Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-w875vsej5x
Target e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372
SHA256 e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372

Threat Level: Shows suspicious behavior

The file e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:36

Reported

2025-07-04 18:39

Platform

win10v2004-20250610-en

Max time kernel

149s

Max time network

140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\61CBB2EE-940A-4E67-80FB-1509B77AA286\root\vfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\edge_BITS_4736_1827048842\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5552 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 5552 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\Logo1_.exe
PID 3064 wrote to memory of 1996 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1996 wrote to memory of 5548 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3640 wrote to memory of 5864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 5864 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 1956 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 3636 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 4644 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 5832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 5832 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 4708 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4768 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 4904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
PID 4692 wrote to memory of 5576 N/A C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe C:\Windows\SysWOW64\cmd.exe
PID 5576 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a32F3.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a342C.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3545.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a35F1.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3778.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3833.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a390E.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A46.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B7F.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C0B.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D34.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E2E.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F76.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a40ED.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a41E7.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43BC.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a442A.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4514.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46AA.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4727.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47B4.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a487F.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a491B.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4969.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49B7.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49F6.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A44.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A92.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AF0.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B2E.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B8C.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BDA.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C19.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C57.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CB5.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D03.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D51.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D9F.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DEE.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E3C.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E7A.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EC8.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F07.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F45.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F93.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FE2.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5030.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50AD.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510A.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5197.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5224.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52B0.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a539B.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5466.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5531.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a55DD.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a565A.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56C7.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5725.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5773.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a57C1.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a581F.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a586D.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a58CB.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a59D4.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5A51.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5AEE.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5B6B.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5BF7.bat

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

"C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5552-0-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4f07b7c07db3deeaef154a2f2c9646b0
SHA1 6ada698575fd2ce3b8041f85d04dad5bd846a03f
SHA256 5c6ca16525876afba9f88ae6809b550793501ed5c5a73b8a800d4029ff92c98c
SHA512 35d71140bddbe016fe55a1e9328b3d284b3c9d5ebe9225b062b994bff4c70555fdf81378a299ab70f1c4d37b60a18a5f8a411e63fe4562299863bb1378616a90

memory/3064-8-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5552-9-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a32F3.bat

MD5 237a5aa07bc1086092b925bc6d3ca493
SHA1 c1a01b7203034bd7add110600476b3ac09c1d15d
SHA256 6611a341c68e2311647f059bf15ea1d5a2d0edab53773f29e4ba73e3e5436725
SHA512 6dd8af822cdf47e619f7249fed4a355b50aafe6346b9e0386b1beb0a5ecd87cf642442b2de59687b167c14cdea6703f13ef013b749535b89350b2e4ccfd89d42

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 1e0a5523e45babc3142e36e4160dbdd5
SHA1 991aa5ac5c0d74575b7368289fe903227c6ce8d7
SHA256 1325b7a21b1a11dabbd4a3f3b08b1f8fe69558ec32668e86e54d1227bad665d2
SHA512 ddfb85787321bdc28b273f0ed16cb3960307bf59ac8a02ccd53e19994ac3b062701e72d2472aa54f3f2a80a2779c8732f50310d59b7c5f2c713100fdc4669450

memory/5864-19-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a342C.bat

MD5 6a93ebcbb2fef0365967a2d98b9d243d
SHA1 86f2dfd7979a35592e2d6b4f9f8e79cd2a82a127
SHA256 afb23ae89bdae4b8d032f3e647101f3aaa514aaf9341998fde71ef09c1c25d98
SHA512 ff3babc39be995e8fae9c12f1164b3d0bf83f0a4a6227f9ae1086ca37deae8c9a45ebd97fe1c210d5d94e7e3463351718cafb5bad6bb4b45ac9a42f8b10230f8

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 6c8dc2463e29ebd45779cbb988949c42
SHA1 9aad8e23f888cd03065caba6c017219f03dc6698
SHA256 258e3e7d48ecc700c78b897c32c7d80223bfe026e3970648a151d352751aaaa2
SHA512 ae5f4cc4c65885d841656db24a9dc6a506e52fb6789bde06d19f746d0f8cd3f84adb837fb0fb2a624e22a475d8ddac3c76dc5b6f32af640ec7f3c75d4feeb2db

memory/1956-26-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3545.bat

MD5 ecabe7b31aaf6f44ec1f240e5fef1e61
SHA1 e6acb162f98527f6edd79491280802907a25f313
SHA256 9bf0de2db4d255b63fc4afd329c9e390c1dfccd0ee7671d37ff5b22fd2446dfb
SHA512 da7a129b2423f480a0769bfe4268378d6728436b136d82daa9fbe7a68818da37bf5dacc18971128051c2edd48e92fcf3007f245f89235e3ec3d7ea9fe85ce3aa

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 4368a1172131176ef840ed8b19b0cf19
SHA1 38aef8a93eddfbf212f67b4b5473dd2b1e0f1e64
SHA256 d123b092e058054b7ebedfc7336ab8154adf227ac4490002ce2e3c162199681e
SHA512 1bb562a3264471b5759fc89624605628f1b4da787214ae703d04180eed3449a50c9cb3fc548aa1e600efde2498dabee06eb8f8abf398448b8c7cd36b9f7333f9

memory/3636-33-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 1cd9814c5338f08557ff6466f64ad5ec
SHA1 69cf85fda51386c90c661dcb2f50d8a5499a147f
SHA256 ed1c668ce03a25f5762781d3a1d1dc235f34256cd7dbb20110fbd02625d4b7b1
SHA512 861514154228ed88b3c6048b9660674432cac5fab171385e55a4351dae1cc11bc0442f353b48f606aaac8ec594b1e64aa6de31dbb87965bf55b9743e3498dbe6

C:\Users\Admin\AppData\Local\Temp\$$a35F1.bat

MD5 2e6d90f7f18f42863256c68fe1ec2c12
SHA1 03a6c0dd0e5bdc7cef0ee8e2affbcc8c9f89d85e
SHA256 79ab32706f87bded9589759a54f3287baa430aee5bc4923122eb9a99f79c28b5
SHA512 a98b4b96d0012a17b26cfaa38c5034ace35f22037b3dc1d9b2555875be7f254c806678423cb24ececb8a298a3db125224d3f5edeceeb6735c88694a7913940ea

memory/4644-40-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3778.bat

MD5 f0a21b92208409748598b3e2138aa65b
SHA1 2a369d5a0f59c7f683654e1d11095965c75ab274
SHA256 105a8b9658389e7000851b9069399d9c0dd550b7324196f7c7e920b2e860bcbf
SHA512 7f2d511802b1fa130746047fa52bdf5dcb21ff8a031d48ecc7758402c2dda7d18c5e6b2b0497b13964ce63ccae3dce4b6f906e58a1ac8fbbd82946121097f186

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 16fb0169f3f5252aa0b5fee0af10d296
SHA1 3d6605a58a13c4a4c2eed8dc2f118fb71f02cd7f
SHA256 b862daf4adf7e8ce0de943d1f3f390bcbd1069f8453bdd013fd14277c8f9b57b
SHA512 e071b1dc48066de0635699c638083196c416c0567ea94c93c9b7085814d3f51ace007fb7d8d1a2f4c7921f177d71eed52d28d432605ea6a9ab6ab8ee56a3464d

memory/5832-49-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3833.bat

MD5 8de8b196df6770b7b5e0c76592050a73
SHA1 6f64a6ed171a73ef1136329d43e61a61c1f7dfed
SHA256 c8bd496c6c9bcd9b45df3e6117d92952358dbca43c51323a3e4fc989cfe1c5cb
SHA512 534d88d7fcd3f03925d1e355d761fe0cee83d63ca98d43509dff66f7332a4625ace2797a58bdf0b728c447bffa14fd03e00f73f5272c714957ec9b119ec81bfd

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 7ce13849ba917269fe859bb408b5b586
SHA1 b67e0d9d204b44b6cacd99c799dd04a2195d6957
SHA256 4fe518c8871aa94541e0972853e391ac0220b2ae052610f7a05eb3c68f98ad8e
SHA512 69bf904c7d61b780acecc1b062df393dafbb15970a3b9d87ff68f273dc0cc0da7298967d35193fa51338cfe5fa366b235507491aebe02dd38bbe78141fbbc9ef

memory/4708-56-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a390E.bat

MD5 b6c3f716f1fad3b1deb35f0de407ab4e
SHA1 dddf69feddba9c52b8945b7cdd312982f250bb2d
SHA256 fc4f4765cc1a961f291b867010d89eb436a55b73391d5ca0696ea7b9bfad8f1f
SHA512 8335e0eddf8380a744570977e62c82c581d99513799e37319d84b397d9e9cf46b527017da0d282bad650c39df3e6c78c78a9bbb77fa71848597394e447aad30f

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 a292ea767d6e57a97e057a798c0ed3d1
SHA1 72a9fa3fac6220fc124019d3c2481d77a1d303da
SHA256 628dff2778a4bab46c34636bdc109d86b9779cb6b269763696b74ef2272749fe
SHA512 1f9d1516c2096b42612024374f677ba929447ec9d8ecf311f46285acf0ceacf85c86c10e06dee9ec34fda4ba4f84816d8f451a7d0cda2ccb63a2475549592398

memory/4904-64-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3A46.bat

MD5 177d9f6209d4cdd351c730bb4c336f3b
SHA1 d3c79c940d60359f5f783b88132f1c039c1d12ed
SHA256 493ba96c3d4214a1d189757bfec3412a7d8f464baad521d6fdc27d95983c5858
SHA512 36839a41375215023636c0ba9748a76a368279a7034dc2e3507323f6134246e029d566f5edb80e812a71fdad87a8ccfd59771c0026e59e8272915b150eef723f

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 78bdbbb29943e0eb2cecd328dc13fd16
SHA1 d20d3df828d039fc2d2ed96847c26cc64aa67d14
SHA256 c100533597cea236940126415add4b1579f901796a6540ea82b4433eb2740f10
SHA512 006db357eec0049c532be58d576285e1943562e59a8cbfca4cb2162df4d0a614c0f6489c5f8ecd5ae103453b107f46dbf185d1b69e65f4edaa4ff0164019f1f6

memory/4692-71-0x0000000000400000-0x0000000000445000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3001560346-2020497773-4190896137-1000\_desktop.ini

MD5 6ef23bccadc81fb82d7eeecab7166eed
SHA1 379fb55375f791483209d02402c6c359fe6afc12
SHA256 da5498ac44fd5b5f97353e6f28c673c28985ae25330f183b90a1a20b4bf4e85a
SHA512 6e10f0bfc5983272d128dfe59f9868a59098e8ae388e55a0ab9f25d85b1c979728b295f39bef985bb7ef8ff1bc9b14c5f315ead269b8cefb4aaa2e82ca0cf5b1

C:\Users\Admin\AppData\Local\Temp\$$a3B7F.bat

MD5 beb059a5df1acc60df64746cb08617e9
SHA1 bcf7ff21405e5c48cd484a895fc45681eec116d3
SHA256 177beefa6938a3b379df18df561dca484d7af89776ad8f6442488d95867cfe91
SHA512 3208a9f915d5afaed069aa2cc9468368789a01cf734149ea664374bdc2f618f8051ae55cc8e2dc1d0beaf3f997c4b7011206614c4285580582336e51239299b6

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 e762e31e231ea5f521dc5a8ab1dffeae
SHA1 48633650c37cd40fe73f59a4ffbc283570a1370f
SHA256 f7e20f3c472bbc224a037b04523b5d405bd65af0101373ea75733ca50d3702cb
SHA512 c0b58343da7b9f6ff784c2dd7e71ea250dba9fbf334ff11b4ab5c6bfc4d19c2c174d131ae138717b519344b01edea4905a17dd1c39fbbd5dd5db9616d59e4c6d

memory/2980-84-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3C0B.bat

MD5 a2271db7087144989ac4c9bd00b0b820
SHA1 3cb289a5e11e2ef8315af759b44351a5ff607746
SHA256 101d66482895417ec243073b66c8ad2ea9ba8ec78153844fb66cc249f8785082
SHA512 b35c0552a19240ff1a9316dacb335464e9297f3c582e383107917fc53da76452c5cc0b731e4e93fc0dade16fac513ed56f6033169955ef94d6eab30f6bbeec40

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 fe78a574ddecd45db11ee67f714d4acf
SHA1 788da06e7b988e604ab73e8ef1b9b81c81daea3e
SHA256 82e1cc24afb6bf3a1968e3dfe604bb40441a123528a7afb28d465d33bc8e2ffe
SHA512 9063c83ffee2906ec7d331dc90126899e456aa294b5042037024fe120c0ab33b07daaf58a6ded5cfea814e75b8a88af55b89f75111240a10d71c5633a51c02a8

memory/3064-88-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5952-92-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3D34.bat

MD5 32bdabe17ae0bf62bc99e184c47974c2
SHA1 3c79f9db15cb74012ac9d2b918feacfa063d2b12
SHA256 78e7cfec73fc74dcd22145d6ac5045570683560bb6dd8bff85a61e0130d628f1
SHA512 fa771c770cb02c48f8caa707775e4386abca61256be5f643d2eb0568fc144c617bd3af0d2c24cd2f5659ac45f7a41661779637e763543e2e0fbc8b8396129e2d

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 d331eb189e3a84f89d756ceba78cce34
SHA1 6f01a1808a62fcdb43066259a915d336930f6bb9
SHA256 212833dcdc84d3ab69c6ed2a67547f5fb267fa620f373734887376758d9111c9
SHA512 daf152f89d6e4c2f3afc94ec804333fee86795a7a0b861af515a4293130c5bda8995bf72b5b8705d22dbea63085ff564166ac807a3eb424005349448bf5d6fb9

memory/2388-99-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3E2E.bat

MD5 af98b40cf23665eab9686628c9772205
SHA1 87782ee1caea1b3d488137bb78fec5db5b5e5f0b
SHA256 015be87a5bb10ecae722b1fb4019d9b68de8058387be889c14c6f4635c34048e
SHA512 534426dfd73eea0243c767d6eb79af82aa89b360fc4e0988ecdf82feb16157a90384074929a2341f08f9f777359294f9869b002550061d349c59574c977a825f

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 2f1d6a074bc8aabef88d8c74263295a3
SHA1 a1d3d2b1f81855556e429d0141c89eff81f83c25
SHA256 b2ef6ee3e396ca758eacdbffa58540a31028c4bcdaac85a1e75a0c750033af68
SHA512 fe5caaf9b06924e179f502bdaafd9ea332f8b4cb3fb0d9867d4aaab232701649c439bf91989a3e5fa995297a3c58af7e48bebba297206a6a55087600e97138c4

memory/4208-106-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3F76.bat

MD5 c42a477147a8275fb1b262eab327681f
SHA1 74c0a079c4bc224ecf3a3b4092b0fea875108c33
SHA256 1ebef5006b361fed8d4c9d221d3667cda252cfd18846d97eb677a2aa16ee3029
SHA512 12aaae1fad1da3610a5a9b7c1667b901826c90305cddcaa0b112ed389e500bd46f2d4a2fbe2459193cdeace282edde1df5f6fbb15d46babce20e0de7f1576552

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 18d59a2804caf793d68cbefb7d3b7960
SHA1 1d22e8f4550e3a910ff922a68249438904005b02
SHA256 91bee9909392689f25b0545299a24c6bf02ea24c4ce55114315822553265a2d9
SHA512 4d3158a1a58dede9354eb0cfae08440273f60d950eb76bd505ade89e62b48a062db27f44d1a7d93c5144da3cef78bc1aaa5d713d235886d9d57cd73a186e37d8

memory/5000-117-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a40ED.bat

MD5 fab74b301a4d5027805b0bd1f860fbac
SHA1 3831ebc450758838fd86fabbebb1769951145e38
SHA256 6e2bfd20d133174addf5a5c050827de2ee862fe5e040806cdda0e57c0bea2c11
SHA512 b9ec516c4ad72d2a1ad60a94d580d12ba8ffaa4466aa9cbd4592bac13ca07a6a3fe2d0041acf6e73ff2068d095257ea4bd313c260b243e4470dc352141849903

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 901c97086ed57a2872a454c0e8e88ff8
SHA1 5e671ab08bd0bb410eb58dd69ea09fa6554e8060
SHA256 56dfc928211aff209850ab2a12d64d82087df2d9c39d2e385abbfee47359b482
SHA512 9809d50d53a36e7fdb858443e4cee05e31b65fac683c28a874e21991343a48b9088f4e5f3406c8190cad2072807e8f5a89385bb0c53352f0b77b8f29e9ef6ab1

memory/5112-124-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a41E7.bat

MD5 e7245a53fed62a13f979f85c9e00cdcd
SHA1 f5e7e975faba2b60c27fd7509cbd02fbf1d8fa51
SHA256 8b3b00de2533da64ddf49809575730c5c4a332202e9647cfdbb76fc203e2faf8
SHA512 4f6654b9fdfe1e7da5e44251cb712564c7e41eaa6b46c8d147a8ed786f0e259edd8361c1e5ae310d364850a11a45304b37c73dc80fd0adad9689c851dcbd6566

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 6b2be4444f38e438fd7e6ed1c06bace1
SHA1 ab773cc4dae11545fe09384748e947004489a34b
SHA256 8f33ce5f3739665f066dd14f8aeaecd7e07b1354ae6d5794d383d619363aecbb
SHA512 469d0a32f195bf37437d6def7df14c253ab0a09daac0abdcb8d4ae233728846ce739b10d45237ab3524fe16ed6c8c2acacfbfc9ca86eb5279871cd296c2fae7d

memory/760-131-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a43BC.bat

MD5 634b3f68f68e2541469832e2cb395978
SHA1 4f8276ab6d00382376d6e5bbb4c276224ed18252
SHA256 06faaf4d5878d0734d56c95e302647125e4763016967ed21687a5f4f7fd33538
SHA512 ab7731454c648aa88839a2f66599e652b10055ec2485ad18a6215c6d875cfe4f1bc9b30d95e9da660274ae646590d5a4361d5dec7946d70dea610778c8f1737c

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 b83c6feed8dddd69dfc03f3b6f3c7aa7
SHA1 96d25b9c3eeff821832ca8977ad67e1e03bd4abe
SHA256 d4a96e5bc8e0a811b0785a1ed39a62fcbf73a0d0c17db34ca0563a3c9460c7f3
SHA512 3a694bc9ff547cb1075c59562db1a8591a783515adf4c40bcf645d14fdbb48b78bcf0d3de1852f6e14cc8baada828b48cf5bf9db1d30c2aef05894c28b587468

memory/2392-140-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a442A.bat

MD5 15f7f1d027a290fd8e5a514aa29130a1
SHA1 35f515b533f10979c81329fa1d9ae4c39f2ab9ba
SHA256 ed730f39a89b08e495108d79b715817229f0324ba054839f452181aaf68716b8
SHA512 b280137a3263282c163fb9eac52261382a56f5455b6928d603f82bd87c5a722cf5e478c1d904f8cd9b65b0b9eeb5d94a3e2122715642ea5e2f1c9d42dc47ebf0

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 21cd478234863aa37c502dfa4b37fdde
SHA1 0c4b0bc91cda1f2856da0e950388f3183d5016bc
SHA256 67ab6ed469984c8f12dae23b9f8856b15fde356e30bd89e41b1a337a4311380e
SHA512 2824878ef8406e951075636d22682fb9bcd8beea3ef095e5928923334af766b73cdf0dc6f7f3a5239cb04732bb723c019c8508d01cc9cd773f21578c23b6d51a

memory/2500-147-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4514.bat

MD5 e9c6a68cd10a0303f548ef583c1f6d72
SHA1 fe9617b0f626e573a8aac1302683b97628b8b7af
SHA256 517b48681312d82b8611ce1bef694bf6d7edccaf8fed2be5a718e2643a3105be
SHA512 84ecc728288f3d78823ad17077578ba3addaa393535730553df9d36c2b009c3ba0f5098803e267dfe54646b7abfc92f09fc0fc76411fd3bf6a18370b19683a5b

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 3cd1150bc5f1f8065176bab33f61766a
SHA1 5e133b17cbf554ae1a2644c106777888c745c5ec
SHA256 05e6d501fd9d6949604da5380f6df6e6fcfebf82a2afbf9be7439f7314bbfe7c
SHA512 a17ac53fca8a984acfad36b410ab78e1dded49ba99d99cb6c4b59e3fa425fd22ce39d8c557e0fd2173a45faa63cd863ed28f23b60602f8b2ba2827cf83894ba3

memory/1668-154-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a46AA.bat

MD5 f1ca8fc44d15265a1b6daa389d4baf4d
SHA1 3bba61ca296500864d0cf10779aadc8aa2ae11a9
SHA256 71d11af704eb9f83266574ad9d638f5a21a6a5d3e1c207643c5ee65d8302651c
SHA512 1e67ba98bf05c17cb079bbf304f9362c16252f5e29a48c166b33d679a4f6fa73c0bb370d15a604c8e49fd5b116236d94a14bcf119fff1814b52fc06fc168b932

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe.exe

MD5 3508da2b8eb2465d6e77a8d1b71d78c8
SHA1 0c708231603469c529b67597cae21c948c81820a
SHA256 39f6fe673ffbffdd9bad3df825ec3145536cc1e594fe8baa1cae74a8c9432e97
SHA512 f58e07b37878c9f32e8f6dfe0425eb662216224d142b831b66f5934c570c051a57466b48bf998adfb2fbf842326f160fae4608c5dda2f3258f817d07f94c82c9

memory/2980-158-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2824-162-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4727.bat

MD5 e10afb5b413a8866cf18c149e605a194
SHA1 17f375ab3584f1ddb7a3986ce71e810d4866c668
SHA256 818602282dda83c6dfd1510e4529625ea007c281fe81c312c3a8e2e0fc423128
SHA512 a8d78379dfffde4c61a292610988738ed6d8feded448a1275a9377cb2d41dad5b5f213231cca672b3ebe6863c90a99a4013468b4a41b34ec6952cedfb20d27e4

C:\Users\Admin\AppData\Local\Temp\$$a47B4.bat

MD5 aab1aaed9af1d3a0e787887c24d7ba0a
SHA1 0f3a6441be636755dab3d5749ae446c4d0e63ba7
SHA256 a2c44bf9c5d9de0a454ba94e5d1a0c0180c5932075f782f69a9a82e3a58d4b89
SHA512 8ec56238633d10b7c6d1d9cccb51f07ac4956358ebdf0828bf0bd393953701672807013eeefd479b52bc6d08331efe266b138053a6b2ee9fdebb9d830eb3bde8

memory/1152-169-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe

MD5 29b7786fea75b518b5e158fd5ee67f46
SHA1 591942b65e539cd5f383706569dba88b01e07781
SHA256 b3db9bba56345f60f7ca40641e442b6585b6b77a3fc487441a16ba3df4ceb8cf
SHA512 e74f2f93ff48799deaced5fea7905e17529fc6a0f38bc16d6c583cbf9532e2f398a6ce295e38f5c4d70cfaea870c089dc54c0e2fa5238172dd4f80d001029a67

memory/2736-176-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4340-180-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3628-184-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5924-188-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5976-192-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3980-196-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4532-200-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1600-204-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4356-208-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4604-212-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4108-216-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4912-220-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4832-226-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4696-230-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3256-234-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5952-238-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5636-242-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2144-246-0x0000000000400000-0x0000000000445000-memory.dmp

memory/6000-250-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5532-254-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1724-258-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1904-262-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2256-266-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5680-270-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4360-274-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3704-294-0x0000000000400000-0x0000000000445000-memory.dmp

memory/624-352-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4084-448-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5376-559-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4092-672-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3612-862-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4396-1178-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4604-1568-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5336-1774-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2988-1926-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2684-2076-0x0000000000400000-0x0000000000445000-memory.dmp

memory/212-2108-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4388-2112-0x0000000000400000-0x0000000000445000-memory.dmp

memory/180-2116-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5292-2120-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3748-2124-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1640-2128-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1020-2132-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5484-2137-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2060-2143-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4860-2304-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1632-2431-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1324-2562-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1324-2585-0x0000000000400000-0x0000000000445000-memory.dmp