b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343

Analysis

max time kernel
9s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
Size

359KB
MD5

1e83272cf6b9a9ce38f589389ed81930
SHA1

05339c0a221649190582f8675c0a3fd1a05c35c8
SHA256

b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343
SHA512

a8b558c7731dad91b5e2241a1c8e2695a7b78aded94922f994d01815a3b39b7b3571467d46cf6a1908e3f832df3a855742a24ccad4a7b5ee0c8767392f506e58
SSDEEP

6144:HPeXhCRhrDPePOXhCRhrDPdPOftdcNMP2ftdcNdPVNSDyDISthpYNSDyDISthp:HPRR9PePhR9PdP1MP9dP/SDyttjcSDy7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

tmp7075082.exetmp7075238.exenotpad.exetmp7075877.exenotpad.exetmp7075986.exetmp7076142.exetmp7076392.exenotpad.exetmp7076735.exetmp7076844.exenotpad.exetmp7077188.exetmp7077312.exenotpad.exetmp7077749.exenotpad.exetmp7077936.exetmp7078077.exetmp7078139.exenotpad.exetmp7078529.exenotpad.exetmp7078654.exetmp7078748.exetmp7078763.exetmp7078888.exenotpad.exetmp7078826.exetmp7079013.exetmp7079044.exetmp7079153.exenotpad.exetmp7079122.exetmp7079309.exetmp7079325.exenotpad.exetmp7079387.exetmp7079465.exetmp7079543.exetmp7079512.exenotpad.exetmp7079684.exetmp7079808.exetmp7079886.exetmp7079840.exenotpad.exetmp7079949.exetmp7079964.exenotpad.exetmp7080058.exetmp7080167.exetmp7080245.exenotpad.exetmp7080261.exetmp7080432.exetmp7080386.exenotpad.exetmp7080510.exetmp7080666.exetmp7080698.exetmp7080557.exetmp7080526.exenotpad.exe

pid	process
628	tmp7075082.exe
1344	tmp7075238.exe
548	notpad.exe
432	tmp7075877.exe
1064	notpad.exe
1692	tmp7075986.exe
876	tmp7076142.exe
1396	tmp7076392.exe
1128	notpad.exe
1792	tmp7076735.exe
1952	tmp7076844.exe
1528	notpad.exe
1364	tmp7077188.exe
1004	tmp7077312.exe
1520	notpad.exe
1472	tmp7077749.exe
2008	notpad.exe
1284	tmp7077936.exe
960	tmp7078077.exe
1676	tmp7078139.exe
956	notpad.exe
520	tmp7078529.exe
1804	notpad.exe
832	tmp7078654.exe
544	tmp7078748.exe
1756	tmp7078763.exe
1404	tmp7078888.exe
1148	notpad.exe
1772	tmp7078826.exe
1008	tmp7079013.exe
1368	tmp7079044.exe
1584	tmp7079153.exe
1684	notpad.exe
880	tmp7079122.exe
1124	tmp7079309.exe
1984	tmp7079325.exe
1996	notpad.exe
1956	tmp7079387.exe
1812	tmp7079465.exe
1816	tmp7079543.exe
1280	tmp7079512.exe
1644	notpad.exe
1468	tmp7079684.exe
1004	tmp7079808.exe
908	tmp7079886.exe
1576	tmp7079840.exe
1940	notpad.exe
2044	tmp7079949.exe
1140	tmp7079964.exe
1708	notpad.exe
916	tmp7080058.exe
280	tmp7080167.exe
1676	tmp7080245.exe
960	notpad.exe
2020	tmp7080261.exe
628	tmp7080432.exe
1680	tmp7080386.exe
432	notpad.exe
848	tmp7080510.exe
548	tmp7080666.exe
700	tmp7080698.exe
2032	tmp7080557.exe
1600	tmp7080526.exe
1772	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/960-62-0x0000000000400000-0x000000000041F000-memory.dmp	upx
\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
behavioral1/memory/548-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1064-102-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral1/memory/1064-96-0x0000000000400000-0x000000000041F000-memory.dmp	upx
\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral1/memory/1128-119-0x0000000000400000-0x000000000041F000-memory.dmp	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral1/memory/1528-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
\Windows\SysWOW64\notpad.exe	upx
\Windows\SysWOW64\notpad.exe	upx
behavioral1/memory/1520-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2008-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/956-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/832-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1772-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1148-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1684-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/880-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1956-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1996-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1644-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1468-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/908-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/908-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1708-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1680-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/960-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/432-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1600-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1588-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1772-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1944-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1956-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1816-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1956-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1816-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1888-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1660-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exetmp7075082.exenotpad.exetmp7075877.exenotpad.exetmp7076142.exenotpad.exetmp7076735.exenotpad.exetmp7077188.exenotpad.exetmp7077749.exenotpad.exetmp7078077.exenotpad.exetmp7078529.exenotpad.exetmp7078654.exetmp7078748.exenotpad.exetmp7078826.exetmp7079013.exenotpad.exetmp7079122.exe

pid	process
960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
628	tmp7075082.exe
628	tmp7075082.exe
548	notpad.exe
548	notpad.exe
548	notpad.exe
432	tmp7075877.exe
432	tmp7075877.exe
1064	notpad.exe
1064	notpad.exe
1064	notpad.exe
876	tmp7076142.exe
876	tmp7076142.exe
1128	notpad.exe
1128	notpad.exe
1128	notpad.exe
1792	tmp7076735.exe
1792	tmp7076735.exe
1528	notpad.exe
1528	notpad.exe
1528	notpad.exe
1364	tmp7077188.exe
1364	tmp7077188.exe
1520	notpad.exe
1520	notpad.exe
1520	notpad.exe
1472	tmp7077749.exe
1472	tmp7077749.exe
2008	notpad.exe
2008	notpad.exe
2008	notpad.exe
960	tmp7078077.exe
960	tmp7078077.exe
956	notpad.exe
956	notpad.exe
520	tmp7078529.exe
520	tmp7078529.exe
956	notpad.exe
956	notpad.exe
1804	notpad.exe
1804	notpad.exe
832	tmp7078654.exe
832	tmp7078654.exe
832	tmp7078654.exe
544	tmp7078748.exe
544	tmp7078748.exe
1804	notpad.exe
1804	notpad.exe
1148	notpad.exe
1148	notpad.exe
1772	tmp7078826.exe
1772	tmp7078826.exe
1008	tmp7079013.exe
1008	tmp7079013.exe
1772	tmp7078826.exe
1148	notpad.exe
1148	notpad.exe
1684	notpad.exe
1684	notpad.exe
880	tmp7079122.exe
880	tmp7079122.exe

Drops file in System32 directory 64 IoCs

Processes:

tmp7082086.exetmp7075082.exetmp7077749.exetmp7079013.exetmp7080432.exetmp7081056.exetmp7081821.exetmp7083615.exetmp7079808.exetmp7079840.exetmp7082382.exetmp7083256.exetmp7076735.exetmp7082148.exetmp7082195.exetmp7093209.exetmp7078748.exetmp7079309.exetmp7079964.exetmp7079512.exetmp7096516.exenotpad.exetmp7078529.exetmp7080245.exetmp7076142.exetmp7078077.exetmp7077188.exetmp7081556.exetmp7075877.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7082086.exe
File created	C:\Windows\SysWOW64\fsb.stb	tmp7075082.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7077749.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7077749.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079013.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7080432.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081056.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081821.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7083615.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7075082.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079013.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079808.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079840.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7082382.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7083256.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7076735.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7082148.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7082148.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7082195.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7093209.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7078748.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079309.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075082.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7076735.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7079964.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079512.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096516.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7079013.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081056.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7082382.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093209.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7078529.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7080245.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7082086.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7096516.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7076142.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7078077.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7078748.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7075082.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7077188.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079808.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081556.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079309.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7078529.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079808.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7083256.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7076142.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7077188.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7078077.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7079512.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081556.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7082086.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7082382.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7078077.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7081056.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7082148.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7083256.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7083615.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081821.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7083615.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079840.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7081556.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075877.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 29 IoCs

Processes:

tmp7081821.exetmp7082148.exetmp7079309.exetmp7080432.exetmp7081556.exetmp7082382.exetmp7093209.exetmp7078077.exetmp7079013.exetmp7075877.exetmp7078748.exetmp7079840.exetmp7076735.exetmp7078529.exetmp7083256.exetmp7076142.exetmp7081056.exetmp7079808.exetmp7083615.exetmp7077749.exetmp7079512.exetmp7079964.exetmp7082086.exetmp7082195.exenotpad.exetmp7075082.exetmp7077188.exetmp7080245.exetmp7096516.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081821.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082148.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080245.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096516.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exetmp7075082.exenotpad.exetmp7075877.exenotpad.exetmp7076142.exenotpad.exetmp7076735.exenotpad.exetmp7077188.exenotpad.exe

description	pid	process	target process
PID 960 wrote to memory of 628	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075082.exe
PID 960 wrote to memory of 628	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075082.exe
PID 960 wrote to memory of 628	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075082.exe
PID 960 wrote to memory of 628	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075082.exe
PID 960 wrote to memory of 1344	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075238.exe
PID 960 wrote to memory of 1344	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075238.exe
PID 960 wrote to memory of 1344	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075238.exe
PID 960 wrote to memory of 1344	960	b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe	tmp7075238.exe
PID 628 wrote to memory of 548	628	tmp7075082.exe	notpad.exe
PID 628 wrote to memory of 548	628	tmp7075082.exe	notpad.exe
PID 628 wrote to memory of 548	628	tmp7075082.exe	notpad.exe
PID 628 wrote to memory of 548	628	tmp7075082.exe	notpad.exe
PID 548 wrote to memory of 432	548	notpad.exe	tmp7075877.exe
PID 548 wrote to memory of 432	548	notpad.exe	tmp7075877.exe
PID 548 wrote to memory of 432	548	notpad.exe	tmp7075877.exe
PID 548 wrote to memory of 432	548	notpad.exe	tmp7075877.exe
PID 548 wrote to memory of 1692	548	notpad.exe	tmp7075986.exe
PID 548 wrote to memory of 1692	548	notpad.exe	tmp7075986.exe
PID 548 wrote to memory of 1692	548	notpad.exe	tmp7075986.exe
PID 548 wrote to memory of 1692	548	notpad.exe	tmp7075986.exe
PID 432 wrote to memory of 1064	432	tmp7075877.exe	notpad.exe
PID 432 wrote to memory of 1064	432	tmp7075877.exe	notpad.exe
PID 432 wrote to memory of 1064	432	tmp7075877.exe	notpad.exe
PID 432 wrote to memory of 1064	432	tmp7075877.exe	notpad.exe
PID 1064 wrote to memory of 876	1064	notpad.exe	tmp7076142.exe
PID 1064 wrote to memory of 876	1064	notpad.exe	tmp7076142.exe
PID 1064 wrote to memory of 876	1064	notpad.exe	tmp7076142.exe
PID 1064 wrote to memory of 876	1064	notpad.exe	tmp7076142.exe
PID 1064 wrote to memory of 1396	1064	notpad.exe	tmp7076392.exe
PID 1064 wrote to memory of 1396	1064	notpad.exe	tmp7076392.exe
PID 1064 wrote to memory of 1396	1064	notpad.exe	tmp7076392.exe
PID 1064 wrote to memory of 1396	1064	notpad.exe	tmp7076392.exe
PID 876 wrote to memory of 1128	876	tmp7076142.exe	notpad.exe
PID 876 wrote to memory of 1128	876	tmp7076142.exe	notpad.exe
PID 876 wrote to memory of 1128	876	tmp7076142.exe	notpad.exe
PID 876 wrote to memory of 1128	876	tmp7076142.exe	notpad.exe
PID 1128 wrote to memory of 1792	1128	notpad.exe	tmp7076735.exe
PID 1128 wrote to memory of 1792	1128	notpad.exe	tmp7076735.exe
PID 1128 wrote to memory of 1792	1128	notpad.exe	tmp7076735.exe
PID 1128 wrote to memory of 1792	1128	notpad.exe	tmp7076735.exe
PID 1128 wrote to memory of 1952	1128	notpad.exe	tmp7076844.exe
PID 1128 wrote to memory of 1952	1128	notpad.exe	tmp7076844.exe
PID 1128 wrote to memory of 1952	1128	notpad.exe	tmp7076844.exe
PID 1128 wrote to memory of 1952	1128	notpad.exe	tmp7076844.exe
PID 1792 wrote to memory of 1528	1792	tmp7076735.exe	notpad.exe
PID 1792 wrote to memory of 1528	1792	tmp7076735.exe	notpad.exe
PID 1792 wrote to memory of 1528	1792	tmp7076735.exe	notpad.exe
PID 1792 wrote to memory of 1528	1792	tmp7076735.exe	notpad.exe
PID 1528 wrote to memory of 1364	1528	notpad.exe	tmp7077188.exe
PID 1528 wrote to memory of 1364	1528	notpad.exe	tmp7077188.exe
PID 1528 wrote to memory of 1364	1528	notpad.exe	tmp7077188.exe
PID 1528 wrote to memory of 1364	1528	notpad.exe	tmp7077188.exe
PID 1528 wrote to memory of 1004	1528	notpad.exe	tmp7077312.exe
PID 1528 wrote to memory of 1004	1528	notpad.exe	tmp7077312.exe
PID 1528 wrote to memory of 1004	1528	notpad.exe	tmp7077312.exe
PID 1528 wrote to memory of 1004	1528	notpad.exe	tmp7077312.exe
PID 1364 wrote to memory of 1520	1364	tmp7077188.exe	notpad.exe
PID 1364 wrote to memory of 1520	1364	tmp7077188.exe	notpad.exe
PID 1364 wrote to memory of 1520	1364	tmp7077188.exe	notpad.exe
PID 1364 wrote to memory of 1520	1364	tmp7077188.exe	notpad.exe
PID 1520 wrote to memory of 1472	1520	notpad.exe	tmp7077749.exe
PID 1520 wrote to memory of 1472	1520	notpad.exe	tmp7077749.exe
PID 1520 wrote to memory of 1472	1520	notpad.exe	tmp7077749.exe
PID 1520 wrote to memory of 1472	1520	notpad.exe	tmp7077749.exe

C:\Users\Admin\AppData\Local\Temp\b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe
"C:\Users\Admin\AppData\Local\Temp\b9d8b176e38236e1ab48a4cdd10be4326262f7f75f657a2f36f365c22558d343.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7075082.exe
C:\Users\Admin\AppData\Local\Temp\tmp7075082.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe
C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp7076142.exe
C:\Users\Admin\AppData\Local\Temp\tmp7076142.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe
C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\tmp7077749.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077749.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1472

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008

C:\Users\Admin\AppData\Local\Temp\tmp7078077.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078077.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:520

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp7078748.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078748.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:544

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148

C:\Users\Admin\AppData\Local\Temp\tmp7079013.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079013.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1008

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp7079309.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079309.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1124

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
23⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp7079512.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079512.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
25⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp7079808.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079808.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1004

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
27⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp7080058.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080058.exe
28⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp7080261.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080261.exe
28⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7080510.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080510.exe
29⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Temp\tmp7080698.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080698.exe
29⤵
- Executes dropped EXE
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp7079886.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079886.exe
26⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\Temp\tmp7079964.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079964.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1140

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
28⤵
- Executes dropped EXE
PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7080432.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080432.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:628

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
30⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
31⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\tmp7081353.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081353.exe
31⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
32⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
33⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmp7081821.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081821.exe
34⤵
- Drops file in System32 directory
- Modifies registry class
PID:1792

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
35⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\tmp7082148.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082148.exe
36⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
37⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp7082382.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082382.exe
38⤵
- Drops file in System32 directory
- Modifies registry class
PID:1496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
39⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\tmp7082616.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082616.exe
40⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\tmp7082944.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082944.exe
40⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\tmp7083256.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083256.exe
41⤵
- Drops file in System32 directory
- Modifies registry class
PID:956

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp7083615.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083615.exe
43⤵
- Drops file in System32 directory
- Modifies registry class
PID:1620

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
44⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\tmp7083693.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083693.exe
43⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp7084192.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084192.exe
44⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp7083833.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083833.exe
44⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp7083412.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083412.exe
41⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\tmp7101789.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101789.exe
38⤵
PID:1068

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
39⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp7102741.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102741.exe
40⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
40⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\tmp7108310.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108310.exe
41⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\tmp7111149.exe
C:\Users\Admin\AppData\Local\Temp\tmp7111149.exe
41⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp7082226.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082226.exe
36⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp7082414.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082414.exe
37⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\tmp7082476.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082476.exe
37⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp7081914.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081914.exe
34⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\tmp7082086.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082086.exe
35⤵
- Drops file in System32 directory
- Modifies registry class
PID:1616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
36⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp7082195.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082195.exe
37⤵
- Drops file in System32 directory
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
38⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp7082523.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082523.exe
39⤵
PID:916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
40⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
41⤵
PID:1836

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\tmp7083428.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083428.exe
43⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp7083630.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083630.exe
43⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\tmp7083989.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083989.exe
44⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\tmp7083786.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083786.exe
44⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\tmp7095736.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095736.exe
42⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\tmp7095502.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095502.exe
42⤵
PID:2032

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
43⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
44⤵
- Drops file in System32 directory
- Modifies registry class
PID:1320

C:\Users\Admin\AppData\Local\Temp\tmp7096797.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096797.exe
44⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7097015.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097015.exe
45⤵
PID:1524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
46⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp7099995.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099995.exe
47⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\tmp7100541.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100541.exe
48⤵
PID:636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
49⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
50⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
51⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\tmp7108263.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108263.exe
51⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\tmp7100713.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100713.exe
48⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
45⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp7083209.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083209.exe
41⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp7083443.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083443.exe
42⤵
PID:1320

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
43⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp7083568.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083568.exe
42⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp7084660.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084660.exe
40⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe
40⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\tmp7082772.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082772.exe
39⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\tmp7082991.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082991.exe
40⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7083365.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083365.exe
40⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\tmp7082367.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082367.exe
37⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7082460.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082460.exe
38⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\tmp7082835.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082835.exe
38⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp7082164.exe
C:\Users\Admin\AppData\Local\Temp\tmp7082164.exe
35⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp7084317.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084317.exe
36⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp7084223.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084223.exe
36⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\tmp7081680.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081680.exe
32⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp7146437.exe
C:\Users\Admin\AppData\Local\Temp\tmp7146437.exe
32⤵
PID:1068

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
33⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
34⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmp7155765.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155765.exe
35⤵
PID:1600

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
36⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
37⤵
PID:272

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
38⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\tmp7165422.exe
C:\Users\Admin\AppData\Local\Temp\tmp7165422.exe
39⤵
PID:1528

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
40⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\tmp7189118.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189118.exe
41⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
41⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\tmp7192051.exe
C:\Users\Admin\AppData\Local\Temp\tmp7192051.exe
42⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7194968.exe
C:\Users\Admin\AppData\Local\Temp\tmp7194968.exe
42⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp7167887.exe
C:\Users\Admin\AppData\Local\Temp\tmp7167887.exe
39⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\tmp7170944.exe
C:\Users\Admin\AppData\Local\Temp\tmp7170944.exe
40⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\tmp7171490.exe
C:\Users\Admin\AppData\Local\Temp\tmp7171490.exe
40⤵
PID:592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
41⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp7214391.exe
C:\Users\Admin\AppData\Local\Temp\tmp7214391.exe
42⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\tmp7216528.exe
C:\Users\Admin\AppData\Local\Temp\tmp7216528.exe
42⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\tmp7221879.exe
C:\Users\Admin\AppData\Local\Temp\tmp7221879.exe
43⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7165157.exe
C:\Users\Admin\AppData\Local\Temp\tmp7165157.exe
37⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
38⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\tmp7177528.exe
C:\Users\Admin\AppData\Local\Temp\tmp7177528.exe
38⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
35⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp7132833.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132833.exe
31⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
31⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp7080526.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080526.exe
29⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\tmp7081056.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081056.exe
30⤵
- Drops file in System32 directory
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
31⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp7081634.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081634.exe
32⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp7081743.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081743.exe
32⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\tmp7081852.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081852.exe
33⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\tmp7081930.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081930.exe
33⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
30⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7080167.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080167.exe
27⤵
- Executes dropped EXE
PID:280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
27⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp7079684.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079684.exe
24⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp7079840.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079840.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1576

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
26⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmp7080245.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080245.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1676

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
28⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Local\Temp\tmp7080666.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080666.exe
29⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\tmp7080994.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080994.exe
29⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
30⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp7081462.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081462.exe
30⤵
PID:1980

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
29⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\tmp7085269.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085269.exe
30⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp7085877.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085877.exe
31⤵
PID:880

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
32⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp7087078.exe
C:\Users\Admin\AppData\Local\Temp\tmp7087078.exe
33⤵
PID:1004

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
34⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\tmp7088420.exe
C:\Users\Admin\AppData\Local\Temp\tmp7088420.exe
35⤵
PID:688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
36⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp7092647.exe
C:\Users\Admin\AppData\Local\Temp\tmp7092647.exe
37⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\tmp7093303.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093303.exe
37⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp7095596.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095596.exe
38⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
38⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\tmp7088966.exe
C:\Users\Admin\AppData\Local\Temp\tmp7088966.exe
35⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe
C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe
36⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe
36⤵
- Drops file in System32 directory
- Modifies registry class
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe
C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe
33⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe
C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe
34⤵
PID:932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
35⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmp7088997.exe
C:\Users\Admin\AppData\Local\Temp\tmp7088997.exe
36⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp7089543.exe
C:\Users\Admin\AppData\Local\Temp\tmp7089543.exe
36⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp7092554.exe
C:\Users\Admin\AppData\Local\Temp\tmp7092554.exe
37⤵
PID:1484

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
38⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp7094395.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094395.exe
39⤵
PID:1968

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
40⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\tmp7095861.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095861.exe
41⤵
PID:1396

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp7099012.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099012.exe
43⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp7099777.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099777.exe
43⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
44⤵
PID:1256

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
45⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\tmp7102335.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102335.exe
46⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\tmp7108310.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108310.exe
46⤵
PID:912

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
47⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp7101617.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101617.exe
44⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\tmp7096033.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096033.exe
41⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\tmp7097234.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097234.exe
42⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\tmp7097452.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097452.exe
42⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\tmp7119183.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119183.exe
41⤵
PID:1340

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
43⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp7121632.exe
C:\Users\Admin\AppData\Local\Temp\tmp7121632.exe
44⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp7122802.exe
C:\Users\Admin\AppData\Local\Temp\tmp7122802.exe
44⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
43⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp7119402.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119402.exe
41⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
42⤵
PID:636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
43⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\tmp7121679.exe
C:\Users\Admin\AppData\Local\Temp\tmp7121679.exe
44⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\tmp7122709.exe
C:\Users\Admin\AppData\Local\Temp\tmp7122709.exe
44⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\tmp7125080.exe
C:\Users\Admin\AppData\Local\Temp\tmp7125080.exe
45⤵
PID:1680

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
46⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\tmp7130649.exe
C:\Users\Admin\AppData\Local\Temp\tmp7130649.exe
47⤵
PID:1368

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
48⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\tmp7136702.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136702.exe
49⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
49⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\tmp7132568.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132568.exe
47⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\tmp7134128.exe
C:\Users\Admin\AppData\Local\Temp\tmp7134128.exe
48⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\tmp7134487.exe
C:\Users\Admin\AppData\Local\Temp\tmp7134487.exe
48⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\tmp7127810.exe
C:\Users\Admin\AppData\Local\Temp\tmp7127810.exe
45⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
42⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\tmp7094785.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094785.exe
39⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp7092866.exe
C:\Users\Admin\AppData\Local\Temp\tmp7092866.exe
37⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
34⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\tmp7086454.exe
C:\Users\Admin\AppData\Local\Temp\tmp7086454.exe
31⤵
PID:1996

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
32⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp7192550.exe
C:\Users\Admin\AppData\Local\Temp\tmp7192550.exe
33⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\tmp7205062.exe
C:\Users\Admin\AppData\Local\Temp\tmp7205062.exe
33⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\tmp7080386.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080386.exe
27⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\tmp7080557.exe
C:\Users\Admin\AppData\Local\Temp\tmp7080557.exe
28⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Local\Temp\tmp7079949.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079949.exe
25⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp7079387.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079387.exe
22⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmp7079543.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079543.exe
23⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\tmp7079122.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079122.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880

C:\Users\Admin\AppData\Local\Temp\tmp7079325.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079325.exe
21⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe
21⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\Temp\tmp7078826.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078826.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7079044.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079044.exe
19⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp7079153.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079153.exe
19⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp7078654.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078654.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832

C:\Users\Admin\AppData\Local\Temp\tmp7078763.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078763.exe
17⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7078888.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078888.exe
17⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
14⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\tmp7084239.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084239.exe
14⤵
PID:1636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
15⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\tmp7084426.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084426.exe
16⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp7084489.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084489.exe
16⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp7084333.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084333.exe
14⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp7077936.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077936.exe
12⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\tmp7077312.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077312.exe
10⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\AppData\Local\Temp\tmp7076844.exe
C:\Users\Admin\AppData\Local\Temp\tmp7076844.exe
8⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp7076392.exe
C:\Users\Admin\AppData\Local\Temp\tmp7076392.exe
6⤵
- Executes dropped EXE
PID:1396

C:\Users\Admin\AppData\Local\Temp\tmp7084879.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084879.exe
6⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7085175.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085175.exe
7⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp7085253.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085253.exe
7⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp7084738.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084738.exe
6⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp7075986.exe
C:\Users\Admin\AppData\Local\Temp\tmp7075986.exe
4⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\tmp7075238.exe
C:\Users\Admin\AppData\Local\Temp\tmp7075238.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\AppData\Local\Temp\tmp7083662.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083662.exe
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp7083708.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083708.exe
1⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp7083989.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083989.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\tmp7084052.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084052.exe
2⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\tmp7083943.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083943.exe
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\tmp7084395.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084395.exe
1⤵
PID:1068

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\tmp7084582.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084582.exe
1⤵
PID:960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7085066.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085066.exe
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp7208837.exe
C:\Users\Admin\AppData\Local\Temp\tmp7208837.exe
4⤵
PID:1716

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
5⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\tmp7212940.exe
C:\Users\Admin\AppData\Local\Temp\tmp7212940.exe
6⤵
PID:1636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
7⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\tmp7221832.exe
C:\Users\Admin\AppData\Local\Temp\tmp7221832.exe
8⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\tmp7223969.exe
C:\Users\Admin\AppData\Local\Temp\tmp7223969.exe
8⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\tmp7215030.exe
C:\Users\Admin\AppData\Local\Temp\tmp7215030.exe
6⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7217885.exe
C:\Users\Admin\AppData\Local\Temp\tmp7217885.exe
7⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\tmp7217620.exe
C:\Users\Admin\AppData\Local\Temp\tmp7217620.exe
7⤵
PID:1328

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
8⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp7219227.exe
C:\Users\Admin\AppData\Local\Temp\tmp7219227.exe
9⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\tmp7221317.exe
C:\Users\Admin\AppData\Local\Temp\tmp7221317.exe
9⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\tmp7209102.exe
C:\Users\Admin\AppData\Local\Temp\tmp7209102.exe
4⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\tmp7085128.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085128.exe
3⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\tmp7085425.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085425.exe
4⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp7084707.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084707.exe
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\tmp7084941.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084941.exe
2⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
2⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\tmp7085206.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085206.exe
1⤵
PID:860

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp7085971.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085971.exe
3⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp7086563.exe
C:\Users\Admin\AppData\Local\Temp\tmp7086563.exe
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\tmp7087219.exe
C:\Users\Admin\AppData\Local\Temp\tmp7087219.exe
4⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\tmp7138574.exe
C:\Users\Admin\AppData\Local\Temp\tmp7138574.exe
5⤵
PID:2008

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
6⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe
C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe
7⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7145656.exe
C:\Users\Admin\AppData\Local\Temp\tmp7145656.exe
8⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp7151413.exe
C:\Users\Admin\AppData\Local\Temp\tmp7151413.exe
8⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp7143535.exe
C:\Users\Admin\AppData\Local\Temp\tmp7143535.exe
7⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
5⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp7087546.exe
C:\Users\Admin\AppData\Local\Temp\tmp7087546.exe
4⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp7085237.exe
C:\Users\Admin\AppData\Local\Temp\tmp7085237.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp7084442.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084442.exe
1⤵
PID:1300

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\tmp7084099.exe
C:\Users\Admin\AppData\Local\Temp\tmp7084099.exe
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp7099761.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099761.exe
1⤵
PID:2012

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\tmp7100681.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100681.exe
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp7101243.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101243.exe
3⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\tmp7102351.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102351.exe
4⤵
PID:592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
5⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
6⤵
PID:1968

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
7⤵
- Drops file in System32 directory
- Modifies registry class
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp7110416.exe
C:\Users\Admin\AppData\Local\Temp\tmp7110416.exe
8⤵
PID:996

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
9⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp7116001.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116001.exe
10⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp7117046.exe
C:\Users\Admin\AppData\Local\Temp\tmp7117046.exe
10⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp7120665.exe
C:\Users\Admin\AppData\Local\Temp\tmp7120665.exe
11⤵
PID:832

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
12⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp7122615.exe
C:\Users\Admin\AppData\Local\Temp\tmp7122615.exe
13⤵
PID:1660

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
14⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
15⤵
PID:1148

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
16⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp7133582.exe
C:\Users\Admin\AppData\Local\Temp\tmp7133582.exe
17⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\tmp7133863.exe
C:\Users\Admin\AppData\Local\Temp\tmp7133863.exe
17⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
18⤵
PID:1128

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
19⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\tmp7139120.exe
C:\Users\Admin\AppData\Local\Temp\tmp7139120.exe
20⤵
PID:520

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
21⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp7145344.exe
C:\Users\Admin\AppData\Local\Temp\tmp7145344.exe
22⤵
PID:1660

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
23⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp7146671.exe
C:\Users\Admin\AppData\Local\Temp\tmp7146671.exe
24⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\tmp7151413.exe
C:\Users\Admin\AppData\Local\Temp\tmp7151413.exe
25⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp7193237.exe
C:\Users\Admin\AppData\Local\Temp\tmp7193237.exe
26⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\tmp7194844.exe
C:\Users\Admin\AppData\Local\Temp\tmp7194844.exe
27⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\tmp7194532.exe
C:\Users\Admin\AppData\Local\Temp\tmp7194532.exe
27⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp7193065.exe
C:\Users\Admin\AppData\Local\Temp\tmp7193065.exe
26⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\tmp7155500.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155500.exe
25⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
22⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp7147497.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147497.exe
23⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\tmp7151273.exe
C:\Users\Admin\AppData\Local\Temp\tmp7151273.exe
23⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
20⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
21⤵
PID:1548

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
22⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\tmp7162255.exe
C:\Users\Admin\AppData\Local\Temp\tmp7162255.exe
23⤵
PID:628

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
24⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp7164751.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164751.exe
25⤵
PID:1644

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
26⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp7181396.exe
C:\Users\Admin\AppData\Local\Temp\tmp7181396.exe
27⤵
PID:1124

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
28⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp7189540.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189540.exe
29⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7189306.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189306.exe
29⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp7186388.exe
C:\Users\Admin\AppData\Local\Temp\tmp7186388.exe
27⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\tmp7190210.exe
C:\Users\Admin\AppData\Local\Temp\tmp7190210.exe
28⤵
PID:860

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
29⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp7203642.exe
C:\Users\Admin\AppData\Local\Temp\tmp7203642.exe
30⤵
PID:1616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
31⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\tmp7204890.exe
C:\Users\Admin\AppData\Local\Temp\tmp7204890.exe
30⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp7194500.exe
C:\Users\Admin\AppData\Local\Temp\tmp7194500.exe
28⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\tmp7171818.exe
C:\Users\Admin\AppData\Local\Temp\tmp7171818.exe
25⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\tmp7180944.exe
C:\Users\Admin\AppData\Local\Temp\tmp7180944.exe
26⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\tmp7181646.exe
C:\Users\Admin\AppData\Local\Temp\tmp7181646.exe
26⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
23⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\tmp7167091.exe
C:\Users\Admin\AppData\Local\Temp\tmp7167091.exe
24⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\tmp7177278.exe
C:\Users\Admin\AppData\Local\Temp\tmp7177278.exe
24⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
21⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7212924.exe
C:\Users\Admin\AppData\Local\Temp\tmp7212924.exe
20⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmp7209898.exe
C:\Users\Admin\AppData\Local\Temp\tmp7209898.exe
20⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\tmp7137654.exe
C:\Users\Admin\AppData\Local\Temp\tmp7137654.exe
18⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\tmp7127888.exe
C:\Users\Admin\AppData\Local\Temp\tmp7127888.exe
15⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7190257.exe
C:\Users\Admin\AppData\Local\Temp\tmp7190257.exe
16⤵
PID:960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
17⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp7190647.exe
C:\Users\Admin\AppData\Local\Temp\tmp7190647.exe
16⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
13⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\tmp7123317.exe
C:\Users\Admin\AppData\Local\Temp\tmp7123317.exe
14⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp7124191.exe
C:\Users\Admin\AppData\Local\Temp\tmp7124191.exe
14⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\tmp7122116.exe
C:\Users\Admin\AppData\Local\Temp\tmp7122116.exe
11⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmp7113427.exe
C:\Users\Admin\AppData\Local\Temp\tmp7113427.exe
8⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
9⤵
PID:1860

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
10⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
9⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
6⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\tmp7109885.exe
C:\Users\Admin\AppData\Local\Temp\tmp7109885.exe
7⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp7110494.exe
C:\Users\Admin\AppData\Local\Temp\tmp7110494.exe
7⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7102631.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102631.exe
4⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp7152380.exe
C:\Users\Admin\AppData\Local\Temp\tmp7152380.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\tmp7210896.exe
C:\Users\Admin\AppData\Local\Temp\tmp7210896.exe
1⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\tmp7212378.exe
C:\Users\Admin\AppData\Local\Temp\tmp7212378.exe
2⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\tmp7211239.exe
C:\Users\Admin\AppData\Local\Temp\tmp7211239.exe
2⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp7209664.exe
C:\Users\Admin\AppData\Local\Temp\tmp7209664.exe
1⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp7221941.exe
C:\Users\Admin\AppData\Local\Temp\tmp7221941.exe
1⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\tmp7221645.exe
C:\Users\Admin\AppData\Local\Temp\tmp7221645.exe
1⤵
PID:2004

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7075082.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075082.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075238.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075986.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076142.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076142.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076392.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7076844.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7077312.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7077749.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7077749.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
283KB

MD5
d5581c9ab09d1fb6a0a3ecbd2c848d0a

SHA1
83dcddec44224a77a152776c66a5225d9360dd51

SHA256
fca71d452ec9d697af85fd91865701a2b6646b26df847017d5d8c1ac69cda47e

SHA512
79db927aa1223da77bc7f8d0f028f3052c9adefe70b4be14bc06ecf544f792269db7e0a932ee1f0446acada36bb49983536dff534ae91e788dfcd8ee37318533

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075082.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075082.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075238.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075238.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075877.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075877.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075986.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076142.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076142.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076392.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076735.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076735.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7076844.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077188.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077188.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077312.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077749.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077749.exe

Filesize
283KB

MD5
fff0b6c8eb795f44363254f13c635f61

SHA1
e82f1518d8fb9a0b0a6c202fbe6c57878857922a

SHA256
f305ba6bb00de9a449028fdf8ea3eeaeeffeb2d211f934e7f4a142614f43d9f5

SHA512
17628b628ba6d810f89001b5095ec09161e0dd89281d34e10c9bc15ab8e0852c39eff6cfce9e06323ba027cfec6c51bda353a3cca65b926a14eca9af2139bfeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7077936.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
469KB

MD5
1938c5293e9e1ce61c8400205cf9cd11

SHA1
e6a1aff3198020bda0691c7b3e5cd9df8b89531a

SHA256
099371a894af72626f7ae69c7f717bc15900a20996c9aad9dd7eea1416037dd9

SHA512
326eec8f5f65958e8ad3ecad12070b841792131b5e826a711fcdd81bf9cd36a91343df1c6a755aa6c8d51a44b6b64bd6b25f8af9a209ebb2ea0a45644872e010

Download Submit
memory/280-222-0x0000000000000000-mapping.dmp

Download
memory/432-73-0x0000000000000000-mapping.dmp

Download
memory/432-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-233-0x0000000000000000-mapping.dmp

Download
memory/432-88-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/520-162-0x0000000000000000-mapping.dmp

Download
memory/544-167-0x0000000000000000-mapping.dmp

Download
memory/548-68-0x0000000000000000-mapping.dmp

Download
memory/548-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/548-238-0x0000000000000000-mapping.dmp

Download
memory/576-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-231-0x0000000000000000-mapping.dmp

Download
memory/628-56-0x0000000000000000-mapping.dmp

Download
memory/628-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-63-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/700-237-0x0000000000000000-mapping.dmp

Download
memory/832-165-0x0000000000000000-mapping.dmp

Download
memory/832-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/848-234-0x0000000000000000-mapping.dmp

Download
memory/848-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/876-91-0x0000000000000000-mapping.dmp

Download
memory/880-183-0x0000000000000000-mapping.dmp

Download
memory/880-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-207-0x0000000000000000-mapping.dmp

Download
memory/916-220-0x0000000000000000-mapping.dmp

Download
memory/956-161-0x0000000000000000-mapping.dmp

Download
memory/956-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-156-0x0000000000000000-mapping.dmp

Download
memory/960-226-0x0000000000000000-mapping.dmp

Download
memory/980-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-303-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/980-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-133-0x0000000000000000-mapping.dmp

Download
memory/1004-205-0x0000000000000000-mapping.dmp

Download
memory/1008-177-0x0000000000000000-mapping.dmp

Download
memory/1064-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-83-0x0000000000000000-mapping.dmp

Download
memory/1124-187-0x0000000000000000-mapping.dmp

Download
memory/1124-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1128-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1128-105-0x0000000000000000-mapping.dmp

Download
memory/1140-215-0x0000000000000000-mapping.dmp

Download
memory/1148-173-0x0000000000000000-mapping.dmp

Download
memory/1148-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-198-0x0000000000000000-mapping.dmp

Download
memory/1284-150-0x0000000000000000-mapping.dmp

Download
memory/1300-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1344-60-0x0000000000000000-mapping.dmp

Download
memory/1356-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-304-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1364-126-0x0000000000000000-mapping.dmp

Download
memory/1368-178-0x0000000000000000-mapping.dmp

Download
memory/1396-95-0x0000000000000000-mapping.dmp

Download
memory/1404-171-0x0000000000000000-mapping.dmp

Download
memory/1468-203-0x0000000000000000-mapping.dmp

Download
memory/1468-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-143-0x0000000000000000-mapping.dmp

Download
memory/1484-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-139-0x0000000000000000-mapping.dmp

Download
memory/1528-122-0x0000000000000000-mapping.dmp

Download
memory/1528-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-208-0x0000000000000000-mapping.dmp

Download
memory/1584-182-0x0000000000000000-mapping.dmp

Download
memory/1588-247-0x0000000000000000-mapping.dmp

Download
memory/1588-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-239-0x0000000000000000-mapping.dmp

Download
memory/1600-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-202-0x0000000000000000-mapping.dmp

Download
memory/1660-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-225-0x0000000000000000-mapping.dmp

Download
memory/1676-158-0x0000000000000000-mapping.dmp

Download
memory/1680-229-0x0000000000000000-mapping.dmp

Download
memory/1680-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-181-0x0000000000000000-mapping.dmp

Download
memory/1684-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-81-0x0000000000000000-mapping.dmp

Download
memory/1708-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-218-0x0000000000000000-mapping.dmp

Download
memory/1756-169-0x0000000000000000-mapping.dmp

Download
memory/1772-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-175-0x0000000000000000-mapping.dmp

Download
memory/1792-109-0x0000000000000000-mapping.dmp

Download
memory/1804-164-0x0000000000000000-mapping.dmp

Download
memory/1804-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-194-0x0000000000000000-mapping.dmp

Download
memory/1816-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-197-0x0000000000000000-mapping.dmp

Download
memory/1848-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1848-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-210-0x0000000000000000-mapping.dmp

Download
memory/1940-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-115-0x0000000000000000-mapping.dmp

Download
memory/1956-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-192-0x0000000000000000-mapping.dmp

Download
memory/1976-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-189-0x0000000000000000-mapping.dmp

Download
memory/1996-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-191-0x0000000000000000-mapping.dmp

Download
memory/2008-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-153-0x0000000000000000-mapping.dmp

Download
memory/2020-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-228-0x0000000000000000-mapping.dmp

Download
memory/2032-240-0x0000000000000000-mapping.dmp

Download
memory/2044-212-0x0000000000000000-mapping.dmp

Download