39d8e3eb492914e882fdcbd45ddaa0946632e295c075bcfab3c0734e821a3363

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82e4186c76dd276ddeeae40bb38625d.exe
Size

307KB
MD5

c82e4186c76dd276ddeeae40bb38625d
SHA1

1b0c80b4977b1367464a0f7db9c4bf083fe295ec
SHA256

39d8e3eb492914e882fdcbd45ddaa0946632e295c075bcfab3c0734e821a3363
SHA512

0b7ba2ddf8f35df78204428e4a2ad676732cbd73c9e90e78a725407b0cf1bbe3132c1759eba9e314885dac037f18302d82def3bc4614ff5157d5905ffe4ce80d
SSDEEP

6144:jS8yBuXbsr+ygr/YbtdV5oVWTJbIBbboV7UXF6:jLyYsayRbHYxAn

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	c82e4186c76dd276ddeeae40bb38625d.exe

Executes dropped EXE 64 IoCs

pid	Process
1672	cft_mon.exe
2840	c82e4186c76dd276ddeeae40bb38625d.exe
1244	c82e4186c76dd276ddeeae40bb38625d.exe
720	c82e4186c76dd276ddeeae40bb38625d.exe
4056	c82e4186c76dd276ddeeae40bb38625d.exe
2472	c82e4186c76dd276ddeeae40bb38625d.exe
980	c82e4186c76dd276ddeeae40bb38625d.exe
1252	c82e4186c76dd276ddeeae40bb38625d.exe
3588	c82e4186c76dd276ddeeae40bb38625d.exe
4332	c82e4186c76dd276ddeeae40bb38625d.exe
1988	c82e4186c76dd276ddeeae40bb38625d.exe
3100	c82e4186c76dd276ddeeae40bb38625d.exe
3868	c82e4186c76dd276ddeeae40bb38625d.exe
2364	c82e4186c76dd276ddeeae40bb38625d.exe
3704	c82e4186c76dd276ddeeae40bb38625d.exe
3312	c82e4186c76dd276ddeeae40bb38625d.exe
1288	c82e4186c76dd276ddeeae40bb38625d.exe
4204	c82e4186c76dd276ddeeae40bb38625d.exe
4544	c82e4186c76dd276ddeeae40bb38625d.exe
3920	c82e4186c76dd276ddeeae40bb38625d.exe
3432	c82e4186c76dd276ddeeae40bb38625d.exe
3140	c82e4186c76dd276ddeeae40bb38625d.exe
4688	c82e4186c76dd276ddeeae40bb38625d.exe
3372	c82e4186c76dd276ddeeae40bb38625d.exe
980	c82e4186c76dd276ddeeae40bb38625d.exe
1888	c82e4186c76dd276ddeeae40bb38625d.exe
2052	c82e4186c76dd276ddeeae40bb38625d.exe
4480	c82e4186c76dd276ddeeae40bb38625d.exe
4412	c82e4186c76dd276ddeeae40bb38625d.exe
980	c82e4186c76dd276ddeeae40bb38625d.exe
3580	c82e4186c76dd276ddeeae40bb38625d.exe
3456	c82e4186c76dd276ddeeae40bb38625d.exe
4908	c82e4186c76dd276ddeeae40bb38625d.exe
4852	c82e4186c76dd276ddeeae40bb38625d.exe
3176	c82e4186c76dd276ddeeae40bb38625d.exe
1848	c82e4186c76dd276ddeeae40bb38625d.exe
4368	c82e4186c76dd276ddeeae40bb38625d.exe
1148	c82e4186c76dd276ddeeae40bb38625d.exe
4548	c82e4186c76dd276ddeeae40bb38625d.exe
2784	c82e4186c76dd276ddeeae40bb38625d.exe
2352	c82e4186c76dd276ddeeae40bb38625d.exe
2664	c82e4186c76dd276ddeeae40bb38625d.exe
4436	c82e4186c76dd276ddeeae40bb38625d.exe
1468	c82e4186c76dd276ddeeae40bb38625d.exe
4652	c82e4186c76dd276ddeeae40bb38625d.exe
1288	c82e4186c76dd276ddeeae40bb38625d.exe
3344	c82e4186c76dd276ddeeae40bb38625d.exe
2268	c82e4186c76dd276ddeeae40bb38625d.exe
4864	c82e4186c76dd276ddeeae40bb38625d.exe
4484	c82e4186c76dd276ddeeae40bb38625d.exe
3320	c82e4186c76dd276ddeeae40bb38625d.exe
1956	c82e4186c76dd276ddeeae40bb38625d.exe
2648	c82e4186c76dd276ddeeae40bb38625d.exe
4932	c82e4186c76dd276ddeeae40bb38625d.exe
2148	c82e4186c76dd276ddeeae40bb38625d.exe
4356	c82e4186c76dd276ddeeae40bb38625d.exe
4380	c82e4186c76dd276ddeeae40bb38625d.exe
2024	c82e4186c76dd276ddeeae40bb38625d.exe
2380	c82e4186c76dd276ddeeae40bb38625d.exe
3600	c82e4186c76dd276ddeeae40bb38625d.exe
2648	c82e4186c76dd276ddeeae40bb38625d.exe
1320	c82e4186c76dd276ddeeae40bb38625d.exe
3192	c82e4186c76dd276ddeeae40bb38625d.exe
3236	c82e4186c76dd276ddeeae40bb38625d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cft_mon = "\"C:\\RECYCLER\\cft_mon.exe\""	cft_mon.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	cft_mon.exe
File opened (read-only)	\??\I:	cft_mon.exe
File opened (read-only)	\??\J:	cft_mon.exe
File opened (read-only)	\??\K:	cft_mon.exe
File opened (read-only)	\??\L:	cft_mon.exe
File opened (read-only)	\??\R:	cft_mon.exe
File opened (read-only)	\??\U:	cft_mon.exe
File opened (read-only)	\??\E:	cft_mon.exe
File opened (read-only)	\??\Y:	cft_mon.exe
File opened (read-only)	\??\X:	cft_mon.exe
File opened (read-only)	\??\P:	cft_mon.exe
File opened (read-only)	\??\G:	cft_mon.exe
File opened (read-only)	\??\M:	cft_mon.exe
File opened (read-only)	\??\N:	cft_mon.exe
File opened (read-only)	\??\O:	cft_mon.exe
File opened (read-only)	\??\Q:	cft_mon.exe
File opened (read-only)	\??\S:	cft_mon.exe
File opened (read-only)	\??\T:	cft_mon.exe
File opened (read-only)	\??\V:	cft_mon.exe
File opened (read-only)	\??\B:	cft_mon.exe
File opened (read-only)	\??\Z:	cft_mon.exe
File opened (read-only)	\??\W:	cft_mon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	c82e4186c76dd276ddeeae40bb38625d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1672	1936	c82e4186c76dd276ddeeae40bb38625d.exe	88
PID 1936 wrote to memory of 1672	1936	c82e4186c76dd276ddeeae40bb38625d.exe	88
PID 1936 wrote to memory of 1672	1936	c82e4186c76dd276ddeeae40bb38625d.exe	88
PID 1672 wrote to memory of 4776	1672	cft_mon.exe	89
PID 1672 wrote to memory of 4776	1672	cft_mon.exe	89
PID 1672 wrote to memory of 4776	1672	cft_mon.exe	89
PID 1936 wrote to memory of 2840	1936	c82e4186c76dd276ddeeae40bb38625d.exe	91
PID 1936 wrote to memory of 2840	1936	c82e4186c76dd276ddeeae40bb38625d.exe	91
PID 1936 wrote to memory of 2840	1936	c82e4186c76dd276ddeeae40bb38625d.exe	91
PID 1936 wrote to memory of 3712	1936	c82e4186c76dd276ddeeae40bb38625d.exe	92
PID 1936 wrote to memory of 3712	1936	c82e4186c76dd276ddeeae40bb38625d.exe	92
PID 1936 wrote to memory of 3712	1936	c82e4186c76dd276ddeeae40bb38625d.exe	92
PID 2840 wrote to memory of 1244	2840	c82e4186c76dd276ddeeae40bb38625d.exe	94
PID 2840 wrote to memory of 1244	2840	c82e4186c76dd276ddeeae40bb38625d.exe	94
PID 2840 wrote to memory of 1244	2840	c82e4186c76dd276ddeeae40bb38625d.exe	94
PID 2840 wrote to memory of 4328	2840	c82e4186c76dd276ddeeae40bb38625d.exe	95
PID 2840 wrote to memory of 4328	2840	c82e4186c76dd276ddeeae40bb38625d.exe	95
PID 2840 wrote to memory of 4328	2840	c82e4186c76dd276ddeeae40bb38625d.exe	95
PID 1244 wrote to memory of 720	1244	c82e4186c76dd276ddeeae40bb38625d.exe	97
PID 1244 wrote to memory of 720	1244	c82e4186c76dd276ddeeae40bb38625d.exe	97
PID 1244 wrote to memory of 720	1244	c82e4186c76dd276ddeeae40bb38625d.exe	97
PID 1244 wrote to memory of 2296	1244	c82e4186c76dd276ddeeae40bb38625d.exe	98
PID 1244 wrote to memory of 2296	1244	c82e4186c76dd276ddeeae40bb38625d.exe	98
PID 1244 wrote to memory of 2296	1244	c82e4186c76dd276ddeeae40bb38625d.exe	98
PID 720 wrote to memory of 4056	720	c82e4186c76dd276ddeeae40bb38625d.exe	99
PID 720 wrote to memory of 4056	720	c82e4186c76dd276ddeeae40bb38625d.exe	99
PID 720 wrote to memory of 4056	720	c82e4186c76dd276ddeeae40bb38625d.exe	99
PID 720 wrote to memory of 3760	720	c82e4186c76dd276ddeeae40bb38625d.exe	100
PID 720 wrote to memory of 3760	720	c82e4186c76dd276ddeeae40bb38625d.exe	100
PID 720 wrote to memory of 3760	720	c82e4186c76dd276ddeeae40bb38625d.exe	100
PID 4056 wrote to memory of 2472	4056	c82e4186c76dd276ddeeae40bb38625d.exe	101
PID 4056 wrote to memory of 2472	4056	c82e4186c76dd276ddeeae40bb38625d.exe	101
PID 4056 wrote to memory of 2472	4056	c82e4186c76dd276ddeeae40bb38625d.exe	101
PID 4056 wrote to memory of 4752	4056	c82e4186c76dd276ddeeae40bb38625d.exe	102
PID 4056 wrote to memory of 4752	4056	c82e4186c76dd276ddeeae40bb38625d.exe	102
PID 4056 wrote to memory of 4752	4056	c82e4186c76dd276ddeeae40bb38625d.exe	102
PID 2472 wrote to memory of 980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	107
PID 2472 wrote to memory of 980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	107
PID 2472 wrote to memory of 980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	107
PID 2472 wrote to memory of 3980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	108
PID 2472 wrote to memory of 3980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	108
PID 2472 wrote to memory of 3980	2472	c82e4186c76dd276ddeeae40bb38625d.exe	108
PID 980 wrote to memory of 1252	980	c82e4186c76dd276ddeeae40bb38625d.exe	109
PID 980 wrote to memory of 1252	980	c82e4186c76dd276ddeeae40bb38625d.exe	109
PID 980 wrote to memory of 1252	980	c82e4186c76dd276ddeeae40bb38625d.exe	109
PID 980 wrote to memory of 1540	980	c82e4186c76dd276ddeeae40bb38625d.exe	110
PID 980 wrote to memory of 1540	980	c82e4186c76dd276ddeeae40bb38625d.exe	110
PID 980 wrote to memory of 1540	980	c82e4186c76dd276ddeeae40bb38625d.exe	110
PID 1252 wrote to memory of 3588	1252	c82e4186c76dd276ddeeae40bb38625d.exe	111
PID 1252 wrote to memory of 3588	1252	c82e4186c76dd276ddeeae40bb38625d.exe	111
PID 1252 wrote to memory of 3588	1252	c82e4186c76dd276ddeeae40bb38625d.exe	111
PID 1252 wrote to memory of 928	1252	c82e4186c76dd276ddeeae40bb38625d.exe	112
PID 1252 wrote to memory of 928	1252	c82e4186c76dd276ddeeae40bb38625d.exe	112
PID 1252 wrote to memory of 928	1252	c82e4186c76dd276ddeeae40bb38625d.exe	112
PID 3588 wrote to memory of 4332	3588	c82e4186c76dd276ddeeae40bb38625d.exe	113
PID 3588 wrote to memory of 4332	3588	c82e4186c76dd276ddeeae40bb38625d.exe	113
PID 3588 wrote to memory of 4332	3588	c82e4186c76dd276ddeeae40bb38625d.exe	113
PID 3588 wrote to memory of 2812	3588	c82e4186c76dd276ddeeae40bb38625d.exe	114
PID 3588 wrote to memory of 2812	3588	c82e4186c76dd276ddeeae40bb38625d.exe	114
PID 3588 wrote to memory of 2812	3588	c82e4186c76dd276ddeeae40bb38625d.exe	114
PID 4332 wrote to memory of 1988	4332	c82e4186c76dd276ddeeae40bb38625d.exe	116
PID 4332 wrote to memory of 1988	4332	c82e4186c76dd276ddeeae40bb38625d.exe	116
PID 4332 wrote to memory of 1988	4332	c82e4186c76dd276ddeeae40bb38625d.exe	116
PID 4332 wrote to memory of 3832	4332	c82e4186c76dd276ddeeae40bb38625d.exe	117

C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
"C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\RECYCLER\cft_mon.exe
  C:\RECYCLER\cft_mon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    /c dir "C:\Program Files (x86)\*" /s >> "C:\RECYCLER\DBXSZVGV\240610796.log"
    3⤵
    PID:4776
- C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
  "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
    "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
      "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        12⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        13⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        21⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        23⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        26⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        30⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        32⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        37⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        38⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        42⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        45⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        46⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        49⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        52⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        55⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        56⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        57⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        58⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        60⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        61⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        62⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        65⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        66⤵
        Checks computer location settings
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        67⤵
        Checks computer location settings
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        68⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        69⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        70⤵
        Checks computer location settings
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        71⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        72⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        73⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        74⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        75⤵
        Checks computer location settings
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        76⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        77⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        78⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        79⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        80⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        81⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        82⤵
        Checks computer location settings
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        83⤵
        Checks computer location settings
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        84⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        85⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        86⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        87⤵
        Checks computer location settings
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        88⤵
        Checks computer location settings
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        89⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        90⤵
        Checks computer location settings
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        91⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        92⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        93⤵
        Checks computer location settings
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        94⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        95⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        96⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        97⤵
        Checks computer location settings
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        98⤵
        Checks computer location settings
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        99⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        100⤵
        Checks computer location settings
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        101⤵
        Checks computer location settings
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        102⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        103⤵
        Checks computer location settings
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        104⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        105⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d.exe"
        106⤵
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        107⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        106⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        105⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        104⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        103⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        102⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        101⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        100⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        99⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        98⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        97⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        96⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        95⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        94⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        93⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        92⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        91⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        90⤵
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        89⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        88⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        87⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        86⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        85⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        84⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        83⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        82⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        81⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        80⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        79⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        78⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        77⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        76⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        75⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        74⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        73⤵
        
        PID:2648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        72⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        71⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        70⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        69⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        68⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        67⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        66⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        65⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        64⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        63⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        62⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        61⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        60⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        59⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        58⤵
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        57⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        56⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        55⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        54⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        53⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        52⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        51⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        50⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        49⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        48⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        47⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        46⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        45⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        44⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        43⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        42⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        41⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        40⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        39⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        38⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        37⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        36⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        35⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        34⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        33⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        32⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        31⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        30⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        29⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        28⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        27⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        26⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        25⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        24⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        23⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        22⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        21⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        20⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        19⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        18⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        17⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        16⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        15⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        14⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        13⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        12⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        10⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        6⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
        5⤵
        
        PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82E41~1.EXE
  2⤵
  PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1148

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4816

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv qwD6LC8gVkGioZFu/OSGjg.0.2
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\DBXSZVGV\dhcpinit.dll

Filesize
5KB

MD5
f2068efa276e1ab5f6e00cf6404be0c7

SHA1
899036248d6dd3e934287e95b190976d078e0af9

SHA256
f86db337fc7090db729d55b6db711abae0681babbed69283d28ac3b921539e73

SHA512
7802dca7ab4df9f788588fbfc96a5832b0f9fde26f09670eb1a9709513b5d75c651ad80fdd0e1e8c6c2c567baba65bdb8517b615c70f225fdc5ceb6f4e89ffb9

Download Submit
C:\RECYCLER\cft_mon.exe

Filesize
307KB

MD5
c82e4186c76dd276ddeeae40bb38625d

SHA1
1b0c80b4977b1367464a0f7db9c4bf083fe295ec

SHA256
39d8e3eb492914e882fdcbd45ddaa0946632e295c075bcfab3c0734e821a3363

SHA512
0b7ba2ddf8f35df78204428e4a2ad676732cbd73c9e90e78a725407b0cf1bbe3132c1759eba9e314885dac037f18302d82def3bc4614ff5157d5905ffe4ce80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c82e4186c76dd276ddeeae40bb38625d

Filesize
15KB

MD5
22e08f71493915bf4b5506ad00058b2f

SHA1
c6edd61d2864e1f68620c2831490bc699c773be3

SHA256
976004774d815996499e95dbdf011caec83f58407a94a81c7ff38f427515e21f

SHA512
754c3d7fd56d3960fb8a5691085d0bf35e85e61fc7e285940d201ba0603faaa13e79f1d2c9bc4bbf5921d83051c3778f1593b712cfd70caf76a501035ae252c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads