83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
Size

4.8MB
MD5

6c6363defccd56b8422d6cac8884d744
SHA1

f83d632bd30f53c2eed2b0983ce2544107c96bcf
SHA256

83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c
SHA512

3b84d224f9282da279165db04a8b5544e37e1b417be3409aa10e8feb3f99936efdd783e67986b1f7df212ea2253af9ba3d4a2492b967aa661d29c083fc6e5408
SSDEEP

24576:DDyTFtjeDyo1tjbDyTFtjeDyo1tjVDyTFtjeDyo1tjyDyTFtjeDyo1tjeDyTFtjQ:MtktQtkt2tktrtkt3tktDtktvtkt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
768	tmp7112085.exe
2012	tmp7112241.exe
1336	tmp7112600.exe
1008	tmp7113146.exe
784	tmp7113442.exe
1116	notpad.exe
1396	tmp7113676.exe
1152	tmp7114019.exe
1684	tmp7114690.exe
1504	tmp7114659.exe
1596	notpad.exe
1988	tmp7139557.exe
1176	tmp7135111.exe
1560	tmp7149541.exe
1996	tmp7135329.exe
552	notpad.exe
1340	tmp7135735.exe
956	tmp7148090.exe
1976	tmp7136078.exe
1328	notpad.exe
1760	notpad.exe
1616	tmp7140118.exe
1788	tmp7144720.exe
960	tmp7136905.exe
828	notpad.exe
1692	tmp7143753.exe
1008	tmp7144814.exe
1636	tmp7137716.exe
592	tmp7137607.exe
1532	tmp7137841.exe
1516	notpad.exe
528	tmp7138153.exe
1588	tmp7138215.exe
1120	tmp7138356.exe
532	tmp7138480.exe
1744	tmp7138465.exe
1964	tmp7147997.exe
1580	notpad.exe
1828	tmp7138902.exe
1812	notpad.exe
1316	tmp7147919.exe
1176	tmp7135111.exe
1988	tmp7139557.exe
272	tmp7139370.exe
2012	tmp7139510.exe
1604	notpad.exe
1560	tmp7149541.exe
968	tmp7139666.exe
1348	tmp7139900.exe
1404	notpad.exe
596	tmp7140025.exe
1268	tmp7140228.exe
1700	tmp7140508.exe
1616	tmp7140118.exe
280	tmp7140462.exe
1308	notpad.exe
1116	tmp7143613.exe
1068	tmp7140742.exe
1788	tmp7144720.exe
1692	tmp7143753.exe
1332	tmp7144767.exe
1860	notpad.exe
1724	tmp7145578.exe
1008	tmp7144814.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/968-59-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000012302-60.dat	upx
behavioral1/files/0x000a000000012302-63.dat	upx
behavioral1/files/0x000a000000012302-61.dat	upx
behavioral1/memory/968-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000012302-65.dat	upx
behavioral1/files/0x000900000001231e-68.dat	upx
behavioral1/files/0x0009000000012322-73.dat	upx
behavioral1/memory/2012-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000012322-78.dat	upx
behavioral1/files/0x0009000000012322-76.dat	upx
behavioral1/files/0x0009000000012322-74.dat	upx
behavioral1/files/0x000900000001231e-87.dat	upx
behavioral1/files/0x000800000001232f-89.dat	upx
behavioral1/files/0x000800000001232f-91.dat	upx
behavioral1/files/0x000800000001232f-88.dat	upx
behavioral1/files/0x000900000001231e-86.dat	upx
behavioral1/memory/1008-96-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1396-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1116-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001231e-83.dat	upx
behavioral1/memory/1008-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000800000001232f-100.dat	upx
behavioral1/files/0x0008000000012317-104.dat	upx
behavioral1/memory/1116-110-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1396-117-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a00000001231e-118.dat	upx
behavioral1/files/0x000a00000001231e-122.dat	upx
behavioral1/files/0x000a00000001231e-121.dat	upx
behavioral1/files/0x00070000000126f1-123.dat	upx
behavioral1/files/0x00070000000126f1-126.dat	upx
behavioral1/memory/1396-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000126f1-129.dat	upx
behavioral1/files/0x0008000000012317-134.dat	upx
behavioral1/files/0x0007000000012758-141.dat	upx
behavioral1/files/0x000a00000001231e-155.dat	upx
behavioral1/memory/1988-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000800000001311a-158.dat	upx
behavioral1/memory/1560-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/552-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/956-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/828-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/956-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/828-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1788-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1008-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/592-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1588-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1964-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1828-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2012-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2012-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1516-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1404-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1268-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1788-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000800000001311a-157.dat	upx
behavioral1/memory/1988-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1560-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
2012	tmp7112241.exe
768	tmp7112085.exe
2012	tmp7112241.exe
2012	tmp7112241.exe
2012	tmp7112241.exe
1008	tmp7113146.exe
1008	tmp7113146.exe
768	tmp7112085.exe
1008	tmp7113146.exe
1008	tmp7113146.exe
1116	notpad.exe
1116	notpad.exe
1116	notpad.exe
1396	tmp7113676.exe
1396	tmp7113676.exe
1152	tmp7114019.exe
1152	tmp7114019.exe
1396	tmp7113676.exe
1396	tmp7113676.exe
1596	notpad.exe
1596	notpad.exe
1596	notpad.exe
1988	tmp7139557.exe
1596	notpad.exe
1988	tmp7139557.exe
1176	tmp7135111.exe
1176	tmp7135111.exe
1988	tmp7139557.exe
1988	tmp7139557.exe
1560	tmp7149541.exe
1560	tmp7149541.exe
552	notpad.exe
552	notpad.exe
1560	tmp7149541.exe
1340	tmp7135735.exe
1340	tmp7135735.exe
552	notpad.exe
956	tmp7148090.exe
552	notpad.exe
956	tmp7148090.exe
1760	notpad.exe
1760	notpad.exe
1616	tmp7140118.exe
1616	tmp7140118.exe
1788	tmp7144720.exe
1788	tmp7144720.exe
956	tmp7148090.exe
956	tmp7148090.exe
828	notpad.exe
828	notpad.exe
1760	notpad.exe
1760	notpad.exe
1788	tmp7144720.exe
1692	tmp7143753.exe
1692	tmp7143753.exe
1008	tmp7144814.exe
1008	tmp7144814.exe
828	notpad.exe
828	notpad.exe
592	tmp7137607.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147919.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7140025.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168979.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7215826.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7216434.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7217433.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7253188.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7256480.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7114019.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7137716.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7149541.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7139900.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7170398.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7217433.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7164564.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7214297.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7257026.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7148433.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7149619.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7149619.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176108.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7229523.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7214297.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7140118.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7138465.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7138465.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7164564.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7164564.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7167512.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147404.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146717.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147451.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7174267.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7139900.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7148433.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7165874.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7175250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7258008.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7178526.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7214983.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7214983.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7217667.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7228883.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7114019.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146717.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7212347.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7253188.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7257026.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7135111.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7167512.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168979.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7213236.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7112085.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7135735.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7164408.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7216434.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7257026.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143753.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147404.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7170398.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7212347.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7214297.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7256480.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7143753.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	532	WerFault.exe	53

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7215826.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7256480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7214983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7217667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7112085.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216434.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7253188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7255590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7228883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7229523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7170398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7214297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7176108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7217433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7257026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114019.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137716.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 768	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	28
PID 968 wrote to memory of 768	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	28
PID 968 wrote to memory of 768	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	28
PID 968 wrote to memory of 768	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	28
PID 968 wrote to memory of 2012	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	29
PID 968 wrote to memory of 2012	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	29
PID 968 wrote to memory of 2012	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	29
PID 968 wrote to memory of 2012	968	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	29
PID 2012 wrote to memory of 1336	2012	tmp7112241.exe	31
PID 2012 wrote to memory of 1336	2012	tmp7112241.exe	31
PID 2012 wrote to memory of 1336	2012	tmp7112241.exe	31
PID 2012 wrote to memory of 1336	2012	tmp7112241.exe	31
PID 2012 wrote to memory of 1008	2012	tmp7112241.exe	32
PID 2012 wrote to memory of 1008	2012	tmp7112241.exe	32
PID 2012 wrote to memory of 1008	2012	tmp7112241.exe	32
PID 2012 wrote to memory of 1008	2012	tmp7112241.exe	32
PID 1008 wrote to memory of 784	1008	tmp7113146.exe	33
PID 1008 wrote to memory of 784	1008	tmp7113146.exe	33
PID 1008 wrote to memory of 784	1008	tmp7113146.exe	33
PID 1008 wrote to memory of 784	1008	tmp7113146.exe	33
PID 768 wrote to memory of 1116	768	tmp7112085.exe	30
PID 768 wrote to memory of 1116	768	tmp7112085.exe	30
PID 768 wrote to memory of 1116	768	tmp7112085.exe	30
PID 768 wrote to memory of 1116	768	tmp7112085.exe	30
PID 1008 wrote to memory of 1396	1008	tmp7113146.exe	34
PID 1008 wrote to memory of 1396	1008	tmp7113146.exe	34
PID 1008 wrote to memory of 1396	1008	tmp7113146.exe	34
PID 1008 wrote to memory of 1396	1008	tmp7113146.exe	34
PID 1116 wrote to memory of 1152	1116	notpad.exe	35
PID 1116 wrote to memory of 1152	1116	notpad.exe	35
PID 1116 wrote to memory of 1152	1116	notpad.exe	35
PID 1116 wrote to memory of 1152	1116	notpad.exe	35
PID 1116 wrote to memory of 1684	1116	notpad.exe	36
PID 1116 wrote to memory of 1684	1116	notpad.exe	36
PID 1116 wrote to memory of 1684	1116	notpad.exe	36
PID 1116 wrote to memory of 1684	1116	notpad.exe	36
PID 1396 wrote to memory of 1504	1396	tmp7113676.exe	37
PID 1396 wrote to memory of 1504	1396	tmp7113676.exe	37
PID 1396 wrote to memory of 1504	1396	tmp7113676.exe	37
PID 1396 wrote to memory of 1504	1396	tmp7113676.exe	37
PID 1152 wrote to memory of 1596	1152	tmp7114019.exe	82
PID 1152 wrote to memory of 1596	1152	tmp7114019.exe	82
PID 1152 wrote to memory of 1596	1152	tmp7114019.exe	82
PID 1152 wrote to memory of 1596	1152	tmp7114019.exe	82
PID 1396 wrote to memory of 1988	1396	tmp7113676.exe	70
PID 1396 wrote to memory of 1988	1396	tmp7113676.exe	70
PID 1396 wrote to memory of 1988	1396	tmp7113676.exe	70
PID 1396 wrote to memory of 1988	1396	tmp7113676.exe	70
PID 1596 wrote to memory of 1176	1596	notpad.exe	81
PID 1596 wrote to memory of 1176	1596	notpad.exe	81
PID 1596 wrote to memory of 1176	1596	notpad.exe	81
PID 1596 wrote to memory of 1176	1596	notpad.exe	81
PID 1988 wrote to memory of 1996	1988	tmp7139557.exe	39
PID 1988 wrote to memory of 1996	1988	tmp7139557.exe	39
PID 1988 wrote to memory of 1996	1988	tmp7139557.exe	39
PID 1988 wrote to memory of 1996	1988	tmp7139557.exe	39
PID 1596 wrote to memory of 1560	1596	notpad.exe	114
PID 1596 wrote to memory of 1560	1596	notpad.exe	114
PID 1596 wrote to memory of 1560	1596	notpad.exe	114
PID 1596 wrote to memory of 1560	1596	notpad.exe	114
PID 1176 wrote to memory of 552	1176	tmp7135111.exe	80
PID 1176 wrote to memory of 552	1176	tmp7135111.exe	80
PID 1176 wrote to memory of 552	1176	tmp7135111.exe	80
PID 1176 wrote to memory of 552	1176	tmp7135111.exe	80

C:\Users\Admin\AppData\Local\Temp\83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
"C:\Users\Admin\AppData\Local\Temp\83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\tmp7112085.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112085.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\tmp7114019.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7114019.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\tmp7114690.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7114690.exe
      4⤵
      Executes dropped EXE
      PID:1684
- C:\Users\Admin\AppData\Local\Temp\tmp7112241.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112241.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\tmp7112600.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7112600.exe
    3⤵
    - Executes dropped EXE
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113442.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113442.exe
      4⤵
      Executes dropped EXE
      PID:784
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113676.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113676.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\tmp7114659.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114659.exe
        5⤵
        Executes dropped EXE
        
        PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe
        5⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\tmp7135329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135329.exe
        6⤵
        Executes dropped EXE
        
        PID:1996
- - C:\Users\Admin\AppData\Local\Temp\tmp7140025.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7140025.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:596
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\tmp7144814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144814.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\tmp7147170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147170.exe
        5⤵
        
        PID:988
      - C:\Users\Admin\AppData\Local\Temp\tmp7147451.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147451.exe
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148745.exe
        8⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        8⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164408.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165874.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        13⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        13⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168979.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170398.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170398.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173893.exe
        18⤵
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175109.exe
        20⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175390.exe
        20⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178448.exe
        23⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180086.exe
        23⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180445.exe
        24⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210927.exe
        24⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177699.exe
        21⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174673.exe
        18⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175250.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176576.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176576.exe
        21⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177918.exe
        21⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178526.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180398.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180398.exe
        24⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212441.exe
        26⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212799.exe
        26⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213236.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214297.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215046.exe
        31⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215592.exe
        31⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215966.exe
        32⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216341.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216341.exe
        32⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214562.exe
        29⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214983.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215826.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216590.exe
        34⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217074.exe
        34⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217667.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229429.exe
        37⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229866.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229866.exe
        37⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253188.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256480.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257837.exe
        42⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258554.exe
        42⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257384.exe
        40⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258008.exe
        41⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260052.exe
        43⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258601.exe
        41⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254888.exe
        38⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228633.exe
        35⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216107.exe
        32⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216434.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217433.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228446.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228446.exe
        37⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229070.exe
        37⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229523.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255341.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255341.exe
        40⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255824.exe
        40⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257026.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259568.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259568.exe
        43⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260005.exe
        43⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257696.exe
        41⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240864.exe
        38⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227994.exe
        35⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228883.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240926.exe
        38⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254810.exe
        38⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255590.exe
        39⤵
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257072.exe
        41⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257743.exe
        41⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258570.exe
        42⤵
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256058.exe
        39⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229569.exe
        36⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216777.exe
        33⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215420.exe
        30⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213517.exe
        27⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210771.exe
        24⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213330.exe
        27⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213782.exe
        27⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214531.exe
        28⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214874.exe
        28⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212628.exe
        25⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179852.exe
        22⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175640.exe
        19⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170804.exe
        16⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174267.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174267.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175827.exe
        19⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176014.exe
        19⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176607.exe
        20⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177871.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177871.exe
        20⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175187.exe
        17⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169509.exe
        14⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166795.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166795.exe
        11⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167731.exe
        12⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        12⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164673.exe
        9⤵
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\tmp7148075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148075.exe
        6⤵
        
        PID:1772
- - C:\Users\Admin\AppData\Local\Temp\tmp7140508.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7140508.exe
    3⤵
    - Executes dropped EXE
    PID:1700

C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\tmp7135735.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7135735.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1340
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\tmp7136905.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7136905.exe
      4⤵
      Executes dropped EXE
      PID:960
  - - C:\Users\Admin\AppData\Local\Temp\tmp7137607.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7137607.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:592
- C:\Users\Admin\AppData\Local\Temp\tmp7136343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7136343.exe
  2⤵
  PID:1328

C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7136702.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136702.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\tmp7137529.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7137529.exe
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tmp7138465.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7138465.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:1744
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\tmp7139572.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139572.exe
        6⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140462.exe
        8⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145578.exe
        9⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147201.exe
        9⤵
        
        PID:784
      - C:\Users\Admin\AppData\Local\Temp\tmp7140118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140118.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143613.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146717.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        9⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147997.exe
        10⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
        10⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\tmp7138902.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7138902.exe
      4⤵
      Executes dropped EXE
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139666.exe
        5⤵
        Executes dropped EXE
        
        PID:968
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139370.exe
        5⤵
        Executes dropped EXE
        
        PID:272
- C:\Users\Admin\AppData\Local\Temp\tmp7137841.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7137841.exe
  2⤵
  - Executes dropped EXE
  PID:1532

C:\Users\Admin\AppData\Local\Temp\tmp7136530.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136530.exe
1⤵
PID:1616
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\tmp7138215.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7138215.exe
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\tmp7137716.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7137716.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1636

C:\Users\Admin\AppData\Local\Temp\tmp7137388.exe
C:\Users\Admin\AppData\Local\Temp\tmp7137388.exe
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\tmp7138480.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7138480.exe
  2⤵
  - Executes dropped EXE
  PID:532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 36
    3⤵
    - Program crash
    PID:2032
- C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
  2⤵
  - Executes dropped EXE
  PID:528

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmp7139510.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7139510.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\tmp7139120.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7139120.exe
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:552

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1604
- C:\Users\Admin\AppData\Local\Temp\tmp7139900.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7139900.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1348
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\tmp7147404.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7147404.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:860
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\tmp7148433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148433.exe
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149619.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164564.exe
        10⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165968.exe
        12⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166498.exe
        12⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167512.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167512.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
        15⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169868.exe
        15⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170601.exe
        16⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173222.exe
        16⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167949.exe
        13⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        10⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166342.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166342.exe
        11⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166717.exe
        11⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
        8⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164517.exe
        9⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165172.exe
        9⤵
        
        PID:2044
      - C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        6⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164111.exe
        7⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
        7⤵
        
        PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
      4⤵
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\tmp7148090.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148090.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:956
    - - C:\Users\Admin\AppData\Local\Temp\tmp7149447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149447.exe
        5⤵
        
        PID:768
- C:\Users\Admin\AppData\Local\Temp\tmp7140228.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7140228.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\tmp7140742.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7140742.exe
    3⤵
    - Executes dropped EXE
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\tmp7144767.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7144767.exe
    3⤵
    - Executes dropped EXE
    PID:1332

C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
  2⤵
  PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmp7138746.exe
C:\Users\Admin\AppData\Local\Temp\tmp7138746.exe
1⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\tmp7138356.exe
C:\Users\Admin\AppData\Local\Temp\tmp7138356.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe
C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1680
- C:\Users\Admin\AppData\Local\Temp\tmp7147513.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7147513.exe
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\tmp7147919.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7147919.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\tmp7148683.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7148683.exe
    3⤵
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\tmp7149541.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7149541.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7112085.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112085.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112241.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112241.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112600.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113146.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113442.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113676.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113676.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114019.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114019.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114659.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114690.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135329.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112085.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112085.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112241.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112241.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112600.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112600.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113146.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113146.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113442.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113442.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113676.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113676.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114019.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114019.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114659.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114659.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114690.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121508.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121508.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135111.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135111.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135329.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135329.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135345.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135345.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135657.exe

Filesize
1.5MB

MD5
1744564400bb38e7615e051789b0adca

SHA1
85a27508e97f59e25b70535b8b4f8868710f685c

SHA256
abd6f5240021b2f3a4041eca66630df7601de507c803455bb3c9387ae0cd79e7

SHA512
b9483d6d291a56954a1eb1b189566c3fb50ef0551268901b4ec5268521bfea5bfe4e77b56983adafa3a2162a02b98457c87a79f14121ae6ae7e0ffc92cc527b6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135657.exe

Filesize
1.5MB

MD5
1744564400bb38e7615e051789b0adca

SHA1
85a27508e97f59e25b70535b8b4f8868710f685c

SHA256
abd6f5240021b2f3a4041eca66630df7601de507c803455bb3c9387ae0cd79e7

SHA512
b9483d6d291a56954a1eb1b189566c3fb50ef0551268901b4ec5268521bfea5bfe4e77b56983adafa3a2162a02b98457c87a79f14121ae6ae7e0ffc92cc527b6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135735.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
862KB

MD5
8b6a4f9bc23b51c743c26fe650880b2f

SHA1
ca28477b54e54aa380b7480330161d3f969e9859

SHA256
e89c25ec53fa04816a5e689b4d7b0055d3a64e8f80e9adf305a6c9f6faae2735

SHA512
610d301346678de4ed86b63c111058085889eef76924ba091da8e73842f77602eaca71497bb067281400357f992fa11641d612644494913ba3d342c2340e301a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.5MB

MD5
c3814c97b2eb11340eecd3e08e9e0c70

SHA1
9198ba38a118520537612f900b43d33bcc1ea660

SHA256
a99cd3de1351a2c70432f55196489df08c8ef167a76d35881cf321b10698904e

SHA512
8c2c2a781034941d08e035258d231fb6f1dffc7c47732df6b85606bff952a3eade1375a63f3687579b10150780d46dcd4766a01356745ce5b33bd363af38e8ab

Download Submit
memory/532-230-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/552-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/768-58-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/828-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/828-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-181-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/968-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/988-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/988-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-93-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1008-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-94-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1116-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-156-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/1208-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1268-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1268-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1308-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1396-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1396-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1396-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-258-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1516-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-278-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1580-282-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1580-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1588-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-147-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1596-146-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1604-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-245-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/1812-244-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/1812-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download