dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a

Analysis

max time kernel
213s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
Size

9.6MB
MD5

baee066a147e3e7cc605f525c1b3b917
SHA1

0a7b1193fb18a9bb20632537f77c1aacf961ee0a
SHA256

dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a
SHA512

7d77fc0f8dc5b90ed7c2d0c10aeaa0e715918bd191ed7507a1f0c5bf57ed05503b06114ea86d7aa1a8971c559ad41498aed042be2086ef809ab220adb0777561
SSDEEP

24576:aDyTFtj+DyTFtjFDyTFtjBDyTFtjTDyTFtjzDyTFtj:HtntWtatYtYt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1092	tmp240653062.exe
1180	tmp240653359.exe
4264	tmp240654031.exe
2044	notpad.exe
4632	tmp240654140.exe
2600	tmp240671156.exe
4880	notpad.exe
616	tmp240671484.exe
1644	tmp240671531.exe
316	tmp240671687.exe
4548	tmp240672078.exe
3184	tmp240671906.exe
4240	notpad.exe
3768	tmp240672640.exe
3872	tmp240672656.exe
3840	tmp240672828.exe
1948	tmp240672796.exe
3172	tmp240673218.exe
1500	notpad.exe
3096	tmp240673296.exe
368	tmp240673609.exe
5056	tmp240675984.exe
4884	tmp240675937.exe
1248	tmp240676093.exe
860	notpad.exe
3388	tmp240676406.exe
2864	tmp240676515.exe
1132	notpad.exe
3428	tmp240676937.exe
3900	tmp240677640.exe
3976	notpad.exe
5092	tmp240677984.exe
1592	tmp240678125.exe
3948	notpad.exe
5052	tmp240678296.exe
436	tmp240679015.exe
1452	notpad.exe
2252	tmp240679328.exe
976	tmp240679359.exe
2564	notpad.exe
1044	tmp240679531.exe
2820	tmp240680218.exe
4204	notpad.exe
4428	tmp240680390.exe
2892	tmp240680421.exe
1608	notpad.exe
1284	tmp240680578.exe
3292	tmp240680687.exe
4544	notpad.exe
1688	tmp240680859.exe
2344	tmp240681031.exe
3680	notpad.exe
332	tmp240681203.exe
4496	tmp240692406.exe
2232	notpad.exe
4892	tmp240700000.exe
788	tmp240700625.exe
4264	notpad.exe
4224	tmp240700875.exe
4676	tmp240701015.exe
2044	notpad.exe
872	tmp240701265.exe
1612	tmp240701312.exe
116	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4796-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022ddf-137.dat	upx
behavioral2/files/0x0007000000022ddf-139.dat	upx
behavioral2/memory/4796-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1180-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1180-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-146.dat	upx
behavioral2/files/0x0007000000022de8-147.dat	upx
behavioral2/files/0x0006000000022deb-150.dat	upx
behavioral2/files/0x0006000000022deb-149.dat	upx
behavioral2/files/0x0006000000022de6-155.dat	upx
behavioral2/memory/1180-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-158.dat	upx
behavioral2/memory/4880-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4632-171-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2044-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022de6-163.dat	upx
behavioral2/files/0x0006000000022df2-177.dat	upx
behavioral2/files/0x0006000000022df2-178.dat	upx
behavioral2/memory/4632-180-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-179.dat	upx
behavioral2/memory/4880-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022de6-185.dat	upx
behavioral2/memory/4240-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022df9-194.dat	upx
behavioral2/memory/1948-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-201.dat	upx
behavioral2/memory/3184-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022df9-193.dat	upx
behavioral2/files/0x0006000000022dfd-203.dat	upx
behavioral2/memory/1500-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022dfd-206.dat	upx
behavioral2/files/0x0006000000022de6-210.dat	upx
behavioral2/memory/1948-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3096-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-224.dat	upx
behavioral2/files/0x0006000000022de6-228.dat	upx
behavioral2/memory/1500-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/860-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-234.dat	upx
behavioral2/memory/1132-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022de6-239.dat	upx
behavioral2/memory/1132-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022de8-245.dat	upx
behavioral2/memory/3976-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3948-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3948-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1452-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2564-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4204-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1608-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4544-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3680-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3680-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3680-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2232-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4264-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2044-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/116-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1512-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3656-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1660-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3836-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2540-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240706500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240678296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240756421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240710609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240740312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240702859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240768359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240681203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240700000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240710281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240702500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240705578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240757031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240768828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240702156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240706046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240722703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240672640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240722718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240700875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240705218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240653062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240673609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677984.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240704734.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240679328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240702156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240703171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240681203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240701546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240680859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240700000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240768359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240653062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240676937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240681203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240702500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240705218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240710281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240722703.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240671484.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240679328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240680390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240722718.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240676937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240704390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240680578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240703375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240706500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240768359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240679531.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240702859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240700875.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240705218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240722703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240768359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240678296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240700000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240653062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240701859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240710609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240676406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240703781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240705578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240672640.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240680390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240722703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240722718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240771687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240771687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240671156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240702500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240768828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240771687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240677984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240705578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240702500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240673609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240701546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240722718.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240768828.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4940	1248	WerFault.exe	100

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240681203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240679328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240722703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240706500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240740312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240757031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240722718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240768359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240679531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240771687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240756421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240706046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240768828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653062.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1092	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	78
PID 4796 wrote to memory of 1092	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	78
PID 4796 wrote to memory of 1092	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	78
PID 4796 wrote to memory of 1180	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	79
PID 4796 wrote to memory of 1180	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	79
PID 4796 wrote to memory of 1180	4796	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	79
PID 1180 wrote to memory of 4264	1180	tmp240653359.exe	80
PID 1180 wrote to memory of 4264	1180	tmp240653359.exe	80
PID 1180 wrote to memory of 4264	1180	tmp240653359.exe	80
PID 1092 wrote to memory of 2044	1092	tmp240653062.exe	81
PID 1092 wrote to memory of 2044	1092	tmp240653062.exe	81
PID 1092 wrote to memory of 2044	1092	tmp240653062.exe	81
PID 1180 wrote to memory of 4632	1180	tmp240653359.exe	82
PID 1180 wrote to memory of 4632	1180	tmp240653359.exe	82
PID 1180 wrote to memory of 4632	1180	tmp240653359.exe	82
PID 2044 wrote to memory of 2600	2044	notpad.exe	83
PID 2044 wrote to memory of 2600	2044	notpad.exe	83
PID 2044 wrote to memory of 2600	2044	notpad.exe	83
PID 2600 wrote to memory of 4880	2600	tmp240671156.exe	84
PID 2600 wrote to memory of 4880	2600	tmp240671156.exe	84
PID 2600 wrote to memory of 4880	2600	tmp240671156.exe	84
PID 4632 wrote to memory of 616	4632	tmp240654140.exe	85
PID 4632 wrote to memory of 616	4632	tmp240654140.exe	85
PID 4632 wrote to memory of 616	4632	tmp240654140.exe	85
PID 2044 wrote to memory of 1644	2044	notpad.exe	88
PID 2044 wrote to memory of 1644	2044	notpad.exe	88
PID 2044 wrote to memory of 1644	2044	notpad.exe	88
PID 4880 wrote to memory of 316	4880	notpad.exe	86
PID 4880 wrote to memory of 316	4880	notpad.exe	86
PID 4880 wrote to memory of 316	4880	notpad.exe	86
PID 4880 wrote to memory of 4548	4880	notpad.exe	87
PID 4880 wrote to memory of 4548	4880	notpad.exe	87
PID 4880 wrote to memory of 4548	4880	notpad.exe	87
PID 4632 wrote to memory of 3184	4632	tmp240654140.exe	92
PID 4632 wrote to memory of 3184	4632	tmp240654140.exe	92
PID 4632 wrote to memory of 3184	4632	tmp240654140.exe	92
PID 616 wrote to memory of 4240	616	tmp240671484.exe	89
PID 616 wrote to memory of 4240	616	tmp240671484.exe	89
PID 616 wrote to memory of 4240	616	tmp240671484.exe	89
PID 3184 wrote to memory of 3768	3184	tmp240671906.exe	90
PID 3184 wrote to memory of 3768	3184	tmp240671906.exe	90
PID 3184 wrote to memory of 3768	3184	tmp240671906.exe	90
PID 4240 wrote to memory of 3872	4240	notpad.exe	91
PID 4240 wrote to memory of 3872	4240	notpad.exe	91
PID 4240 wrote to memory of 3872	4240	notpad.exe	91
PID 4240 wrote to memory of 3840	4240	notpad.exe	93
PID 4240 wrote to memory of 3840	4240	notpad.exe	93
PID 4240 wrote to memory of 3840	4240	notpad.exe	93
PID 3184 wrote to memory of 1948	3184	tmp240671906.exe	94
PID 3184 wrote to memory of 1948	3184	tmp240671906.exe	94
PID 3184 wrote to memory of 1948	3184	tmp240671906.exe	94
PID 1948 wrote to memory of 3172	1948	tmp240672796.exe	97
PID 1948 wrote to memory of 3172	1948	tmp240672796.exe	97
PID 1948 wrote to memory of 3172	1948	tmp240672796.exe	97
PID 3768 wrote to memory of 1500	3768	tmp240672640.exe	95
PID 3768 wrote to memory of 1500	3768	tmp240672640.exe	95
PID 3768 wrote to memory of 1500	3768	tmp240672640.exe	95
PID 1948 wrote to memory of 3096	1948	tmp240672796.exe	96
PID 1948 wrote to memory of 3096	1948	tmp240672796.exe	96
PID 1948 wrote to memory of 3096	1948	tmp240672796.exe	96
PID 1500 wrote to memory of 368	1500	notpad.exe	98
PID 1500 wrote to memory of 368	1500	notpad.exe	98
PID 1500 wrote to memory of 368	1500	notpad.exe	98
PID 1500 wrote to memory of 4884	1500	notpad.exe	108

C:\Users\Admin\AppData\Local\Temp\dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
"C:\Users\Admin\AppData\Local\Temp\dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        6⤵
        Executes dropped EXE
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        6⤵
        Executes dropped EXE
        
        PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
      4⤵
      Executes dropped EXE
      PID:1644
- C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
    3⤵
    - Executes dropped EXE
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        6⤵
        Executes dropped EXE
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        6⤵
        Executes dropped EXE
        
        PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\tmp240671906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240671906.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        6⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        7⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe
        7⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 224
        8⤵
        Program crash
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\tmp240673218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673218.exe
        6⤵
        Executes dropped EXE
        
        PID:3172

C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:368
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677640.exe
        7⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        5⤵
        Executes dropped EXE
        
        PID:2864
- - C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
    3⤵
    - Executes dropped EXE
    PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1248 -ip 1248
1⤵
PID:1040

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3976
- C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:5092
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
      4⤵
      Executes dropped EXE
      PID:436
  - - C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:5052
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1452
- C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmp240680218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680218.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\tmp240679531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240679531.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1044

C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4428
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1284
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\tmp240680859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680859.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700000.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700875.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701265.exe
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701546.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701859.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702156.exe
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702500.exe
        21⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702859.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703171.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703437.exe
        27⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703515.exe
        27⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703578.exe
        28⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703625.exe
        28⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703703.exe
        29⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703718.exe
        29⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703781.exe
        30⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704062.exe
        32⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704140.exe
        32⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704203.exe
        33⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704234.exe
        33⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704281.exe
        34⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704296.exe
        34⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704328.exe
        35⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704343.exe
        35⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703843.exe
        30⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703187.exe
        25⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
        26⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703312.exe
        26⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703375.exe
        27⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703812.exe
        29⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703890.exe
        29⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703953.exe
        30⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703968.exe
        30⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704031.exe
        31⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704390.exe
        33⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704734.exe
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705218.exe
        37⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705640.exe
        39⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705671.exe
        39⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705781.exe
        40⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705875.exe
        40⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705921.exe
        41⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706000.exe
        41⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706062.exe
        42⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706140.exe
        42⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709406.exe
        43⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709500.exe
        43⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709609.exe
        44⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709656.exe
        44⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705296.exe
        37⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705390.exe
        38⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705437.exe
        38⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705484.exe
        39⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705500.exe
        39⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705578.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706046.exe
        42⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706500.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
        46⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710484.exe
        46⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
        47⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        47⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710609.exe
        48⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722703.exe
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740312.exe
        52⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756375.exe
        54⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756390.exe
        54⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756546.exe
        55⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756734.exe
        56⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756906.exe
        56⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756968.exe
        57⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767796.exe
        57⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767906.exe
        58⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767968.exe
        58⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768187.exe
        59⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768265.exe
        60⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768312.exe
        60⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768093.exe
        59⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755046.exe
        52⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755359.exe
        53⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755671.exe
        53⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755796.exe
        54⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755890.exe
        54⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756421.exe
        55⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240757046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240757046.exe
        57⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767984.exe
        57⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768218.exe
        58⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768296.exe
        58⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768468.exe
        59⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768593.exe
        60⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768656.exe
        60⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768734.exe
        61⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768812.exe
        61⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768890.exe
        62⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769015.exe
        62⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769078.exe
        63⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769093.exe
        63⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768421.exe
        59⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756718.exe
        55⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756921.exe
        56⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756984.exe
        56⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240757031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240757031.exe
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768359.exe
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768828.exe
        61⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240771687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240771687.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768875.exe
        61⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768968.exe
        62⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769046.exe
        62⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769140.exe
        63⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240771625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240771625.exe
        63⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240792234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240792234.exe
        64⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768406.exe
        59⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768515.exe
        60⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768562.exe
        60⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768671.exe
        61⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768718.exe
        61⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768796.exe
        62⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768953.exe
        62⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769156.exe
        63⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240779390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240779390.exe
        64⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240787828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240787828.exe
        64⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767781.exe
        57⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767921.exe
        58⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768000.exe
        58⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240769031.exe
        53⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740046.exe
        50⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
        48⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240730015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240730015.exe
        49⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742921.exe
        49⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755109.exe
        50⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755390.exe
        50⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755750.exe
        51⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755906.exe
        51⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756453.exe
        52⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756531.exe
        52⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
        44⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
        45⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
        45⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        46⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        46⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
        47⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710015.exe
        47⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
        48⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
        48⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710343.exe
        49⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
        50⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        50⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706078.exe
        42⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709468.exe
        43⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709515.exe
        43⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
        44⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709750.exe
        44⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
        45⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710000.exe
        45⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710250.exe
        46⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710296.exe
        47⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710312.exe
        47⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
        48⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
        48⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710171.exe
        46⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705625.exe
        40⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705718.exe
        41⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705796.exe
        41⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705906.exe
        42⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705937.exe
        42⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        35⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704875.exe
        36⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704890.exe
        36⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704953.exe
        37⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704968.exe
        37⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        38⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705062.exe
        38⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705234.exe
        39⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705312.exe
        39⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704406.exe
        33⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704453.exe
        34⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704500.exe
        34⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704562.exe
        35⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704609.exe
        35⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704625.exe
        36⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704671.exe
        36⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704046.exe
        31⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704109.exe
        32⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704125.exe
        32⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703421.exe
        27⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703453.exe
        28⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703468.exe
        28⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702875.exe
        23⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702937.exe
        24⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702984.exe
        24⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703031.exe
        25⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703078.exe
        25⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702531.exe
        21⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702593.exe
        22⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702671.exe
        22⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702250.exe
        19⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701937.exe
        17⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701625.exe
        15⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701312.exe
        13⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701015.exe
        11⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700625.exe
        9⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
        7⤵
        Executes dropped EXE
        
        PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        5⤵
        Executes dropped EXE
        
        PID:2344
- - C:\Users\Admin\AppData\Local\Temp\tmp240680687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240680687.exe
    3⤵
    - Executes dropped EXE
    PID:3292

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3496
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\tmp240710625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240710625.exe
    3⤵
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\tmp240722718.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240722718.exe
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:4248
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\tmp240743156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240743156.exe
        6⤵
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\tmp240755062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755062.exe
        6⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755296.exe
        7⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755828.exe
        8⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755875.exe
        8⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755984.exe
        9⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756062.exe
        9⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756187.exe
        10⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756890.exe
        10⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767312.exe
        11⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767953.exe
        11⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768062.exe
        12⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240768171.exe
        12⤵
        
        PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\tmp240742953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240742953.exe
      4⤵
      PID:532
    - - C:\Users\Admin\AppData\Local\Temp\tmp240755203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755203.exe
        5⤵
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\tmp240755312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755312.exe
        5⤵
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\tmp240755812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240755812.exe
        6⤵
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\tmp240756000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756000.exe
        6⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756218.exe
        7⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756406.exe
        7⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756468.exe
        8⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756515.exe
        8⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756640.exe
        9⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756750.exe
        9⤵
        
        PID:2992

C:\Users\Admin\AppData\Local\Temp\tmp240755140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240755140.exe
1⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\tmp240755234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240755234.exe
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\tmp240755656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240755656.exe
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\tmp240755859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240755859.exe
  2⤵
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\tmp240755968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240755968.exe
    3⤵
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\tmp240756046.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240756046.exe
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\tmp240756343.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240756343.exe
      4⤵
      PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\tmp240756437.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240756437.exe
      4⤵
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\tmp240756625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756625.exe
        5⤵
        
        PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\tmp240756953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240756953.exe
        5⤵
        
        PID:920
      - C:\Users\Admin\AppData\Local\Temp\tmp240767343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767343.exe
        6⤵
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\tmp240767890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240767890.exe
        6⤵
        
        PID:848

C:\Users\Admin\AppData\Local\Temp\tmp240755265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240755265.exe
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240756500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240756500.exe
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671906.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240671906.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673218.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673218.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe

Filesize
136KB

MD5
1d68240da3810b695cf9abb8d104c35d

SHA1
4a7b85bc8d64d792a573268c9bfd561c790ee963

SHA256
941992f358a72746ee378afb79a77a320ccb1ef83e31ae34ad923d191a7964b8

SHA512
bbc913b8749cc6593ab50423246578638428177ef248fe93650bf8d82605f4f181d8a2369aa44f1c31d47493be59e1d7d1c78f6cd6562f5f36e83b9348de1b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe

Filesize
136KB

MD5
1d68240da3810b695cf9abb8d104c35d

SHA1
4a7b85bc8d64d792a573268c9bfd561c790ee963

SHA256
941992f358a72746ee378afb79a77a320ccb1ef83e31ae34ad923d191a7964b8

SHA512
bbc913b8749cc6593ab50423246578638428177ef248fe93650bf8d82605f4f181d8a2369aa44f1c31d47493be59e1d7d1c78f6cd6562f5f36e83b9348de1b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240677640.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
2f92beaead57b8575a0761f6239978ff

SHA1
cfe289e794c84ca668c85f93956f6a7c09f1bc2d

SHA256
f76b24c546f884035a55e85db6853cbf66c6ac4df9090643a622c763ab2b1fe5

SHA512
39ba66e1ca69b9663154a2e1c5eb7414c361ea909aa719fba860486047e4200f325c1e8de66801765d5a166628c979a602f37c5f577a9628d6825bb122737719

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/116-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-223-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1388-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1660-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2868-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2952-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3096-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3172-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3176-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3184-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3388-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3408-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3536-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3580-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3656-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3976-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4204-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4240-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4276-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4544-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download