c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f

Analysis

max time kernel
126s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
Size

417KB
MD5

0d11186c3f51c46ed8f1899275cb5eb6
SHA1

00dc60a9fcc6cd3241984b7f4f62a39143b56608
SHA256

c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f
SHA512

84e2ee4b4079fdd2606e0ea3532120ab876262165ac2346c778abb89fe771c0c696ffd568025c01316fd18c8e7fae896f118f62c8ada45629da796d0cae6e09c
SSDEEP

6144:HPOXhCRhrDPePOXhCRhrDPuPOXhCRhrDPGJDJ:HPhR9PePhR9PuPhR9PGJDJ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2288	tmp240550468.exe
2456	tmp240550500.exe
1692	tmp240550593.exe
2224	tmp240550625.exe
1792	tmp240550890.exe
3280	tmp240551281.exe
3688	notpad.exe
1040	tmp240552062.exe
1152	tmp240552109.exe
3520	notpad.exe
4576	tmp240552328.exe
5088	tmp240552375.exe
1280	notpad.exe
3340	tmp240552593.exe
4716	tmp240553703.exe
4368	notpad.exe
1640	tmp240553906.exe
1916	tmp240553921.exe
1576	notpad.exe
1912	tmp240554140.exe
952	tmp240554156.exe
1704	notpad.exe
3212	tmp240554421.exe
4984	tmp240554468.exe
4416	notpad.exe
1116	tmp240554703.exe
4292	tmp240554718.exe
3240	notpad.exe
3672	tmp240554859.exe
3716	tmp240554875.exe
4816	notpad.exe
3856	tmp240555000.exe
2916	tmp240555031.exe
4224	notpad.exe
4088	tmp240555187.exe
4448	tmp240555203.exe
2812	notpad.exe
1724	tmp240555343.exe
1688	tmp240555375.exe
2280	notpad.exe
3016	tmp240555515.exe
3568	tmp240555531.exe
3132	notpad.exe
2800	tmp240555656.exe
3000	tmp240555671.exe
3076	notpad.exe
1992	tmp240555796.exe
3424	tmp240555812.exe
4660	notpad.exe
4052	tmp240555937.exe
8	tmp240555953.exe
1512	notpad.exe
3888	tmp240556125.exe
632	tmp240556140.exe
1764	notpad.exe
2856	tmp240556421.exe
2880	tmp240556500.exe
4960	notpad.exe
5016	tmp240556750.exe
2764	tmp240556796.exe
3464	notpad.exe
1192	tmp240557031.exe
3912	tmp240557046.exe
3916	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3836-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0009000000022dd4-137.dat	upx
behavioral2/files/0x0009000000022dd4-138.dat	upx
behavioral2/files/0x0007000000022de9-143.dat	upx
behavioral2/files/0x0007000000022de9-144.dat	upx
behavioral2/memory/2456-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2224-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2224-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3836-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-156.dat	upx
behavioral2/files/0x0008000000022df9-157.dat	upx
behavioral2/memory/3688-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df2-162.dat	upx
behavioral2/files/0x0008000000022df9-168.dat	upx
behavioral2/memory/3520-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df2-172.dat	upx
behavioral2/files/0x0008000000022df9-178.dat	upx
behavioral2/memory/1280-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df2-183.dat	upx
behavioral2/memory/1280-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-189.dat	upx
behavioral2/memory/4368-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df2-193.dat	upx
behavioral2/files/0x0008000000022df9-199.dat	upx
behavioral2/files/0x0008000000022df2-204.dat	upx
behavioral2/memory/1576-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-209.dat	upx
behavioral2/files/0x0008000000022df2-213.dat	upx
behavioral2/memory/1704-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-219.dat	upx
behavioral2/files/0x0008000000022df2-224.dat	upx
behavioral2/memory/4416-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3240-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4816-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-239.dat	upx
behavioral2/files/0x0008000000022df2-234.dat	upx
behavioral2/files/0x0008000000022df9-229.dat	upx
behavioral2/memory/4224-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2812-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2280-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3132-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3076-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4660-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1512-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1764-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3464-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3916-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4140-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4964-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/788-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5108-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2128-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1560-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3540-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3540-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2560-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1620-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1576-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1524-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2904-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3732-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3720-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2416-302-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240556750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240561062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240563109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240554140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240554421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240557703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240556421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240597906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240593484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240596312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240557953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240560000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240560890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240561843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240563812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240593671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240593859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240596484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240559562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240563359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240603125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240553906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240595265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240595781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240600812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240600421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240559093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240562765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240596687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240600984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240552062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240554703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240559781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240592843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240593031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240600609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240552328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240554859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240556125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240557484.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240593859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240593859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240594671.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240601390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240555656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240563109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240561843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240562203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240593281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240602921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240554421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240555343.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240562203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240563812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240556421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240558140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240593031.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240602156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240555187.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240563625.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240597312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240598484.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240603125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240560890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240562765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240561843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240595500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240598140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240601750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240602156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240552593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240553906.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240561062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240562203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240592843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240597906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240553906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240560250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240603125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240555937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240561265.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600812.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240601546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240557031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240594046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240557484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240558859.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240560000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240561843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240562359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240602546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240556125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240557484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240602734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240558140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240559093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240562765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240594671.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4704	3280	WerFault.exe	81

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240559562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240563359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240552062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240553906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240554703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240554140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240550468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240592843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240552328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240563109.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2288	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	76
PID 3836 wrote to memory of 2288	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	76
PID 3836 wrote to memory of 2288	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	76
PID 3836 wrote to memory of 2456	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	77
PID 3836 wrote to memory of 2456	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	77
PID 3836 wrote to memory of 2456	3836	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	77
PID 2456 wrote to memory of 1692	2456	tmp240550500.exe	78
PID 2456 wrote to memory of 1692	2456	tmp240550500.exe	78
PID 2456 wrote to memory of 1692	2456	tmp240550500.exe	78
PID 2456 wrote to memory of 2224	2456	tmp240550500.exe	79
PID 2456 wrote to memory of 2224	2456	tmp240550500.exe	79
PID 2456 wrote to memory of 2224	2456	tmp240550500.exe	79
PID 2224 wrote to memory of 1792	2224	tmp240550625.exe	80
PID 2224 wrote to memory of 1792	2224	tmp240550625.exe	80
PID 2224 wrote to memory of 1792	2224	tmp240550625.exe	80
PID 2224 wrote to memory of 3280	2224	tmp240550625.exe	81
PID 2224 wrote to memory of 3280	2224	tmp240550625.exe	81
PID 2224 wrote to memory of 3280	2224	tmp240550625.exe	81
PID 2288 wrote to memory of 3688	2288	tmp240550468.exe	85
PID 2288 wrote to memory of 3688	2288	tmp240550468.exe	85
PID 2288 wrote to memory of 3688	2288	tmp240550468.exe	85
PID 3688 wrote to memory of 1040	3688	notpad.exe	86
PID 3688 wrote to memory of 1040	3688	notpad.exe	86
PID 3688 wrote to memory of 1040	3688	notpad.exe	86
PID 3688 wrote to memory of 1152	3688	notpad.exe	87
PID 3688 wrote to memory of 1152	3688	notpad.exe	87
PID 3688 wrote to memory of 1152	3688	notpad.exe	87
PID 1040 wrote to memory of 3520	1040	tmp240552062.exe	88
PID 1040 wrote to memory of 3520	1040	tmp240552062.exe	88
PID 1040 wrote to memory of 3520	1040	tmp240552062.exe	88
PID 3520 wrote to memory of 4576	3520	notpad.exe	89
PID 3520 wrote to memory of 4576	3520	notpad.exe	89
PID 3520 wrote to memory of 4576	3520	notpad.exe	89
PID 3520 wrote to memory of 5088	3520	notpad.exe	90
PID 3520 wrote to memory of 5088	3520	notpad.exe	90
PID 3520 wrote to memory of 5088	3520	notpad.exe	90
PID 4576 wrote to memory of 1280	4576	tmp240552328.exe	91
PID 4576 wrote to memory of 1280	4576	tmp240552328.exe	91
PID 4576 wrote to memory of 1280	4576	tmp240552328.exe	91
PID 1280 wrote to memory of 3340	1280	notpad.exe	92
PID 1280 wrote to memory of 3340	1280	notpad.exe	92
PID 1280 wrote to memory of 3340	1280	notpad.exe	92
PID 1280 wrote to memory of 4716	1280	notpad.exe	93
PID 1280 wrote to memory of 4716	1280	notpad.exe	93
PID 1280 wrote to memory of 4716	1280	notpad.exe	93
PID 3340 wrote to memory of 4368	3340	tmp240552593.exe	94
PID 3340 wrote to memory of 4368	3340	tmp240552593.exe	94
PID 3340 wrote to memory of 4368	3340	tmp240552593.exe	94
PID 4368 wrote to memory of 1640	4368	notpad.exe	95
PID 4368 wrote to memory of 1640	4368	notpad.exe	95
PID 4368 wrote to memory of 1640	4368	notpad.exe	95
PID 4368 wrote to memory of 1916	4368	notpad.exe	96
PID 4368 wrote to memory of 1916	4368	notpad.exe	96
PID 4368 wrote to memory of 1916	4368	notpad.exe	96
PID 1640 wrote to memory of 1576	1640	tmp240553906.exe	97
PID 1640 wrote to memory of 1576	1640	tmp240553906.exe	97
PID 1640 wrote to memory of 1576	1640	tmp240553906.exe	97
PID 1576 wrote to memory of 1912	1576	notpad.exe	98
PID 1576 wrote to memory of 1912	1576	notpad.exe	98
PID 1576 wrote to memory of 1912	1576	notpad.exe	98
PID 1576 wrote to memory of 952	1576	notpad.exe	99
PID 1576 wrote to memory of 952	1576	notpad.exe	99
PID 1576 wrote to memory of 952	1576	notpad.exe	99
PID 1912 wrote to memory of 1704	1912	tmp240554140.exe	100

C:\Users\Admin\AppData\Local\Temp\c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
"C:\Users\Admin\AppData\Local\Temp\c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\AppData\Local\Temp\tmp240550468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240550468.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\tmp240552062.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240552062.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Users\Admin\AppData\Local\Temp\tmp240552328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552328.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554140.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554421.exe
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554703.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554718.exe
        16⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554468.exe
        14⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554156.exe
        12⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553921.exe
        10⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553703.exe
        8⤵
        Executes dropped EXE
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\tmp240552375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552375.exe
        6⤵
        Executes dropped EXE
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\tmp240552109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240552109.exe
      4⤵
      Executes dropped EXE
      PID:1152
- C:\Users\Admin\AppData\Local\Temp\tmp240550500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240550500.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\tmp240550593.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240550593.exe
    3⤵
    - Executes dropped EXE
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\tmp240550625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240550625.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\tmp240550890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240550890.exe
      4⤵
      Executes dropped EXE
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\tmp240551281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240551281.exe
      4⤵
      Executes dropped EXE
      PID:3280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 224
        5⤵
        Program crash
        
        PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240554875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554875.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240555000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240555000.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3856
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\tmp240555203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240555203.exe
    3⤵
    - Executes dropped EXE
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\tmp240555187.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240555187.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:4088
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555343.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555515.exe
        7⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555671.exe
        9⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555656.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555531.exe
        7⤵
        Executes dropped EXE
        
        PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555375.exe
        5⤵
        Executes dropped EXE
        
        PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\tmp240554859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554859.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3076
- C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1992
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\tmp240555937.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240555937.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:4052
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\tmp240556125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556125.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556421.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557031.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557484.exe
        14⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        16⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557953.exe
        18⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558140.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558265.exe
        22⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558500.exe
        24⤵
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558859.exe
        26⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559093.exe
        28⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559562.exe
        30⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559781.exe
        32⤵
        Checks computer location settings
        
        PID:4128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560000.exe
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560250.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560468.exe
        38⤵
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560687.exe
        40⤵
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560890.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561062.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561265.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561453.exe
        48⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562015.exe
        52⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
        54⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562359.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562562.exe
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562765.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562890.exe
        62⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563109.exe
        64⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563359.exe
        66⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563625.exe
        68⤵
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563812.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592843.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593031.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
        76⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593671.exe
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593859.exe
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594250.exe
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe
        88⤵
        Checks computer location settings
        
        PID:2904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594671.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
        94⤵
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595265.exe
        96⤵
        Checks computer location settings
        
        PID:3124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595781.exe
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596031.exe
        102⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596312.exe
        104⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
        108⤵
        Checks computer location settings
        
        PID:4980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596968.exe
        110⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597312.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
        114⤵
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597718.exe
        116⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe
        122⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
        124⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600234.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        130⤵
        Checks computer location settings
        
        PID:5104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe
        134⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600984.exe
        136⤵
        Checks computer location settings
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        137⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601187.exe
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        139⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601390.exe
        140⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601546.exe
        142⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        143⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601750.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        145⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601937.exe
        146⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        147⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602156.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        149⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602359.exe
        150⤵
        Checks computer location settings
        
        PID:2284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602546.exe
        152⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        153⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602734.exe
        154⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602921.exe
        156⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603125.exe
        158⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        159⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
        160⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        161⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603421.exe
        162⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603484.exe
        162⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603281.exe
        160⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603140.exe
        158⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602937.exe
        156⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602750.exe
        154⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602562.exe
        152⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602375.exe
        150⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602171.exe
        148⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601968.exe
        146⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601765.exe
        144⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601562.exe
        142⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
        140⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601218.exe
        138⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
        136⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600828.exe
        134⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        132⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe
        130⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600250.exe
        128⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        126⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598734.exe
        124⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
        122⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe
        120⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597921.exe
        118⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
        116⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        114⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        112⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
        110⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596750.exe
        108⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
        106⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596328.exe
        104⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596093.exe
        102⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595796.exe
        100⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595609.exe
        98⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595328.exe
        96⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595125.exe
        94⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594875.exe
        92⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594687.exe
        90⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594484.exe
        88⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe
        86⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594078.exe
        84⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593875.exe
        82⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593687.exe
        80⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593500.exe
        78⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593296.exe
        76⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593046.exe
        74⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
        72⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563968.exe
        70⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563640.exe
        68⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563437.exe
        66⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240563125.exe
        64⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562921.exe
        62⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562781.exe
        60⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562578.exe
        58⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562406.exe
        56⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562218.exe
        54⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240562031.exe
        52⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561859.exe
        50⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561687.exe
        48⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561281.exe
        46⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe
        44⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560906.exe
        42⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560718.exe
        40⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560484.exe
        38⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560265.exe
        36⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560015.exe
        34⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559828.exe
        32⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559593.exe
        30⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559375.exe
        28⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558875.exe
        26⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558718.exe
        24⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558281.exe
        22⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558156.exe
        20⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557984.exe
        18⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557718.exe
        16⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557515.exe
        14⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557046.exe
        12⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556796.exe
        10⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556500.exe
        8⤵
        Executes dropped EXE
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\tmp240556140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556140.exe
        6⤵
        Executes dropped EXE
        
        PID:632
  - - C:\Users\Admin\AppData\Local\Temp\tmp240555953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240555953.exe
      4⤵
      Executes dropped EXE
      PID:8
- C:\Users\Admin\AppData\Local\Temp\tmp240555812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240555812.exe
  2⤵
  - Executes dropped EXE
  PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240550468.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550468.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550500.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550500.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550593.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550593.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550890.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240550890.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240551281.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240551281.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552062.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552062.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552109.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552328.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552328.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552375.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553921.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554140.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554140.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554156.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554421.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554421.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554468.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554703.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554703.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554718.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554859.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554859.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554875.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555000.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555000.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
memory/380-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1080-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2100-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2280-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2280-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2456-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3240-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3280-166-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/3304-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3464-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3520-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3540-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3540-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3688-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3720-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3732-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4964-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5108-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5108-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download