Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 02:11
Static task: static1
Behavioral task: behavioral1
Sample: e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631.exe
Resource: win10v2004-20220812-en
General
Target: e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631.exe
Size: 447KB
MD5: 58ae815d5b7ad4577317beffcae3d580
SHA1: fea4373e6988f5f4f09304550c2e3210dcd6b34c
SHA256: e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631
SHA512: c86b724d3e237c361592f297085477fb89fa91f690b31d1bd7c20c6f474ba2e87085028fd81704c3139b16e876c615d71a96eb351e4352f7e504b2485829dc68
SSDEEP: 6144:EXhCRhrDPqNSDyDRO1thpwNSDyDIkFthphZX:vR9PySDyo1tjUSDyTFtjhZ
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(one entry per process, numbered by nesting depth in the tree; image path, then command line, then PID; signatures matched by that process listed beneath it)

1. C:\Users\Admin\AppData\Local\Temp\e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631.exe  "C:\Users\Admin\AppData\Local\Temp\e4c13e304ed59bf52f1ec0dc2cad2f905d3f48ebad56bba4f28a58e51c90d631.exe"  PID:1896
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3600
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\tmp240586421.exe  C:\Users\Admin\AppData\Local\Temp\tmp240586421.exe  PID:2368
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3408
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\tmp240586890.exe  C:\Users\Admin\AppData\Local\Temp\tmp240586890.exe  PID:4984
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4820
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe  C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe  PID:4832
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:5048
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Users\Admin\AppData\Local\Temp\tmp240587812.exe  C:\Users\Admin\AppData\Local\Temp\tmp240587812.exe  PID:4620
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4576
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Users\Admin\AppData\Local\Temp\tmp240588281.exe  C:\Users\Admin\AppData\Local\Temp\tmp240588281.exe  PID:4256
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3908
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Users\Admin\AppData\Local\Temp\tmp240588843.exe  C:\Users\Admin\AppData\Local\Temp\tmp240588843.exe  PID:5016
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4480
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe  C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe  PID:4352
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4588
   - Executes dropped EXE
17. C:\Users\Admin\AppData\Local\Temp\tmp240589796.exe  C:\Users\Admin\AppData\Local\Temp\tmp240589796.exe  PID:4396
   - Executes dropped EXE
18. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1792
   - Executes dropped EXE
19. C:\Users\Admin\AppData\Local\Temp\tmp240590296.exe  C:\Users\Admin\AppData\Local\Temp\tmp240590296.exe  PID:1196
   - Executes dropped EXE
20. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4944
   - Executes dropped EXE
21. C:\Users\Admin\AppData\Local\Temp\tmp240590906.exe  C:\Users\Admin\AppData\Local\Temp\tmp240590906.exe  PID:2768
   - Executes dropped EXE
   - Drops file in System32 directory
22. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:5004
   - Executes dropped EXE
23. C:\Users\Admin\AppData\Local\Temp\tmp240591375.exe  C:\Users\Admin\AppData\Local\Temp\tmp240591375.exe  PID:1504
   - Executes dropped EXE
24. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4224
   - Executes dropped EXE
25. C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe  C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe  PID:3664
   - Executes dropped EXE
26. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1852
   - Executes dropped EXE
27. C:\Users\Admin\AppData\Local\Temp\tmp240592062.exe  C:\Users\Admin\AppData\Local\Temp\tmp240592062.exe  PID:4344
   - Executes dropped EXE
28. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1736
   - Executes dropped EXE
29. C:\Users\Admin\AppData\Local\Temp\tmp240592359.exe  C:\Users\Admin\AppData\Local\Temp\tmp240592359.exe  PID:4928
   - Executes dropped EXE
30. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2420
   - Executes dropped EXE
31. C:\Users\Admin\AppData\Local\Temp\tmp240592953.exe  C:\Users\Admin\AppData\Local\Temp\tmp240592953.exe  PID:4948
   - Executes dropped EXE
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2684
   - Executes dropped EXE
33. C:\Users\Admin\AppData\Local\Temp\tmp240593328.exe  C:\Users\Admin\AppData\Local\Temp\tmp240593328.exe  PID:4940
   - Executes dropped EXE
34. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3208
   - Executes dropped EXE
35. C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe  C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe  PID:1896
   - Executes dropped EXE
36. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4648
   - Executes dropped EXE
37. C:\Users\Admin\AppData\Local\Temp\tmp240594171.exe  C:\Users\Admin\AppData\Local\Temp\tmp240594171.exe  PID:688
   - Executes dropped EXE
38. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1968
   - Executes dropped EXE
39. C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe  C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe  PID:928
   - Executes dropped EXE
   - Checks computer location settings
40. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3564
   - Executes dropped EXE
41. C:\Users\Admin\AppData\Local\Temp\tmp240594750.exe  C:\Users\Admin\AppData\Local\Temp\tmp240594750.exe  PID:8
   - Executes dropped EXE
42. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4468
   - Executes dropped EXE
43. C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe  C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe  PID:2384
   - Executes dropped EXE
44. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:5048
   - Executes dropped EXE
45. C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe  C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe  PID:1988
46. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4512
47. C:\Users\Admin\AppData\Local\Temp\tmp240595593.exe  C:\Users\Admin\AppData\Local\Temp\tmp240595593.exe  PID:4184
48. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2436
49. C:\Users\Admin\AppData\Local\Temp\tmp240595828.exe  C:\Users\Admin\AppData\Local\Temp\tmp240595828.exe  PID:1924
50. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3192
51. C:\Users\Admin\AppData\Local\Temp\tmp240596109.exe  C:\Users\Admin\AppData\Local\Temp\tmp240596109.exe  PID:3092
52. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:336
53. C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe  C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe  PID:220
54. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:776
55. C:\Users\Admin\AppData\Local\Temp\tmp240596656.exe  C:\Users\Admin\AppData\Local\Temp\tmp240596656.exe  PID:3184
   - Modifies registry class
56. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3200
57. C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe  C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe  PID:4596
58. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:312
59. C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe  C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe  PID:3592
60. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2956
61. C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe  C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe  PID:5056
62. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3884
63. C:\Users\Admin\AppData\Local\Temp\tmp240597875.exe  C:\Users\Admin\AppData\Local\Temp\tmp240597875.exe  PID:3244
   - Modifies registry class
64. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1680
65. C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe  C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe  PID:3052
   - Checks computer location settings
66. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1704
67. C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe  C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe  PID:1504
68. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1312
69. C:\Users\Admin\AppData\Local\Temp\tmp240599281.exe  C:\Users\Admin\AppData\Local\Temp\tmp240599281.exe  PID:4692
   - Checks computer location settings
   - Modifies registry class
70. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2428
71. C:\Users\Admin\AppData\Local\Temp\tmp240599531.exe  C:\Users\Admin\AppData\Local\Temp\tmp240599531.exe  PID:3736
72. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2424
73. C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe  C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe  PID:4948
   - Checks computer location settings
74. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2316
75. C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe  C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe  PID:4116
76. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4112
77. C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe  C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe  PID:3044
78. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3684
79. C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe  C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe  PID:3996
   - Modifies registry class
80. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:5032
81. C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe  C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe  PID:4860
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3564
83. C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe  C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe  PID:412
84. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3188
85. C:\Users\Admin\AppData\Local\Temp\tmp240601734.exe  C:\Users\Admin\AppData\Local\Temp\tmp240601734.exe  PID:4552
86. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:888
87. C:\Users\Admin\AppData\Local\Temp\tmp240602171.exe  C:\Users\Admin\AppData\Local\Temp\tmp240602171.exe  PID:4464
88. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4492
89. C:\Users\Admin\AppData\Local\Temp\tmp240602484.exe  C:\Users\Admin\AppData\Local\Temp\tmp240602484.exe  PID:4636
90. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1388
91. C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe  C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe  PID:3248
92. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4192
93. C:\Users\Admin\AppData\Local\Temp\tmp240603015.exe  C:\Users\Admin\AppData\Local\Temp\tmp240603015.exe  PID:4532
94. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4480
95. C:\Users\Admin\AppData\Local\Temp\tmp240603296.exe  C:\Users\Admin\AppData\Local\Temp\tmp240603296.exe  PID:1076
96. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1496
97. C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe  C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe  PID:1048
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4396
99. C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe  C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe  PID:4400
100. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:496
101. C:\Users\Admin\AppData\Local\Temp\tmp240604593.exe  C:\Users\Admin\AppData\Local\Temp\tmp240604593.exe  PID:4412
102. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:1196
103. C:\Users\Admin\AppData\Local\Temp\tmp240604859.exe  C:\Users\Admin\AppData\Local\Temp\tmp240604859.exe  PID:4920
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3884
105. C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe  C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe  PID:3760
106. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:5068
107. C:\Users\Admin\AppData\Local\Temp\tmp240605390.exe  C:\Users\Admin\AppData\Local\Temp\tmp240605390.exe  PID:744
108. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:708
109. C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe  C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe  PID:3664
   - Checks computer location settings
110. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4696
111. C:\Users\Admin\AppData\Local\Temp\tmp240606093.exe  C:\Users\Admin\AppData\Local\Temp\tmp240606093.exe  PID:1708
   - Drops file in System32 directory
112. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4776
113. C:\Users\Admin\AppData\Local\Temp\tmp240606406.exe  C:\Users\Admin\AppData\Local\Temp\tmp240606406.exe  PID:2532
   - Modifies registry class
114. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4136
115. C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe  C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe  PID:1956
   - Drops file in System32 directory
116. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4968
117. C:\Users\Admin\AppData\Local\Temp\tmp240607000.exe  C:\Users\Admin\AppData\Local\Temp\tmp240607000.exe  PID:3032
118. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:3556
119. C:\Users\Admin\AppData\Local\Temp\tmp240607265.exe  C:\Users\Admin\AppData\Local\Temp\tmp240607265.exe  PID:3044
   - Modifies registry class
120. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:2220
121. C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe  C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe  PID:4436
122. C:\Windows\SysWOW64\notpad.exe  "C:\Windows\system32\notpad.exe"  PID:4832