d761
SHA512 9a764930c0fc4b8fe796952c857d8c786664267c5e760bb1c3c22cf51584dcd6c1e2da214a0b66c6cca187578b24d60408911fa2cf00ced0545a4732938cf898

memory/4264-42-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC265.bat

MD5 7c980e3d113500f61a007bbb6771e7fd
SHA1 40d1de0c73412884ae0a8c5277535a0601db6080
SHA256 007f32264f355836598424355e1f8ada2b58f89f77658e147cb4738f5b6f00b1
SHA512 e5d29feb6e820c9cb11baccfab36c415cf481efc959d3747916ce91ca77b5fc82ca099d8aa15b0e0c46e8a48aef68c76ba12de8665ce1aa4b114dbc97faff527

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 36fdfa112c8964f87fe6ea00dfbaf13f
SHA1 184f2afcf27e086cbe5ad066d51fa9ea45b465b8
SHA256 16efba4ff6d80842fac37d2e135e97a215502d7f6fe1bf897993f68f129beeea
SHA512 d7b0a155fc5ad3a67cf8a7310f120a947753c6f35f6d9aca661a5e64ede5918667298380942f85bc3acde87a2b4ed5127f5bc047a76e22a2ae37032e2f9ffbb7

memory/3392-49-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC38E.bat

MD5 0b22acc5ffedf6f4662bcb64fbf11c34
SHA1 056a07c0bf6e780b8915db1f2c86a6ce1ea4c1ff
SHA256 ee097c66d21187e05e0a578420d363945b17068c9f0ed84b9a391a7384244cac
SHA512 1225ca0dbdc4e328d3c62c66b9ebe8d93ef38847f65815db62052a68295d79c0279169c33cae0d6e26ed9d05de0a62d86ee78c50eaa7d075b6c21f3dc6e21207

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 94e7a7c4097a8be425e43e8374b3e07c
SHA1 9afcc2b390e850aa4c0eb03c8e6c9a2220731fe4
SHA256 c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8
SHA512 7e8a07547f37a6a238a8b6ed35ab05b79e4a3b205b90839887f7bae2a355a5a736272646a8b8432336598322e9e6e765f6088cf76e8112870539fe03b6b37d18

memory/2016-57-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC479.bat

MD5 c7e1eb2577ec72860f7d61c4a98ded10
SHA1 fd7a61011bbb923c9bcc6ab7cbf49f2cbfda296f
SHA256 14afe2b0f8aaeb6f164b8a87a132e9f3e9d487354b441435a80edbcb6bc20a08
SHA512 b00958baa500b60e5701525a3542730fe09737e4b8e2f29fb85ef628cf153786eaaf4d67104072e24a0bb104c3183872c9d4dc4006c821d98c3db863f971609e

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 bf21200d0730b76ed14331c26efd6f9a
SHA1 e50ad28d7eeff0af91450b1baa57324cd5c07e8d
SHA256 31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca
SHA512 3811b7fe345953504e8001cfdc48e53d0672b0e29cdaeb67a0ea58468313e2889483b6b8677e68fcdcfac0ac9f724ce769a955f4a66179141374b55a2259636e

memory/264-64-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC544.bat

MD5 e4a5d69bb1a88be6c9999a8fe7b947e6
SHA1 b860aee434a87c80f5f179ae4e913d2a375c7287
SHA256 265b4bfe000e4fad26035d1eb3a587c0a93bd600ab5e8b0f3d14f5942bbc4642
SHA512 6e5d5883bdd687e1a03ef3de1b343612da6c0aef7fc93bd63ab375ee8228f7a0cd0f61163ff4eb61474387233b7b6e5b89bae2a5cf5f05033f23b0f2ce12c3d9

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 4d08c3836fddb6ff034253da2ddd8212
SHA1 5448488a994ae7de593802e9d55074848f7482cf
SHA256 9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7
SHA512 8a27a34fd77cdf05ff35c63524be0b2c6de8a7add0affe104468f01eabf52739add080aea2f550bca2ebff1b95d5b0e66a3bcce00dd43797dbba645447cf9e30

memory/4644-71-0x0000000000400000-0x0000000000444000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2866795425-63786011-2927312124-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

C:\Users\Admin\AppData\Local\Temp\$$aC5F0.bat

MD5 6432415e8b53eeea2dbcfd05aeeee825
SHA1 2d80530337805c15bb40d34001e16a37a35c3882
SHA256 c5d43e55efcfde36c506820c218da58f3cb293ac8a4006af754e8af705b86868
SHA512 be650e612ddf55b195a6f50196e402372ebd5324d0ef74bfb3c01504ed73fc721019531430b750c7074c02e70a209d69c91344080983bddb541a8e9f9b6bf2d6

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 80cb0a885f223c77b49eb94535f29be0
SHA1 c631c770d41d0b6043521c3b16838d02554ee952
SHA256 214996f8328d42c20b13e8a847d8b0b33100e5180e0a748a220e24a84ea4ceda
SHA512 91ecef3a67a184fe531e1ca7616553153c0585bf2262373a4d167b911bda73704b106c688c560a1c82cc076cc3762b2481f02ceaf31b89892f90a6fcf01f92f0

memory/2684-84-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC69C.bat

MD5 a17ff4028ef5b91416831396b616110f
SHA1 29c0d2ae9184d4aa7df4e0dca8535c9c089a44d4
SHA256 dd25dbd825bfc460f0c751ad7874308904188eb7f38b22686a689442594ed129
SHA512 d76f6488dbfe8df4ca59c48ec77b9c61ecd6cb505928ec53e35d81202a7495e4653eab288b55c2eb98c5437ef135e1fff7a90c2f8e0efba805ec2acf7f095406

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 28bd5c3abf0b5b887d65baf1994b56a6
SHA1 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256 d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186

memory/3184-88-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1876-92-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC728.bat

MD5 2ddbb331c08a8324dbe3d3c87e1b47fc
SHA1 f72608dbaf4222c593856177c2d5eb2ca4056574
SHA256 6d65ed0059f16dae62b3a7a1efc4efb93e75b9b0e92de73ebfcbca7c5004bb23
SHA512 29a6dfe4f3ae2b000d51d2df923caab143f37992927f0dcc3f69a8324905d15ae403bae5196c5b57da26c0eeb83884708307bfc4e073387fb89341183a7bfd79

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 0137dec43c77f401659bcd7a4032702c
SHA1 e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512 c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

memory/3308-99-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC7E4.bat

MD5 2eb44e8ba5c3a87695b1bd4198fe4846
SHA1 d6b6db828e5ceecf5c8f89eb9fff0f94401c0704
SHA256 000bed5f95fe6e6525e7d10f1c1fafb02abc48803b18ba438b8f929ef2dae636
SHA512 58b5c4e9ed49f11a130a3730caf8b1495454d47fabc87eb523f4d73a4cabbaf92b6805e5dc112276250022dfea45854cc4b754ec3f48df07b9b5ff0e5472c006

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 f0866c2d2ab43b833b957787b4a08526
SHA1 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256 ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

memory/2272-106-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC851.bat

MD5 8077df0cffd46041230a29519b51835f
SHA1 9fd0f4f69afef0c677b01a40ae62e2701cccb892
SHA256 e187f0a881016794cdc8b2ce0c8c8d6ee1ac767c470326fca4e61c8cc41ffb72
SHA512 43f4ee9346aa78d43e7d702e9c88b0f933a017e476d08d8b581579a0296e2cc3012fce948c63b93a1e880b43ab2ee55faf18f402494c3dec489221930d1a8b68

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 47db56aa979056f9beba80adc63e72ea
SHA1 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256 bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512 f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

memory/3204-113-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC91C.bat

MD5 1ce260c770034d7b5fbdcee8f1c63b24
SHA1 eed5d19a34ddddc957b2254dece96a502c6a1c2f
SHA256 9a4ab06f1962e9d6e809e8543cf7be22eee994f2f486e23ab62bca99dc3db370
SHA512 69483f7cb6364d41e7651a2dc0e55d434b383c217eda398c42d5358255cb3cba8096084460a65ea525871824b27dd0f51ffca820b0d09b4cc09068fa73204b03

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 6d9545c6556a236a67207db368fcdce2
SHA1 b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

memory/4356-120-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC97A.bat

MD5 8f76eec909117cb77154f1bbc70662bf
SHA1 94791e3f09eabbf8a99b3cbe25db3b800af6d93d
SHA256 882c0ac76d3b8d3c911dddc80485f87eb7e355be84d1daa9ad17b256d7af9567
SHA512 5da68cd9109d0f401416f3e24d146182a7204de7ca618a98ad0e775d656adac09412b1ab14d23e63fe52dbdc02956cef70dd95a8692426e358534a5814ad489c

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 a5e603ffd2f00e966f2230590c221c66
SHA1 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

memory/2248-127-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC9F7.bat

MD5 1facee5320a0f47bb247fedb7af2fd10
SHA1 383c1000a5209453ea335b5c0c2baaf7699b26c4
SHA256 1e6733145c3211c20623953dcc432d5ea5d9c0e3d2259392d3bbe3ec2f674dca
SHA512 a7d54d94cbfa3eaca128d16572b4c71cd8e131ab4569c4178bee05808b3cfc57f96e9e6afd7cc3a4c0df817dc2778ec978c478b2d5128705f756110bf7ce65af

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 a353218f7897ca4ea7b1ff4416fe1817
SHA1 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256 ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512 df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

memory/3964-138-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCA74.bat

MD5 02cddda873bab2401d04269ded1bc6c1
SHA1 2a287e57679e9622ce6eaa44681b5237bd921588
SHA256 b46fc57686ba6b19e91591734c0f4b484f1888e81eb92f2c13495af76894d99a
SHA512 8cf3358a22adebe87d018d3ea70c2e35948af4d05662dfc4395df7b92001712d250b2b81917ffc9dcfb381f695ec0711e95c1f6dcb55c4d053705b62d4b84be7

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 00428256f70551c84c7321970cdc53cd
SHA1 ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512 b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

memory/4100-145-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCB01.bat

MD5 9ecba342b58092303b3274f9fd6fb8a4
SHA1 5247c9aa6b629b5eb2af7b6234e12ef33ff0e0bc
SHA256 cb1df5a2f725d4bfe9a8cdc55abbf416f6a484c9e432192672cc8b98625ac59c
SHA512 ca57a7df83c990b0791c43e1e90bc91ac90e8bcf2c52659c72f7aa852cdd83904511feb32a911ab7e6813bcc836009b1d8f53a10012c42df31b201f4f36025bf

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 e9d499bb915d58a3a58429209eb00b7d
SHA1 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256 f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512 b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

memory/3792-152-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCBBC.bat

MD5 3cf90c0b22071ac8e277c18689447503
SHA1 348aac3ccc968e9992669e9411229144ca6ba1c2
SHA256 ee57096bd04dde47da0c107d9e3abd1a49ef90d636ce0dfcb9ab04e9f1d94716
SHA512 9612e126be6479dafa17f516113099666d04c24e7d2c949c2cd5229910c63909682672773d15cc3f91e9db3005e37b36db0fcd6447bde2ab66a4c89912a04b68

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 56cf1234d82b459b0d4b0e91312d62da
SHA1 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256 c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

memory/2808-159-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCC58.bat

MD5 54855f7e2c5a3f1945f76f24cd28d937
SHA1 163de415f8686d8527c8c31c41fbdf0e0d8b2bad
SHA256 b970f656542814d40d199181fb5e88fe28027d7ebccb0e6f4afdd679ba56f3f2
SHA512 4fa0057e6021ad1bca39a26d1a6d0ffe205bf0ee6b20a3ed289d89ae0d698d387533696efaceec6ae929c1338f2d85ab9928ba7d41503135945baf3387e88b3a

C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

MD5 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512 ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

memory/4496-166-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCCE5.bat

MD5 310c7984a9d97812e32cee5095b14c11
SHA1 b2b888887e4b52432661600f6743d80dca2262a2
SHA256 a40fe6bbfbc39eade23b1b2fde17c318473a9626e8acc1393dce74cffbfb9810
SHA512 17404aae96855482ddfb6f65f71e1d2325c1882dc9ad211603cde07f1a55ddd44c05f62a2d8c426330803168aa24163fab257d7f1794d5c3fbe6e9b54602fdda

memory/2920-171-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4876-177-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2008-181-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3672-185-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1788-186-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1788-190-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2700-191-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2700-196-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3184-2110-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3184-8279-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3184-9927-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2228-9933-0x0000000000400000-0x0000000000410000-memory.dmp