Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-vy3lyscp4t
Target 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5
SHA256 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5

Threat Level: Shows suspicious behavior

The file 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:24

Reported

2025-07-04 17:27

Platform

win10v2004-20250610-en

Max time kernel

150s

Max time network

139s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Install\{02C940F5-79D4-4B0D-9F60-3476E3E73CC9}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\EBWebView\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\edge_BITS_4560_31636808\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\EBWebView\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 6076 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\Logo1_.exe
PID 1568 wrote to memory of 5388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5388 wrote to memory of 3852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1744 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 1576 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 3312 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4532 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 4736 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 3552 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 1956 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\System32\Conhost.exe
PID 1780 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 1360 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 3388 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 5220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 5220 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
PID 4404 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9470.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a952B.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C11.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA2F7.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8C3.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD57.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB229.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB630.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA09.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE4F.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1AA.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5B1.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC861.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCAD2.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCF5.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF08.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1B7.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD438.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD68A.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD92A.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBBA.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDD9E.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE89.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDFD1.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE0BB.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE167.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE203.bat

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe

"C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

C:\Windows\SysWOW64\cmd.exe


Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/6076-0-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4f07b7c07db3deeaef154a2f2c9646b0
SHA1 6ada698575fd2ce3b8041f85d04dad5bd846a03f
SHA256 5c6ca16525876afba9f88ae6809b550793501ed5c5a73b8a800d4029ff92c98c
SHA512 35d71140bddbe016fe55a1e9328b3d284b3c9d5ebe9225b062b994bff4c70555fdf81378a299ab70f1c4d37b60a18a5f8a411e63fe4562299863bb1378616a90

memory/6076-11-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1568-8-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a9470.bat

MD5 6059e7dc46a6ecb484e43c2a1594a5dc
SHA1 ad1d0afe17f29455e9248aef1f1b414257c3b1be
SHA256 cae0fad362517ac22ec30049a49bb29eebcfd19cb41b797c7b08f8e52a91adbe
SHA512 5f6348aa995098ddfbf82d30ec77877ae8e1fc9b956c609d1e9476d88544b74fb43e93194c0e5a93993036316e519e51be9c03e0935f99da3d15ce2fddccd047

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe.exe

MD5 90432b7ffbc66d45a57f10c2455cdd06
SHA1 c18c26e82e723839372762dce4c2db3e597802c0
SHA256 c3d6449bd1f5a68cc80ed2c2a0f553023c6fa81feb9a624f46ea555eec1faa34
SHA512 fc9f163e43ef2db6c2784a4272e1db3f741d0a71ba874872c14c0a9c976f035331496e28ead3170463623c318be0578d3f5649f36251fd4de19aa7a33e794a68

memory/1576-20-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a952B.bat

MD5 31cf8b4e82eb39d712ce8d7ec26f326c
SHA1 9bef11196364a8a13d0fc79b4d354fc7fc807d00
SHA256 6478b1d28e0e6e52cc080912dd1b40877e9250d0000ee51658a3b2aad3e04dbe
SHA512 b71604b861d3918208d7d6ed97c11e573ca0f1474503ff642d4922f9122bb29dfc489f8ed8874a86e1cd9926ed27a2ac4065a8b301be637d5d8f359fc2c794bb

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe.exe

MD5 622ff6aba44e303d8c373f122a6d5a1e
SHA1 affcd71c6d7fffcc17f3734cdd76bdcef18d796e
SHA256 df16cb5ed617b5fce6a370b7deb625070859b806e64e4b35af4810297e20a529
SHA512 2c3d82f6b68a616cfdd5470812828ed0fbda2b56d6373b672909aa1d4574e45efefec18d952affb644710c9ae2090df3430e1b0611736d6ef20e4d427be2dfbf

memory/4736-30-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a9C11.bat

MD5 160840e864cba31d5d082b9be58fae1f
SHA1 1965f1ca059439b6ec2e405270a6fbd088a80616
SHA256 02a0ccf9b1405e2816ec2f180bfbbedac21e567c859ecf7014a8c69f1415fc36
SHA512 e5dad376970df8655b2da65a4d87e15466b36e7da5ff9704bb8c452a082d084d4cf693fe674d3d4967247d9c8156ff16d08d806756edacae02f11a0bc3ed4ae0

F:\$RECYCLE.BIN\S-1-5-21-2012121138-1878458325-808874697-1000\_desktop.ini

MD5 6ef23bccadc81fb82d7eeecab7166eed
SHA1 379fb55375f791483209d02402c6c359fe6afc12
SHA256 da5498ac44fd5b5f97353e6f28c673c28985ae25330f183b90a1a20b4bf4e85a
SHA512 6e10f0bfc5983272d128dfe59f9868a59098e8ae388e55a0ab9f25d85b1c979728b295f39bef985bb7ef8ff1bc9b14c5f315ead269b8cefb4aaa2e82ca0cf5b1

C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe.exe

MD5 de29e16ff16ef413bcb509057ecb1a2a
SHA1 77361fa0e1e9c7a2412aa97562795e23169e2721
SHA256 ec3c61d1526cc39a222b16ecfa670c34be2702dcbb5cc440cd93c7a7a6cc56f5
SHA512 fb7dd76cf7ecf44bbf8fc0f9343ab4f249f7b31164550d2b71b3913d75849ffeeba1a26e8e2deb4f99182050fd87c0d65f6f80a987fe3ea13f016d5e4c23047a

memory/3552-47-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aA2F7.bat

C:\Users\Admin\AppData\Local\Temp\$$aA8C3.bat

C:\Users\Admin\AppData\Local\Temp\$$aAD57.bat

C:\Users\Admin\AppData\Local\Temp\$$aB229.bat

C:\Users\Admin\AppData\Local\Temp\$$aB630.bat

C:\Users\Admin\AppData\Local\Temp\$$aBA09.bat

C:\Users\Admin\AppData\Local\Temp\$$aBE4F.bat

C:\Users\Admin\AppData\Local\Temp\$$aC1AA.bat

C:\Users\Admin\AppData\Local\Temp\$$aC5B1.bat

C:\Users\Admin\AppData\Local\Temp\$$aC861.bat

C:\Users\Admin\AppData\Local\Temp\$$aCAD2.bat

C:\Users\Admin\AppData\Local\Temp\$$aCCF5.bat

C:\Users\Admin\AppData\Local\Temp\$$aCF08.bat

C:\Users\Admin\AppData\Local\Temp\$$aD1B7.bat

C:\Users\Admin\AppData\Local\Temp\$$aD438.bat

C:\Users\Admin\AppData\Local\Temp\$$aD68A.bat

C:\Users\Admin\AppData\Local\Temp\$$aD92A.bat

C:\Users\Admin\AppData\Local\Temp\$$aDBBA.bat
