2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178

Analysis

max time kernel
135s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
Size

6.3MB
MD5

e40bdc16e158210b2edc29d01fc47d3e
SHA1

729f151788505095d6751edb9557b0de0ac289b0
SHA256

2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178
SHA512

c92928044ee55c0e1f076100b973d586093edd6ed249d4d060feb344f8731b0aefaa91e50ad9c00547d817ef255ffa55668b5937b022aecb88043572cc367ab5
SSDEEP

24576:IDyTFtjtDyTFtjSDyTFtj4DyTFtjtDyTFtjSDyTFtjKDyTFtjtDyTFtjSDyTFtjx:BtGtztNtGtztrtGtztStGtzt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1820	tmp7121991.exe
1444	tmp7122085.exe
1252	tmp7122225.exe
1448	tmp7122288.exe
1776	notpad.exe
1752	tmp7122787.exe
1352	notpad.exe
552	tmp7122880.exe
240	tmp7122958.exe
944	tmp7123130.exe
1960	notpad.exe
1992	tmp7127186.exe
832	tmp7133426.exe
1804	tmp7125673.exe
320	notpad.exe
612	notpad.exe
1956	notpad.exe
836	tmp7137108.exe
1164	notpad.exe
1940	notpad.exe
1224	tmp7124284.exe
960	tmp7124362.exe
1244	tmp7134362.exe
956	tmp7126437.exe
1756	tmp7124581.exe
932	notpad.exe
1816	notpad.exe
2036	notpad.exe
1596	tmp7135080.exe
1752	notpad.exe
1656	tmp7132724.exe
1920	tmp7125018.exe
1480	notpad.exe
1944	tmp7126812.exe
2020	notpad.exe
1948	tmp7136109.exe
568	tmp7133208.exe
1128	tmp7133270.exe
1620	tmp7125454.exe
692	notpad.exe
708	tmp7136749.exe
1868	tmp7125579.exe
896	notpad.exe
1536	notpad.exe
792	tmp7125766.exe
1804	tmp7125673.exe
1928	tmp7131757.exe
1876	tmp7136936.exe
2012	notpad.exe
1788	tmp7125922.exe
1284	tmp7125985.exe
1452	tmp7126032.exe
1204	tmp7135064.exe
1556	tmp7137139.exe
368	tmp7126266.exe
1728	notpad.exe
1488	tmp7126375.exe
956	tmp7126437.exe
1700	tmp7137326.exe
1816	notpad.exe
1528	tmp7135282.exe
1484	notpad.exe
1464	tmp7126656.exe
2036	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015473-58.dat	upx
behavioral1/files/0x0008000000015473-61.dat	upx
behavioral1/files/0x0008000000015473-59.dat	upx
behavioral1/files/0x0008000000015473-62.dat	upx
behavioral1/memory/1444-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/368-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c70-77.dat	upx
behavioral1/files/0x0007000000015c70-78.dat	upx
behavioral1/files/0x0007000000015c70-81.dat	upx
behavioral1/files/0x0007000000015c70-80.dat	upx
behavioral1/files/0x0007000000015c70-90.dat	upx
behavioral1/files/0x0007000000015c70-93.dat	upx
behavioral1/files/0x0007000000015c70-91.dat	upx
behavioral1/files/0x0006000000015c60-87.dat	upx
behavioral1/files/0x0006000000015c60-108.dat	upx
behavioral1/memory/1352-111-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1776-98-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c70-113.dat	upx
behavioral1/files/0x0007000000015c70-115.dat	upx
behavioral1/files/0x0007000000015c70-112.dat	upx
behavioral1/files/0x0006000000015c60-121.dat	upx
behavioral1/memory/1960-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c70-133.dat	upx
behavioral1/files/0x0007000000015c70-129.dat	upx
behavioral1/files/0x0007000000015c70-127.dat	upx
behavioral1/memory/1960-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000015c60-141.dat	upx
behavioral1/files/0x0007000000015c70-149.dat	upx
behavioral1/memory/1804-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c70-150.dat	upx
behavioral1/files/0x0007000000015c70-152.dat	upx
behavioral1/memory/1956-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1164-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1244-171-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/932-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2036-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1656-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1128-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/692-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2012-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/896-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1204-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1728-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1700-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1484-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1784-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/240-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/524-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1996-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1216-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/640-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/640-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1288-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1744-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1304-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1012-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1392-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
1444	tmp7122085.exe
1444	tmp7122085.exe
1444	tmp7122085.exe
1444	tmp7122085.exe
1252	tmp7122225.exe
1252	tmp7122225.exe
1776	notpad.exe
1776	notpad.exe
1752	tmp7122787.exe
1752	tmp7122787.exe
1776	notpad.exe
1352	notpad.exe
1352	notpad.exe
1352	notpad.exe
240	notpad.exe
240	notpad.exe
1960	notpad.exe
1960	notpad.exe
1960	notpad.exe
1992	tmp7127186.exe
1992	tmp7136811.exe
1804	tmp7125673.exe
1804	tmp7125673.exe
1804	tmp7125673.exe
320	notpad.exe
320	notpad.exe
1956	notpad.exe
1956	notpad.exe
836	tmp7137108.exe
1956	notpad.exe
836	tmp7137108.exe
1164	notpad.exe
1164	notpad.exe
1164	notpad.exe
1224	tmp7124284.exe
1224	tmp7124284.exe
1244	tmp7134362.exe
1244	tmp7134362.exe
1244	tmp7134362.exe
956	tmp7126437.exe
956	tmp7126437.exe
932	notpad.exe
932	notpad.exe
1816	notpad.exe
1816	notpad.exe
932	notpad.exe
2036	notpad.exe
2036	notpad.exe
1752	notpad.exe
2036	notpad.exe
1752	notpad.exe
1656	tmp7132724.exe
1656	tmp7132724.exe
1656	tmp7132724.exe
1480	notpad.exe
1480	notpad.exe
2020	notpad.exe
2020	notpad.exe
2020	notpad.exe
1948	tmp7136109.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7127186.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7124284.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7136936.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136749.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7137326.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7137654.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7167122.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7137654.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7167824.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168417.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168776.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7134846.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7136218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168776.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122958.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7125579.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133176.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7131882.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7133582.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7165983.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7169946.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7182535.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7213813.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7122225.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122225.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136811.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7130025.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131882.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7132131.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7133130.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7212565.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136936.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7126375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136811.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133582.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7137123.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7136811.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7131882.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7135080.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7135080.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7135298.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7166436.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7213813.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122225.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7125454.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7125985.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166763.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7167824.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7167965.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7184017.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7133130.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7136749.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7166763.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166763.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7213252.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7259646.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7131757.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7132724.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7187168.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7213813.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7127186.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125454.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122958.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137326.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122225.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7171428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166763.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7210990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133270.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7209305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7259646.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124284.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134846.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1820	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	27
PID 368 wrote to memory of 1820	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	27
PID 368 wrote to memory of 1820	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	27
PID 368 wrote to memory of 1820	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	27
PID 368 wrote to memory of 1444	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	28
PID 368 wrote to memory of 1444	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	28
PID 368 wrote to memory of 1444	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	28
PID 368 wrote to memory of 1444	368	2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe	28
PID 1444 wrote to memory of 1252	1444	tmp7122085.exe	29
PID 1444 wrote to memory of 1252	1444	tmp7122085.exe	29
PID 1444 wrote to memory of 1252	1444	tmp7122085.exe	29
PID 1444 wrote to memory of 1252	1444	tmp7122085.exe	29
PID 1444 wrote to memory of 1448	1444	tmp7122085.exe	30
PID 1444 wrote to memory of 1448	1444	tmp7122085.exe	30
PID 1444 wrote to memory of 1448	1444	tmp7122085.exe	30
PID 1444 wrote to memory of 1448	1444	tmp7122085.exe	30
PID 1252 wrote to memory of 1776	1252	tmp7122225.exe	31
PID 1252 wrote to memory of 1776	1252	tmp7122225.exe	31
PID 1252 wrote to memory of 1776	1252	tmp7122225.exe	31
PID 1252 wrote to memory of 1776	1252	tmp7122225.exe	31
PID 1776 wrote to memory of 1752	1776	notpad.exe	32
PID 1776 wrote to memory of 1752	1776	notpad.exe	32
PID 1776 wrote to memory of 1752	1776	notpad.exe	32
PID 1776 wrote to memory of 1752	1776	notpad.exe	32
PID 1752 wrote to memory of 1352	1752	tmp7122787.exe	33
PID 1752 wrote to memory of 1352	1752	tmp7122787.exe	33
PID 1752 wrote to memory of 1352	1752	tmp7122787.exe	33
PID 1752 wrote to memory of 1352	1752	tmp7122787.exe	33
PID 1776 wrote to memory of 552	1776	notpad.exe	34
PID 1776 wrote to memory of 552	1776	notpad.exe	34
PID 1776 wrote to memory of 552	1776	notpad.exe	34
PID 1776 wrote to memory of 552	1776	notpad.exe	34
PID 1352 wrote to memory of 240	1352	notpad.exe	35
PID 1352 wrote to memory of 240	1352	notpad.exe	35
PID 1352 wrote to memory of 240	1352	notpad.exe	35
PID 1352 wrote to memory of 240	1352	notpad.exe	35
PID 1352 wrote to memory of 944	1352	notpad.exe	36
PID 1352 wrote to memory of 944	1352	notpad.exe	36
PID 1352 wrote to memory of 944	1352	notpad.exe	36
PID 1352 wrote to memory of 944	1352	notpad.exe	36
PID 240 wrote to memory of 1960	240	notpad.exe	37
PID 240 wrote to memory of 1960	240	notpad.exe	37
PID 240 wrote to memory of 1960	240	notpad.exe	37
PID 240 wrote to memory of 1960	240	notpad.exe	37
PID 1960 wrote to memory of 1992	1960	notpad.exe	100
PID 1960 wrote to memory of 1992	1960	notpad.exe	100
PID 1960 wrote to memory of 1992	1960	notpad.exe	100
PID 1960 wrote to memory of 1992	1960	notpad.exe	100
PID 1960 wrote to memory of 832	1960	tmp7133410.exe	141
PID 1960 wrote to memory of 832	1960	tmp7133410.exe	141
PID 1960 wrote to memory of 832	1960	tmp7133410.exe	141
PID 1960 wrote to memory of 832	1960	tmp7133410.exe	141
PID 1992 wrote to memory of 1804	1992	tmp7136811.exe	77
PID 1992 wrote to memory of 1804	1992	tmp7136811.exe	77
PID 1992 wrote to memory of 1804	1992	tmp7136811.exe	77
PID 1992 wrote to memory of 1804	1992	tmp7136811.exe	77
PID 1804 wrote to memory of 320	1804	tmp7125673.exe	175
PID 1804 wrote to memory of 320	1804	tmp7125673.exe	175
PID 1804 wrote to memory of 320	1804	tmp7125673.exe	175
PID 1804 wrote to memory of 320	1804	tmp7125673.exe	175
PID 1804 wrote to memory of 612	1804	tmp7125673.exe	142
PID 1804 wrote to memory of 612	1804	tmp7125673.exe	142
PID 1804 wrote to memory of 612	1804	tmp7125673.exe	142
PID 1804 wrote to memory of 612	1804	tmp7125673.exe	142

C:\Users\Admin\AppData\Local\Temp\2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe
"C:\Users\Admin\AppData\Local\Temp\2773a577876224b2beaed176a4a61d59ea5168df312148ed516c2505fa95d178.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\tmp7121991.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7121991.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\tmp7122085.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7122085.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122958.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122958.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123302.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123302.exe
        9⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123520.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123520.exe
        11⤵
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123972.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123972.exe
        13⤵
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124503.exe
        17⤵
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124706.exe
        19⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124862.exe
        21⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133208.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133208.exe
        24⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133130.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136047.exe
        22⤵
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136218.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136749.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136874.exe
        28⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136998.exe
        28⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137139.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137045.exe
        29⤵
        Modifies registry class
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        26⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136811.exe
        27⤵
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136936.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136936.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137310.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137310.exe
        31⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137654.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166061.exe
        34⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166280.exe
        34⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166436.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166748.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166748.exe
        37⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166795.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166795.exe
        37⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167122.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167824.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168105.exe
        42⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168277.exe
        42⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169291.exe
        43⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169727.exe
        43⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168027.exe
        40⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168417.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169946.exe
        43⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        45⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        47⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183300.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183300.exe
        47⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187168.exe
        50⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209305.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209305.exe
        52⤵
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212066.exe
        54⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212659.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212659.exe
        54⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213486.exe
        55⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213798.exe
        55⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209648.exe
        52⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210990.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210990.exe
        53⤵
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212565.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213392.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213392.exe
        57⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213813.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218259.exe
        60⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219726.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219726.exe
        60⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221676.exe
        61⤵
        
        PID:368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250817.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250817.exe
        63⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250942.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250942.exe
        63⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251909.exe
        64⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254374.exe
        64⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249834.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249834.exe
        61⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216372.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216372.exe
        58⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212706.exe
        55⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211271.exe
        53⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204765.exe
        50⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208993.exe
        51⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209477.exe
        51⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185858.exe
        48⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181786.exe
        45⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183346.exe
        46⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185671.exe
        46⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170289.exe
        43⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171428.exe
        44⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182878.exe
        46⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        46⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187870.exe
        47⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208962.exe
        47⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172099.exe
        44⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213252.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215763.exe
        46⤵
        
        PID:584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        48⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        50⤵
        
        PID:332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257119.exe
        52⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258024.exe
        54⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259646.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259646.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258383.exe
        54⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7258851.exe
        55⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259490.exe
        55⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7257603.exe
        52⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7259631.exe
        53⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250957.exe
        50⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256682.exe
        51⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254467.exe
        51⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220443.exe
        48⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221598.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221598.exe
        49⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250177.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250177.exe
        49⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216231.exe
        46⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216653.exe
        47⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219539.exe
        47⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169103.exe
        41⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        38⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166545.exe
        35⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        32⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136967.exe
        29⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136858.exe
        27⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        22⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125018.exe
        21⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124799.exe
        19⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124581.exe
        17⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        15⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131757.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131819.exe
        14⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131975.exe
        15⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131928.exe
        15⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        13⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131601.exe
        12⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131648.exe
        12⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123692.exe
        11⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133410.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133410.exe
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133442.exe
        12⤵
        
        PID:472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134534.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134534.exe
        15⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134783.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134783.exe
        15⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134861.exe
        16⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        16⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133598.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133598.exe
        13⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137014.exe
        14⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        13⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        9⤵
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133582.exe
        11⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
        13⤵
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        17⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135938.exe
        17⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136140.exe
        18⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135173.exe
        15⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135282.exe
        16⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134768.exe
        13⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135064.exe
        14⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134846.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        16⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        16⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136031.exe
        17⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136109.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134175.exe
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        15⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166046.exe
        15⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        16⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166186.exe
        16⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        13⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165983.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166311.exe
        16⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166607.exe
        16⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166763.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167309.exe
        19⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167512.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167512.exe
        19⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167965.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168152.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168152.exe
        22⤵
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168199.exe
        22⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170383.exe
        25⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        25⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182535.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182535.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184828.exe
        28⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185437.exe
        28⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185952.exe
        29⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208509.exe
        29⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        26⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169712.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169712.exe
        23⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168074.exe
        20⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166779.exe
        17⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166077.exe
        14⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126874.exe
        8⤵
        
        PID:424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127014.exe
        10⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126983.exe
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127233.exe
        12⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        13⤵
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128606.exe
        13⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123130.exe
        7⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        8⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136062.exe
        9⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
        8⤵
        
        PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122880.exe
        5⤵
        Executes dropped EXE
        
        PID:552
- - C:\Users\Admin\AppData\Local\Temp\tmp7122288.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7122288.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\tmp7132116.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7132116.exe
      4⤵
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
      4⤵
      PID:944

C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
1⤵
PID:1480
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\tmp7125314.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7125314.exe
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\tmp7125454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125454.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125735.exe
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125922.exe
        11⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125766.exe
        9⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125673.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\tmp7125501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125501.exe
        5⤵
        
        PID:708
- - C:\Users\Admin\AppData\Local\Temp\tmp7125392.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7125392.exe
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133254.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133254.exe
      4⤵
      Modifies registry class
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
      4⤵
      PID:936

C:\Users\Admin\AppData\Local\Temp\tmp7125220.exe
C:\Users\Admin\AppData\Local\Temp\tmp7125220.exe
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp7125876.exe
C:\Users\Admin\AppData\Local\Temp\tmp7125876.exe
1⤵
PID:1876
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\tmp7125985.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7125985.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1284
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126156.exe
        5⤵
        
        PID:1556
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126375.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126266.exe
        5⤵
        Executes dropped EXE
        
        PID:368
- - C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\tmp7132131.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7132131.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:1732
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\tmp7133005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133005.exe
        6⤵
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\tmp7132724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132724.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\tmp7132209.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7132209.exe
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\tmp7131882.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131882.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp7126546.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126546.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp7126531.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126531.exe
1⤵
PID:1816
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tmp7126656.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126656.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1464
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126796.exe
        5⤵
        Modifies registry class
        
        PID:1764
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126890.exe
        7⤵
        
        PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126812.exe
        5⤵
        Executes dropped EXE
        
        PID:1944
    - - C:\Users\Admin\AppData\Local\Temp\tmp7133176.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133176.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:424
    - - C:\Users\Admin\AppData\Local\Temp\tmp7133223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133223.exe
        5⤵
        
        PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tmp7126671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126671.exe
    3⤵
    PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1992
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\tmp7131679.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131679.exe
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\tmp7130025.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7130025.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:472

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\tmp7132272.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7132272.exe
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\tmp7132474.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7132474.exe
  2⤵
  PID:1784

C:\Users\Admin\AppData\Local\Temp\tmp7132038.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132038.exe
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\tmp7132178.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7132178.exe
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
  2⤵
  PID:900

C:\Users\Admin\AppData\Local\Temp\tmp7131944.exe
C:\Users\Admin\AppData\Local\Temp\tmp7131944.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\tmp7131804.exe
C:\Users\Admin\AppData\Local\Temp\tmp7131804.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\tmp7134362.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7134362.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\tmp7134300.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7134300.exe
  2⤵
  PID:836

C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\tmp7133270.exe
C:\Users\Admin\AppData\Local\Temp\tmp7133270.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1128
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:612

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\tmp7133286.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133286.exe
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\tmp7133488.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7133488.exe
    3⤵
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\tmp7133426.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7133426.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:832

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\tmp7137342.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7137342.exe
  2⤵
  PID:592
- C:\Users\Admin\AppData\Local\Temp\tmp7137638.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7137638.exe
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\tmp7162068.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7162068.exe
    3⤵
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\tmp7165781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7165781.exe
    3⤵
    PID:1136

C:\Users\Admin\AppData\Local\Temp\tmp7137123.exe
C:\Users\Admin\AppData\Local\Temp\tmp7137123.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1168

C:\Users\Admin\AppData\Local\Temp\tmp7257369.exe
C:\Users\Admin\AppData\Local\Temp\tmp7257369.exe
1⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp7257509.exe
C:\Users\Admin\AppData\Local\Temp\tmp7257509.exe
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\tmp7257977.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7257977.exe
  2⤵
  PID:564
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\tmp7259756.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7259756.exe
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\tmp7260582.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7260582.exe
      4⤵
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\tmp7261503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261503.exe
        5⤵
        
        PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\tmp7268523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7268523.exe
        5⤵
        
        PID:1636
- C:\Users\Admin\AppData\Local\Temp\tmp7258757.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7258757.exe
  2⤵
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7121991.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122085.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122085.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122225.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122288.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122880.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122958.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7122958.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123130.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123302.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123302.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123520.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123520.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7123692.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
ad8132ed4ac5195938c7d99dad6b691e

SHA1
43e28607b3be40758fc7aad0b16074c45ada6a9e

SHA256
3856bd44cd77b3673ee8abeca3305d37c1f682a699913211d6643677d3a52237

SHA512
d9acbc88c33a8901761fb4469c710e49d02d4b86d9a1657e467b9b11752c52ebcc1f72df2eab09c7ebf3b45da8db9a1758e3816b1cac6e782c48939e40d8da36

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121991.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121991.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122085.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122085.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122225.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122225.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122288.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122288.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122787.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122787.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122880.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122958.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7122958.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123130.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123302.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123302.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123395.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123520.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123520.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123692.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123972.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7123972.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
memory/240-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/240-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/320-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/612-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/780-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-327-0x00000000020D0000-0x00000000020EF000-memory.dmp

Filesize
124KB

Download
memory/896-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/912-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1012-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1012-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1128-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1152-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1244-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1392-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1392-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1444-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1656-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-64-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1880-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-132-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/1992-135-0x00000000003E0000-0x00000000003ED000-memory.dmp

Filesize
52KB

Download
memory/1996-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download