de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71

Analysis

max time kernel
29s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe
Size

6.2MB
MD5

6c143e5c13f24723fd6b3a64bae266cd
SHA1

f2b39aa438774641c45292f63783eb4b16ae0b23
SHA256

de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71
SHA512

9a4e8d595a958dbfd8cedb1dfe10161ea6fabb37c799477a434d81683deee311c65295a9f61a398c714d299e8020af612e0639568c6e90ba1efc7044ad73ee64
SSDEEP

196608:x0JEp0JEq0JEc0JEp0JEq0JEy0JEp0JEq0JEl0JEp0JEq0JE:x0JEp0JEq0JEc0JEp0JEq0JEy0JEp0J

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2260	tmp240580281.exe
2784	tmp240585078.exe
3624	tmp240589312.exe
1644	tmp240589453.exe
2292	notpad.exe
1700	tmp240589546.exe
2720	tmp240591250.exe
1756	tmp240589625.exe
3800	notpad.exe
4632	tmp240591593.exe
100	tmp240591578.exe
1764	tmp240591937.exe
3332	tmp240623921.exe
3464	tmp240636921.exe
2788	notpad.exe
3456	tmp240592531.exe
1124	tmp240594765.exe
3900	tmp240620421.exe
456	tmp240648203.exe
4692	notpad.exe
392	tmp240596765.exe
4848	tmp240596984.exe
4780	tmp240676296.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5076-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df5-138.dat	upx
behavioral2/files/0x0002000000022df5-137.dat	upx
behavioral2/memory/2784-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5076-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-146.dat	upx
behavioral2/files/0x0004000000022df8-150.dat	upx
behavioral2/files/0x0004000000022df8-149.dat	upx
behavioral2/memory/2784-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2292-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1644-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-145.dat	upx
behavioral2/files/0x0002000000022df6-156.dat	upx
behavioral2/files/0x0004000000022df8-166.dat	upx
behavioral2/memory/1644-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0004000000022df8-188.dat	upx
behavioral2/memory/3800-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2720-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2788-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df6-176.dat	upx
behavioral2/memory/2292-171-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2720-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3800-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e00-161.dat	upx
behavioral2/files/0x0001000000022e00-160.dat	upx
behavioral2/memory/2788-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0004000000022df8-200.dat	upx
behavioral2/files/0x0002000000022df6-194.dat	upx
behavioral2/memory/3900-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df6-205.dat	upx
behavioral2/memory/4692-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0004000000022df8-208.dat	upx
behavioral2/memory/4692-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0004000000022df8-222.dat	upx
behavioral2/files/0x0002000000022df6-229.dat	upx
behavioral2/memory/1472-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e1f-233.dat	upx
behavioral2/files/0x0002000000022df6-237.dat	upx
behavioral2/files/0x0001000000022e23-241.dat	upx
behavioral2/files/0x0001000000022e1f-244.dat	upx
behavioral2/memory/4800-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1476-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4320-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e23-240.dat	upx
behavioral2/files/0x0001000000022e1f-232.dat	upx
behavioral2/files/0x0002000000022df6-216.dat	upx
behavioral2/memory/3900-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4320-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1476-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1196-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4636-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2480-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1800-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4976-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2108-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4080-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2480-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1800-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4636-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4080-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1552-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1552-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3616-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5040-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240580281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240589546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240591578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240592531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240648203.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240591578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240592531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240596984.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240580281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240589546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240591578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240591578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240592531.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240592531.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240580281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240580281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240580281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240589546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240596984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1260	1764	WerFault.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240591578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240592531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580281.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2260	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	81
PID 5076 wrote to memory of 2260	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	81
PID 5076 wrote to memory of 2260	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	81
PID 5076 wrote to memory of 2784	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	82
PID 5076 wrote to memory of 2784	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	82
PID 5076 wrote to memory of 2784	5076	de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe	82
PID 2784 wrote to memory of 3624	2784	tmp240585078.exe	85
PID 2784 wrote to memory of 3624	2784	tmp240585078.exe	85
PID 2784 wrote to memory of 3624	2784	tmp240585078.exe	85
PID 2784 wrote to memory of 1644	2784	tmp240585078.exe	83
PID 2784 wrote to memory of 1644	2784	tmp240585078.exe	83
PID 2784 wrote to memory of 1644	2784	tmp240585078.exe	83
PID 2260 wrote to memory of 2292	2260	tmp240580281.exe	84
PID 2260 wrote to memory of 2292	2260	tmp240580281.exe	84
PID 2260 wrote to memory of 2292	2260	tmp240580281.exe	84
PID 1644 wrote to memory of 1700	1644	notpad.exe	97
PID 1644 wrote to memory of 1700	1644	notpad.exe	97
PID 1644 wrote to memory of 1700	1644	notpad.exe	97
PID 2292 wrote to memory of 1756	2292	notpad.exe	86
PID 2292 wrote to memory of 1756	2292	notpad.exe	86
PID 2292 wrote to memory of 1756	2292	notpad.exe	86
PID 1644 wrote to memory of 2720	1644	notpad.exe	96
PID 1644 wrote to memory of 2720	1644	notpad.exe	96
PID 1644 wrote to memory of 2720	1644	notpad.exe	96
PID 1700 wrote to memory of 3800	1700	tmp240589546.exe	234
PID 1700 wrote to memory of 3800	1700	tmp240589546.exe	234
PID 1700 wrote to memory of 3800	1700	tmp240589546.exe	234
PID 2292 wrote to memory of 4632	2292	notpad.exe	87
PID 2292 wrote to memory of 4632	2292	notpad.exe	87
PID 2292 wrote to memory of 4632	2292	notpad.exe	87
PID 2720 wrote to memory of 100	2720	tmp240591250.exe	94
PID 2720 wrote to memory of 100	2720	tmp240591250.exe	94
PID 2720 wrote to memory of 100	2720	tmp240591250.exe	94
PID 2720 wrote to memory of 1764	2720	tmp240591250.exe	93
PID 2720 wrote to memory of 1764	2720	tmp240591250.exe	93
PID 2720 wrote to memory of 1764	2720	tmp240591250.exe	93
PID 3800 wrote to memory of 3332	3800	notpad.exe	192
PID 3800 wrote to memory of 3332	3800	notpad.exe	192
PID 3800 wrote to memory of 3332	3800	notpad.exe	192
PID 3800 wrote to memory of 3464	3800	notpad.exe	236
PID 3800 wrote to memory of 3464	3800	notpad.exe	236
PID 3800 wrote to memory of 3464	3800	notpad.exe	236
PID 100 wrote to memory of 2788	100	tmp240591578.exe	89
PID 100 wrote to memory of 2788	100	tmp240591578.exe	89
PID 100 wrote to memory of 2788	100	tmp240591578.exe	89
PID 2788 wrote to memory of 3456	2788	notpad.exe	98
PID 2788 wrote to memory of 3456	2788	notpad.exe	98
PID 2788 wrote to memory of 3456	2788	notpad.exe	98
PID 2788 wrote to memory of 1124	2788	notpad.exe	99
PID 2788 wrote to memory of 1124	2788	notpad.exe	99
PID 2788 wrote to memory of 1124	2788	notpad.exe	99
PID 3456 wrote to memory of 3900	3456	tmp240592531.exe	158
PID 3456 wrote to memory of 3900	3456	tmp240592531.exe	158
PID 3456 wrote to memory of 3900	3456	tmp240592531.exe	158
PID 3900 wrote to memory of 456	3900	tmp240620421.exe	251
PID 3900 wrote to memory of 456	3900	tmp240620421.exe	251
PID 3900 wrote to memory of 456	3900	tmp240620421.exe	251
PID 456 wrote to memory of 4692	456	tmp240648203.exe	101
PID 456 wrote to memory of 4692	456	tmp240648203.exe	101
PID 456 wrote to memory of 4692	456	tmp240648203.exe	101
PID 3900 wrote to memory of 392	3900	tmp240697390.exe	112
PID 3900 wrote to memory of 392	3900	tmp240697390.exe	112
PID 3900 wrote to memory of 392	3900	tmp240697390.exe	112
PID 4692 wrote to memory of 4848	4692	notpad.exe	111

C:\Users\Admin\AppData\Local\Temp\de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe
"C:\Users\Admin\AppData\Local\Temp\de8acee35b6f5d45be397195d3ac8e3ba30379c27faab952824f1d382bc98c71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\tmp240580281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240580281.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe
      4⤵
      Executes dropped EXE
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
      4⤵
      Executes dropped EXE
      PID:4632
- C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe
    3⤵
    - Executes dropped EXE
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\tmp240589546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240589546.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\tmp240589312.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589312.exe
    3⤵
    - Executes dropped EXE
    PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 224
1⤵
- Program crash
PID:1260
- C:\Users\Admin\AppData\Local\Temp\tmp240622406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622406.exe
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\tmp240664656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240664656.exe
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\tmp240664687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240664687.exe
      4⤵
      PID:3440
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\tmp240699015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240699015.exe
      4⤵
      PID:616
    - - C:\Users\Admin\AppData\Local\Temp\tmp240699171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699171.exe
        5⤵
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\tmp240699218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699218.exe
        6⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699281.exe
        7⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699359.exe
        8⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699312.exe
        8⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699265.exe
        7⤵
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        6⤵
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\tmp240699078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699078.exe
        5⤵
        
        PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\tmp240698984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240698984.exe
      4⤵
      PID:5116
- C:\Users\Admin\AppData\Local\Temp\tmp240622421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622421.exe
  2⤵
  PID:3384

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\tmp240592531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240592531.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe
      4⤵
      PID:456
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596765.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596765.exe
      4⤵
      Executes dropped EXE
      PID:392
- C:\Users\Admin\AppData\Local\Temp\tmp240594765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594765.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\tmp240681406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240681406.exe
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
  2⤵
  PID:1780

C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1764 -ip 1764
1⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\tmp240591843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591843.exe
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240591937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591937.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3800

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\tmp240621031.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240621031.exe
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\tmp240621671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621671.exe
        6⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        8⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621906.exe
        8⤵
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        6⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
        7⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        7⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        8⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679937.exe
        9⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        10⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        10⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        9⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656031.exe
        8⤵
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
      4⤵
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\tmp240656015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656015.exe
        5⤵
        
        PID:528
    - - C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        5⤵
        
        PID:3784
- C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4848

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4636
      - C:\Users\Admin\AppData\Local\Temp\tmp240608140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608140.exe
        6⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623796.exe
        7⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
        7⤵
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\tmp240607781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607781.exe
        6⤵
        
        PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
      4⤵
      PID:2480
- C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        5⤵
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        5⤵
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\tmp240607968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607968.exe
        6⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
        7⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623062.exe
        7⤵
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\tmp240608359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608359.exe
        6⤵
        
        PID:4392
- - C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
    3⤵
    PID:2336

C:\Users\Admin\AppData\Local\Temp\tmp240598125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598125.exe
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
1⤵
PID:1368

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
1⤵
PID:4580

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\tmp240608515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608515.exe
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\tmp240609187.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240609187.exe
      4⤵
      PID:4540
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
        6⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613453.exe
        8⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615656.exe
        8⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620031.exe
        9⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        9⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623968.exe
        7⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        7⤵
        Executes dropped EXE
        
        PID:3332
      - C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
        6⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
        7⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619921.exe
        7⤵
        
        PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612546.exe
      4⤵
      PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615078.exe
        5⤵
        
        PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
        5⤵
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        6⤵
        
        PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\tmp240666109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240666109.exe
      4⤵
      PID:728
  - - C:\Users\Admin\AppData\Local\Temp\tmp240666140.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240666140.exe
      4⤵
      PID:5084
- C:\Users\Admin\AppData\Local\Temp\tmp240609062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609062.exe
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tmp240612296.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612296.exe
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        5⤵
        
        PID:2540
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615812.exe
        7⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619968.exe
        7⤵
        
        PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
        5⤵
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
        6⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719343.exe
        8⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719109.exe
        8⤵
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        6⤵
        
        PID:228
  - - C:\Users\Admin\AppData\Local\Temp\tmp240665812.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240665812.exe
      4⤵
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\tmp240665890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665890.exe
        5⤵
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        5⤵
        
        PID:2712
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718296.exe
        7⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718468.exe
        7⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718953.exe
        8⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718656.exe
        8⤵
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\tmp240665609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240665609.exe
      4⤵
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    3⤵
    PID:4796

C:\Users\Admin\AppData\Local\Temp\tmp240608296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608296.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\tmp240665140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665140.exe
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\tmp240665109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665109.exe
  2⤵
  PID:960

C:\Users\Admin\AppData\Local\Temp\tmp240608875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608875.exe
1⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\tmp240607890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607890.exe
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
  2⤵
  PID:4672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1004
- C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\tmp240620875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620875.exe
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\tmp240698015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240698015.exe
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\tmp240698031.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240698031.exe
      4⤵
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\tmp240698140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698140.exe
        5⤵
        
        PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\tmp240698093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698093.exe
        5⤵
        
        PID:1892
- - C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
    3⤵
    PID:4988
- C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
  2⤵
  PID:4780

C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\tmp240620265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620265.exe
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
1⤵
PID:900
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1260

C:\Users\Admin\AppData\Local\Temp\tmp240622250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622250.exe
1⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\tmp240622453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622453.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
1⤵
PID:1096
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
    3⤵
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
    3⤵
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\tmp240665078.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240665078.exe
      4⤵
      PID:3612

C:\Users\Admin\AppData\Local\Temp\tmp240622875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622875.exe
1⤵
PID:3292
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3612

C:\Users\Admin\AppData\Local\Temp\tmp240623109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623109.exe
1⤵
PID:504

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
      4⤵
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\tmp240623734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240623734.exe
      4⤵
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
    3⤵
    PID:4524
- C:\Users\Admin\AppData\Local\Temp\tmp240623375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240623375.exe
  2⤵
  PID:4180

C:\Users\Admin\AppData\Local\Temp\tmp240623218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623218.exe
1⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
1⤵
PID:3256

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\tmp240635890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240635890.exe
      4⤵
      PID:224
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\tmp240640890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640890.exe
        6⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        8⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680687.exe
        11⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680703.exe
        11⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        9⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        10⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        10⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        8⤵
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        6⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        7⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        7⤵
        
        PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\tmp240636890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240636890.exe
      4⤵
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        7⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644203.exe
        7⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        8⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        8⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679000.exe
        8⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        8⤵
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\tmp240718421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718421.exe
        6⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\tmp240718484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718484.exe
        6⤵
        
        PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        5⤵
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\tmp240649031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649031.exe
        6⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        7⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        7⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        6⤵
        
        PID:1052
- C:\Users\Admin\AppData\Local\Temp\tmp240635687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635687.exe
  2⤵
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\tmp240636968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240636968.exe
    3⤵
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:456
  - - C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
      4⤵
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\tmp240655562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655562.exe
        5⤵
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698421.exe
        7⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698515.exe
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698765.exe
        8⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698406.exe
        7⤵
        
        PID:4596

C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
  2⤵
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\tmp240636953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240636953.exe
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
    3⤵
    PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240623718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623718.exe
1⤵
PID:2288

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
1⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
1⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\tmp240623125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623125.exe
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\tmp240665250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665250.exe
  2⤵
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
  2⤵
  PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp240622968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622968.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmp240699375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240699375.exe
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\tmp240699546.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240699546.exe
    3⤵
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\tmp240699609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240699609.exe
      4⤵
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\tmp240715328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240715328.exe
        5⤵
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\tmp240717843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717843.exe
        5⤵
        
        PID:5088
- - C:\Users\Admin\AppData\Local\Temp\tmp240699421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240699421.exe
    3⤵
    PID:4908
- C:\Users\Admin\AppData\Local\Temp\tmp240699343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240699343.exe
  2⤵
  PID:1160

C:\Users\Admin\AppData\Local\Temp\tmp240622906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622906.exe
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\tmp240622812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622812.exe
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\tmp240665031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665031.exe
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\tmp240680640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240680640.exe
    3⤵
    PID:4180

C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
1⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\tmp240622718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622718.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\tmp240622687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622687.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\tmp240664703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240664703.exe
  2⤵
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
  2⤵
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\tmp240665375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240665375.exe
    3⤵
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
    3⤵
    PID:2232

C:\Users\Admin\AppData\Local\Temp\tmp240622640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622640.exe
1⤵
PID:756
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4908

C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\tmp240622218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622218.exe
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
1⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\tmp240620171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620171.exe
1⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\tmp240636921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636921.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
  2⤵
  PID:3180

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1104
- C:\Users\Admin\AppData\Local\Temp\tmp240656296.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240656296.exe
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\tmp240664765.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240664765.exe
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\tmp240662765.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240662765.exe
      4⤵
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\tmp240699437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699437.exe
        5⤵
        
        PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\tmp240699484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699484.exe
        5⤵
        
        PID:4972
- C:\Users\Admin\AppData\Local\Temp\tmp240662531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240662531.exe
  2⤵
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
  2⤵
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\tmp240679984.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240679984.exe
  2⤵
  PID:2352

C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\tmp240655578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655578.exe
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
1⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\tmp240665406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665406.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\tmp240665796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665796.exe
  2⤵
  PID:3104
- C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
  2⤵
  PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
1⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\tmp240665984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665984.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\tmp240666062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240666062.exe
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
        5⤵
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        6⤵
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        6⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        7⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679843.exe
        7⤵
        
        PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tmp240666375.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240666375.exe
      4⤵
      PID:4228
- C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\tmp240717812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240717812.exe
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\tmp240717781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240717781.exe
    3⤵
    PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
1⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
1⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\tmp240666500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666500.exe
1⤵
PID:1616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
      4⤵
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\tmp240679234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679234.exe
        5⤵
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\tmp240679656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679656.exe
        6⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679796.exe
        7⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        8⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679765.exe
        7⤵
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\tmp240679312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679312.exe
        6⤵
        
        PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\tmp240676562.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240676562.exe
      4⤵
      PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719390.exe
      4⤵
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
      4⤵
      PID:1472
- C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
  2⤵
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:448
- - C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\tmp240679218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240679218.exe
      4⤵
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
      4⤵
      PID:4660

C:\Users\Admin\AppData\Local\Temp\tmp240666593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666593.exe
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\tmp240666718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240666718.exe
  2⤵
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
  2⤵
  PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
1⤵
PID:3980
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\tmp240667234.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240667234.exe
    3⤵
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\tmp240676281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240676281.exe
    3⤵
    PID:3948

C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
1⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
1⤵
PID:2748

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2108
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
    3⤵
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
    3⤵
    PID:4152

C:\Users\Admin\AppData\Local\Temp\tmp240665734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665734.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
  2⤵
  PID:2724

C:\Users\Admin\AppData\Local\Temp\tmp240665562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665562.exe
1⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\tmp240665515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665515.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
1⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
1⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\tmp240665343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665343.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\tmp240664890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664890.exe
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\tmp240679203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679203.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
  2⤵
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
  2⤵
  PID:3376

C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
1⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240679734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679734.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\tmp240680140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680140.exe
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
  2⤵
  PID:3536

C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\tmp240680515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680515.exe
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
  2⤵
  PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240680750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680750.exe
1⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp240680859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680859.exe
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\tmp240680906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680906.exe
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\tmp240699578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240699578.exe
    3⤵
    PID:1524
- C:\Users\Admin\AppData\Local\Temp\tmp240680921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680921.exe
  2⤵
  PID:3040

C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
  2⤵
  PID:3912
- C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
  2⤵
  PID:2820

C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
1⤵
PID:4188
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
    3⤵
    PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\tmp240681468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240681468.exe
      4⤵
      PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\tmp240697250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697250.exe
        5⤵
        
        PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        5⤵
        
        PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\tmp240681390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240681390.exe
      4⤵
      PID:4328
- - C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
    3⤵
    PID:4256

C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp240680843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680843.exe
1⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240680765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680765.exe
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\tmp240679921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679921.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\tmp240699000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240699000.exe
  2⤵
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\tmp240698921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240698921.exe
  2⤵
  PID:4088

C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
1⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\tmp240697281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697281.exe
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\tmp240697343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697343.exe
1⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\tmp240697515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697515.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\tmp240719187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719187.exe
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp240719125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719125.exe
  2⤵
  PID:1004

C:\Users\Admin\AppData\Local\Temp\tmp240697531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697531.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\tmp240697671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240697671.exe
    3⤵
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\tmp240697656.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240697656.exe
    3⤵
    PID:4640
- C:\Users\Admin\AppData\Local\Temp\tmp240697578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240697578.exe
  2⤵
  PID:892

C:\Users\Admin\AppData\Local\Temp\tmp240697750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697750.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\tmp240719468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719468.exe
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\tmp240719562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719562.exe
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\tmp240719828.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719828.exe
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\tmp240719765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719765.exe
    3⤵
    PID:4360

C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\tmp240697781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240697781.exe
  2⤵
  PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp240698156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698156.exe
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp240698187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698187.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\tmp240698281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240698281.exe
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\tmp240698250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240698250.exe
  2⤵
  PID:3868

C:\Users\Admin\AppData\Local\Temp\tmp240698390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698390.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\tmp240698796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240698796.exe
  2⤵
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\tmp240698500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240698500.exe
  2⤵
  PID:3164

C:\Users\Admin\AppData\Local\Temp\tmp240699093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699093.exe
1⤵
PID:4008

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\tmp240699640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240699640.exe
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\tmp240711609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240711609.exe
      4⤵
      PID:3912
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        6⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717937.exe
        7⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717796.exe
        7⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\tmp240713328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713328.exe
        6⤵
        
        PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\tmp240713062.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240713062.exe
      4⤵
      PID:4380
- C:\Users\Admin\AppData\Local\Temp\tmp240711265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240711265.exe
  2⤵
  PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240699062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699062.exe
1⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240698875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698875.exe
1⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\tmp240698859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698859.exe
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\tmp240698375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698375.exe
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\tmp240698265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698265.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\tmp240698203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698203.exe
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\tmp240698062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698062.exe
1⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\tmp240698000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698000.exe
1⤵
PID:1784

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
1⤵
PID:4028

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\tmp240697437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697437.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
1⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240697312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697312.exe
1⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\tmp240718109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240718109.exe
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\tmp240718406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240718406.exe
  2⤵
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\tmp240719000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719000.exe
  2⤵
  PID:3088

C:\Users\Admin\AppData\Local\Temp\tmp240718390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240718390.exe
1⤵
PID:1052
- C:\Users\Admin\AppData\Local\Temp\tmp240719015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719015.exe
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
  2⤵
  PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240718156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240718156.exe
1⤵
PID:4992
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1344

C:\Users\Admin\AppData\Local\Temp\tmp240718140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240718140.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240719140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719140.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\tmp240719328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719328.exe
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\tmp240719515.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719515.exe
    3⤵
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719687.exe
      4⤵
      PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719656.exe
      4⤵
      PID:528
- - C:\Users\Admin\AppData\Local\Temp\tmp240719484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719484.exe
    3⤵
    PID:1892
- C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
  2⤵
  PID:1360

C:\Users\Admin\AppData\Local\Temp\tmp240719875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719875.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\tmp240719953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719953.exe
  2⤵
  PID:1284

C:\Users\Admin\AppData\Local\Temp\tmp240719843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719843.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\tmp240719718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719718.exe
1⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\tmp240719625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719625.exe
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\tmp240719500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719500.exe
1⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\tmp240719437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719437.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp240719093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719093.exe
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\tmp240718000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240718000.exe
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp240717921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240717921.exe
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240580281.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580281.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe

Filesize
4.7MB

MD5
47316efc4f88963391223828de3ee088

SHA1
2ac284807d748beb73adad8ed2241f87787669c0

SHA256
9e1219efdd3a0a25d4697a79880ee5b5643bc0569cd0e55f6345f33bea28fbd6

SHA512
ea69c96f583c17b064f23ad2e4ff4b34b678d9dcee857a7d3090784e4ab65c6dcafa5b5e8f7573455406a8c176bf5332705aeb9e429f803ea92bb145da8627c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe

Filesize
4.7MB

MD5
47316efc4f88963391223828de3ee088

SHA1
2ac284807d748beb73adad8ed2241f87787669c0

SHA256
9e1219efdd3a0a25d4697a79880ee5b5643bc0569cd0e55f6345f33bea28fbd6

SHA512
ea69c96f583c17b064f23ad2e4ff4b34b678d9dcee857a7d3090784e4ab65c6dcafa5b5e8f7573455406a8c176bf5332705aeb9e429f803ea92bb145da8627c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589312.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589312.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe

Filesize
3.2MB

MD5
83d45cb222c2cd837f2514b07f477d80

SHA1
8ecdab45837903e7edcbbe6fcd69ff69fbc0bfcc

SHA256
3321fc1ff1c7ea408ead017360577540029414213f1c140c42e6738364e1807c

SHA512
01713a89afbbd29a05dc01703e3e4526ad448aef7307f0b859144f625931b74591416ff17c7207f021b19cad6e32c0cbb905b042978156b7e5b65a172136ab47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe

Filesize
3.2MB

MD5
83d45cb222c2cd837f2514b07f477d80

SHA1
8ecdab45837903e7edcbbe6fcd69ff69fbc0bfcc

SHA256
3321fc1ff1c7ea408ead017360577540029414213f1c140c42e6738364e1807c

SHA512
01713a89afbbd29a05dc01703e3e4526ad448aef7307f0b859144f625931b74591416ff17c7207f021b19cad6e32c0cbb905b042978156b7e5b65a172136ab47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589546.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589546.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe

Filesize
1.7MB

MD5
565436eacbb9e282a9d22f533c3f4a5f

SHA1
d844e74738045896fc1791a454a5dafe858dd418

SHA256
f2bd724a53850fdb6aef1da55ef8ef3d0baffd7d7da5d091bf675c30dcd1658b

SHA512
36db2cd660347347c6ee95c74c1e4fee25fba8763d5855456aa84e436b0f6b075514de9f61d4998231b497573358b8f653b9ba98e82c605756f8665496f43352

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe

Filesize
1.7MB

MD5
565436eacbb9e282a9d22f533c3f4a5f

SHA1
d844e74738045896fc1791a454a5dafe858dd418

SHA256
f2bd724a53850fdb6aef1da55ef8ef3d0baffd7d7da5d091bf675c30dcd1658b

SHA512
36db2cd660347347c6ee95c74c1e4fee25fba8763d5855456aa84e436b0f6b075514de9f61d4998231b497573358b8f653b9ba98e82c605756f8665496f43352

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591843.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591843.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591937.exe

Filesize
136KB

MD5
caf06086af40dd5b46c4b007996afd82

SHA1
d89cfb57c6ad83eb9520e69cdb28c1a4e8f072bb

SHA256
931268ca515290cda15a24e61f14d8595f9e6b0fcf77ba9ba43783c3e70f9741

SHA512
da555af03d447e1bf49f4015bbae3231f7f69312604c8156624afa07c6fc0406b1f9bae11c3f870508ba471e0d97511db9c084d940c1a8742fd2dd028e5f65de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240591937.exe

Filesize
136KB

MD5
caf06086af40dd5b46c4b007996afd82

SHA1
d89cfb57c6ad83eb9520e69cdb28c1a4e8f072bb

SHA256
931268ca515290cda15a24e61f14d8595f9e6b0fcf77ba9ba43783c3e70f9741

SHA512
da555af03d447e1bf49f4015bbae3231f7f69312604c8156624afa07c6fc0406b1f9bae11c3f870508ba471e0d97511db9c084d940c1a8742fd2dd028e5f65de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592531.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592531.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594765.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596765.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598125.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598484.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
4276a0dcbb4dc675f10763ceca153f02

SHA1
a346696444db7ce0802a999600198ba5cf13aee2

SHA256
ff2c0fbf8fa252701104cea35d021b57a6c22bdb3ff9a222e8346da2b5c968eb

SHA512
f48cec8242f971a9337ccde6fec6ff87591419b127cae2a735d0102229e27c8d803cc0b252fd10b406526d68e29b3dc1ca27a95be40cea95f6f831657700a60d

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.5MB

MD5
d58fc2f4a8b6fc1764adb27f3b0e40a8

SHA1
a76ed0c48ff13869131361ac06fd7b1f69d55821

SHA256
cbfb9248d84a4b5d11ba194e36adefb9a131f6aa2daee191400946abfa41de66

SHA512
bf3ae635bb383f8b8e84b92dc4412addc370954250e8ed3202cdee7a0923e99d5ce07634e99d67ca7ae5b88c765212715b6c59562d0f19075d40f03de335b4be

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
766962c19575ecc4cedf441cdaea71b3

SHA1
b79853a4bb8ec3dcc3572efc4cd430b1e04cf212

SHA256
dca6d39a2f6fc3a00a45dac8e0e263470611a6cf167ff0aa189f307c4250f1bb

SHA512
74daf3665f5a42426aa5aa2e4dc3115112635759bbbef45f461c9fed1162186090bcf52864d130d8d16de3d46a26b2dfd4765312ab84b898ca9fbd2cfa16201f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
766962c19575ecc4cedf441cdaea71b3

SHA1
b79853a4bb8ec3dcc3572efc4cd430b1e04cf212

SHA256
dca6d39a2f6fc3a00a45dac8e0e263470611a6cf167ff0aa189f307c4250f1bb

SHA512
74daf3665f5a42426aa5aa2e4dc3115112635759bbbef45f461c9fed1162186090bcf52864d130d8d16de3d46a26b2dfd4765312ab84b898ca9fbd2cfa16201f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
766962c19575ecc4cedf441cdaea71b3

SHA1
b79853a4bb8ec3dcc3572efc4cd430b1e04cf212

SHA256
dca6d39a2f6fc3a00a45dac8e0e263470611a6cf167ff0aa189f307c4250f1bb

SHA512
74daf3665f5a42426aa5aa2e4dc3115112635759bbbef45f461c9fed1162186090bcf52864d130d8d16de3d46a26b2dfd4765312ab84b898ca9fbd2cfa16201f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.7MB

MD5
e61698f4388d770f52a9c1b2d66a257e

SHA1
190d849270905c7ab8779b633d14e21c9edee97e

SHA256
ac6f90944c14b59d578f17414ade9d5ccdcadeb2edeb5a9dc398acaef3f6008c

SHA512
1ae21c286c685d2251bb7e117fdd5bfecf8c90d90c109805b2e7522afc1352df5e3024cce44f9dcdef8f4385c76262a083f8b84e2168b0718853f138bea25a60

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/204-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/204-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-190-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1800-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2072-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2072-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3088-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3464-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3464-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3616-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3616-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3644-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3800-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3800-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3892-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3892-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3900-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3900-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4320-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4320-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4596-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4636-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4636-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4692-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4692-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4800-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4976-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5040-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5040-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download