6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102

Analysis

max time kernel
8s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
Size

677KB
MD5

723c9b95d66c5f763327baa4fe889310
SHA1

37999e045e0f3713fea1c6063aa84e37d05cdf80
SHA256

6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102
SHA512

793526f6f7a9414d4576b3b047743e6e6b3862e4b3d759f848c6b3a64c7411748fbafc44d0978330fe5d0fde8a1330ce8ba2c8a96f4aa8a5521a99249433f005
SSDEEP

12288:HPhR9PUPhR9PgPhR9P9PhR9PGPhR9PePhR9PuPhR9PnSDyTFtj:JRYRgRJRWRSRmRkDyTFtj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
980	tmp7073288.exe
1888	tmp7073303.exe
1492	tmp7073522.exe
1328	tmp7073568.exe
852	tmp7073724.exe
904	tmp7073802.exe
1292	tmp7073990.exe
1288	notpad.exe
840	tmp7074099.exe
1624	tmp7074192.exe
1952	tmp7074333.exe
812	tmp7074270.exe
524	notpad.exe
1132	tmp7074411.exe
1824	tmp7074551.exe
776	tmp7074629.exe
1564	tmp7074645.exe
692	notpad.exe
608	tmp7074676.exe
1484	tmp7074879.exe
624	tmp7074894.exe
2008	tmp7074988.exe
1496	notpad.exe
1640	tmp7074957.exe
1196	tmp7075191.exe
1000	tmp7075238.exe
592	notpad.exe
1204	tmp7075394.exe
436	tmp7075425.exe
1696	notpad.exe
588	tmp7075565.exe
632	tmp7075581.exe
276	tmp7079184.exe
1288	tmp7075768.exe
1092	notpad.exe
1820	notpad.exe
396	tmp7077999.exe
1504	tmp7076002.exe
1928	notpad.exe
2000	tmp7076220.exe
568	tmp7078139.exe
1600	tmp7079652.exe
1712	notpad.exe
940	tmp7080963.exe
884	tmp7076392.exe
1756	tmp7079746.exe
1884	tmp7078482.exe
1648	tmp7081290.exe
2028	notpad.exe
1068	tmp7081181.exe
1704	tmp7080183.exe
1136	tmp7081384.exe
1492	tmp7078810.exe
320	notpad.exe
1348	notpad.exe
1940	tmp7077531.exe
980	tmp7081368.exe
1208	notpad.exe
1696	tmp7080526.exe
1048	tmp7080323.exe
1764	notpad.exe
472	tmp7080417.exe
456	notpad.exe
1092	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122cd-58.dat	upx
behavioral1/files/0x000a0000000122cd-60.dat	upx
behavioral1/files/0x000a0000000122cd-62.dat	upx
behavioral1/files/0x000a0000000122cd-63.dat	upx
behavioral1/memory/1640-68-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122d3-70.dat	upx
behavioral1/files/0x00080000000122d3-71.dat	upx
behavioral1/memory/1888-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122d3-75.dat	upx
behavioral1/files/0x00080000000122d3-76.dat	upx
behavioral1/files/0x00090000000122d7-82.dat	upx
behavioral1/files/0x00090000000122d8-83.dat	upx
behavioral1/files/0x00090000000122d8-84.dat	upx
behavioral1/files/0x00090000000122d8-86.dat	upx
behavioral1/files/0x00090000000122d8-88.dat	upx
behavioral1/memory/1328-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122d7-96.dat	upx
behavioral1/files/0x00090000000122d7-94.dat	upx
behavioral1/files/0x00080000000122dc-97.dat	upx
behavioral1/files/0x00080000000122dc-99.dat	upx
behavioral1/files/0x00090000000122d7-98.dat	upx
behavioral1/files/0x00080000000122dc-101.dat	upx
behavioral1/memory/904-102-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122dc-103.dat	upx
behavioral1/files/0x00080000000122d4-109.dat	upx
behavioral1/memory/1288-118-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122d7-122.dat	upx
behavioral1/files/0x00080000000122e2-126.dat	upx
behavioral1/files/0x00080000000122e2-127.dat	upx
behavioral1/files/0x00090000000122d7-150.dat	upx
behavioral1/memory/608-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1132-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/524-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122d4-145.dat	upx
behavioral1/files/0x00090000000122d7-149.dat	upx
behavioral1/memory/840-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122e2-133.dat	upx
behavioral1/files/0x00080000000122e2-132.dat	upx
behavioral1/files/0x00090000000122d7-125.dat	upx
behavioral1/files/0x00090000000122d7-123.dat	upx
behavioral1/memory/608-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/692-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1496-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/592-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/276-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1820-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1600-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/940-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1756-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1348-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1092-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1448-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/288-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1220-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/456-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1432-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1912-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/272-302-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1140-303-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
1888	tmp7073303.exe
1888	tmp7073303.exe
1888	tmp7073303.exe
1888	tmp7073303.exe
1328	tmp7073568.exe
1328	tmp7073568.exe
980	tmp7073288.exe
1328	tmp7073568.exe
1328	tmp7073568.exe
904	tmp7073802.exe
904	tmp7073802.exe
980	tmp7073288.exe
904	tmp7073802.exe
904	tmp7073802.exe
1288	notpad.exe
1288	notpad.exe
840	tmp7074099.exe
1288	notpad.exe
840	tmp7074099.exe
1624	tmp7074192.exe
1624	tmp7074192.exe
840	tmp7074099.exe
840	tmp7074099.exe
524	notpad.exe
524	notpad.exe
1132	tmp7074411.exe
1132	tmp7074411.exe
524	notpad.exe
1824	tmp7074551.exe
1824	tmp7074551.exe
1132	tmp7074411.exe
1132	tmp7074411.exe
692	notpad.exe
692	notpad.exe
608	tmp7074676.exe
608	tmp7074676.exe
692	notpad.exe
1484	tmp7074879.exe
608	tmp7074676.exe
608	tmp7074676.exe
1484	tmp7074879.exe
1496	notpad.exe
1496	notpad.exe
1496	notpad.exe
1196	tmp7075191.exe
1196	tmp7075191.exe
1700	WerFault.exe
1700	WerFault.exe
592	notpad.exe
592	notpad.exe
592	notpad.exe
1204	tmp7075394.exe
1204	tmp7075394.exe
1696	notpad.exe
1696	notpad.exe
1696	notpad.exe
588	tmp7079060.exe
588	tmp7079060.exe
276	tmp7079184.exe
276	tmp7079184.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7078482.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079543.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7075565.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7081025.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7079247.exe
File created	C:\Windows\SysWOW64\fsb.stb	tmp7073288.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7074879.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081181.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7075394.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075565.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7081181.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7078810.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7074879.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7077999.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7082975.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079247.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7073288.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7073288.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081181.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081025.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7076220.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7077858.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7078139.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079543.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7078482.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079247.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7074879.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7078810.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7075191.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7078810.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7080526.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7074551.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7082975.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079044.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079169.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079340.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7075565.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7078139.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081181.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7081368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7074879.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075191.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079044.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7074192.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7080916.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7080526.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7082008.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7079340.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7074551.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7075768.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7075768.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7080916.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7080417.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7080417.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7077858.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1700	2008	WerFault.exe	50

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7074879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7074551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7073288.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077858.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7074192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080916.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7082008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 980	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	28
PID 1640 wrote to memory of 980	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	28
PID 1640 wrote to memory of 980	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	28
PID 1640 wrote to memory of 980	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	28
PID 1640 wrote to memory of 1888	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	29
PID 1640 wrote to memory of 1888	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	29
PID 1640 wrote to memory of 1888	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	29
PID 1640 wrote to memory of 1888	1640	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	29
PID 1888 wrote to memory of 1492	1888	tmp7073303.exe	30
PID 1888 wrote to memory of 1492	1888	tmp7073303.exe	30
PID 1888 wrote to memory of 1492	1888	tmp7073303.exe	30
PID 1888 wrote to memory of 1492	1888	tmp7073303.exe	30
PID 1888 wrote to memory of 1328	1888	tmp7073303.exe	31
PID 1888 wrote to memory of 1328	1888	tmp7073303.exe	31
PID 1888 wrote to memory of 1328	1888	tmp7073303.exe	31
PID 1888 wrote to memory of 1328	1888	tmp7073303.exe	31
PID 1328 wrote to memory of 852	1328	tmp7073568.exe	32
PID 1328 wrote to memory of 852	1328	tmp7073568.exe	32
PID 1328 wrote to memory of 852	1328	tmp7073568.exe	32
PID 1328 wrote to memory of 852	1328	tmp7073568.exe	32
PID 1328 wrote to memory of 904	1328	tmp7073568.exe	34
PID 1328 wrote to memory of 904	1328	tmp7073568.exe	34
PID 1328 wrote to memory of 904	1328	tmp7073568.exe	34
PID 1328 wrote to memory of 904	1328	tmp7073568.exe	34
PID 904 wrote to memory of 1292	904	tmp7073802.exe	35
PID 904 wrote to memory of 1292	904	tmp7073802.exe	35
PID 904 wrote to memory of 1292	904	tmp7073802.exe	35
PID 904 wrote to memory of 1292	904	tmp7073802.exe	35
PID 980 wrote to memory of 1288	980	tmp7073288.exe	33
PID 980 wrote to memory of 1288	980	tmp7073288.exe	33
PID 980 wrote to memory of 1288	980	tmp7073288.exe	33
PID 980 wrote to memory of 1288	980	tmp7073288.exe	33
PID 904 wrote to memory of 840	904	tmp7073802.exe	36
PID 904 wrote to memory of 840	904	tmp7073802.exe	36
PID 904 wrote to memory of 840	904	tmp7073802.exe	36
PID 904 wrote to memory of 840	904	tmp7073802.exe	36
PID 1288 wrote to memory of 1624	1288	notpad.exe	37
PID 1288 wrote to memory of 1624	1288	notpad.exe	37
PID 1288 wrote to memory of 1624	1288	notpad.exe	37
PID 1288 wrote to memory of 1624	1288	notpad.exe	37
PID 1288 wrote to memory of 1952	1288	notpad.exe	38
PID 1288 wrote to memory of 1952	1288	notpad.exe	38
PID 1288 wrote to memory of 1952	1288	notpad.exe	38
PID 1288 wrote to memory of 1952	1288	notpad.exe	38
PID 840 wrote to memory of 812	840	tmp7074099.exe	39
PID 840 wrote to memory of 812	840	tmp7074099.exe	39
PID 840 wrote to memory of 812	840	tmp7074099.exe	39
PID 840 wrote to memory of 812	840	tmp7074099.exe	39
PID 1624 wrote to memory of 524	1624	tmp7074192.exe	40
PID 1624 wrote to memory of 524	1624	tmp7074192.exe	40
PID 1624 wrote to memory of 524	1624	tmp7074192.exe	40
PID 1624 wrote to memory of 524	1624	tmp7074192.exe	40
PID 840 wrote to memory of 1132	840	tmp7074099.exe	48
PID 840 wrote to memory of 1132	840	tmp7074099.exe	48
PID 840 wrote to memory of 1132	840	tmp7074099.exe	48
PID 840 wrote to memory of 1132	840	tmp7074099.exe	48
PID 524 wrote to memory of 1824	524	notpad.exe	47
PID 524 wrote to memory of 1824	524	notpad.exe	47
PID 524 wrote to memory of 1824	524	notpad.exe	47
PID 524 wrote to memory of 1824	524	notpad.exe	47
PID 1132 wrote to memory of 776	1132	tmp7074411.exe	46
PID 1132 wrote to memory of 776	1132	tmp7074411.exe	46
PID 1132 wrote to memory of 776	1132	tmp7074411.exe	46
PID 1132 wrote to memory of 776	1132	tmp7074411.exe	46

C:\Users\Admin\AppData\Local\Temp\6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
"C:\Users\Admin\AppData\Local\Temp\6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\tmp7073288.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7073288.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\tmp7074192.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7074192.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\tmp7074645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074645.exe
        6⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\tmp7074551.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074551.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\tmp7074333.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7074333.exe
      4⤵
      Executes dropped EXE
      PID:1952
- C:\Users\Admin\AppData\Local\Temp\tmp7073303.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7073303.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\tmp7073522.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7073522.exe
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\tmp7073568.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7073568.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\tmp7073724.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7073724.exe
      4⤵
      Executes dropped EXE
      PID:852
  - - C:\Users\Admin\AppData\Local\Temp\tmp7073802.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7073802.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Users\Admin\AppData\Local\Temp\tmp7073990.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7073990.exe
        5⤵
        Executes dropped EXE
        
        PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\tmp7074099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074099.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\tmp7074270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074270.exe
        6⤵
        Executes dropped EXE
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\tmp7074411.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074411.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp7074879.exe
C:\Users\Admin\AppData\Local\Temp\tmp7074879.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1484
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\tmp7075191.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7075191.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:1196
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:592
    - - C:\Users\Admin\AppData\Local\Temp\tmp7075394.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075394.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075565.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075768.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075971.exe
        11⤵
        
        PID:396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076220.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076376.exe
        15⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076486.exe
        17⤵
        
        PID:992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076626.exe
        19⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077281.exe
        21⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076766.exe
        21⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078623.exe
        21⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078638.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078638.exe
        21⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076657.exe
        19⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076517.exe
        17⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078280.exe
        16⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078311.exe
        16⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076392.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076392.exe
        15⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076267.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076267.exe
        13⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076002.exe
        11⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075846.exe
        9⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077905.exe
        10⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077858.exe
        10⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075581.exe
        7⤵
        Executes dropped EXE
        
        PID:632
    - - C:\Users\Admin\AppData\Local\Temp\tmp7075425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075425.exe
        5⤵
        Executes dropped EXE
        
        PID:436
- - C:\Users\Admin\AppData\Local\Temp\tmp7075238.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7075238.exe
    3⤵
    - Executes dropped EXE
    PID:1000

C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe
C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe
1⤵
- Executes dropped EXE
PID:624
- C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
  2⤵
  PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp7074676.exe
C:\Users\Admin\AppData\Local\Temp\tmp7074676.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608
- C:\Users\Admin\AppData\Local\Temp\tmp7074988.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7074988.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1700
- C:\Users\Admin\AppData\Local\Temp\tmp7078716.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7078716.exe
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\Temp\tmp7078701.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7078701.exe
  2⤵
  PID:1096

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692
- C:\Users\Admin\AppData\Local\Temp\tmp7074957.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7074957.exe
  2⤵
  - Executes dropped EXE
  PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp7074629.exe
C:\Users\Admin\AppData\Local\Temp\tmp7074629.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1704
- C:\Users\Admin\AppData\Local\Temp\tmp7077344.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7077344.exe
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\tmp7077390.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7077390.exe
  2⤵
  PID:320

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\tmp7077624.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7077624.exe
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\tmp7077640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7077640.exe
  2⤵
  PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp7077780.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077780.exe
1⤵
PID:472
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1092

C:\Users\Admin\AppData\Local\Temp\tmp7077999.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077999.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:396
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1976

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\tmp7078077.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7078077.exe
  2⤵
  PID:524

C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:568
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1712

C:\Users\Admin\AppData\Local\Temp\tmp7078373.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078373.exe
1⤵
PID:1752
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
    3⤵
    PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp7078389.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078389.exe
1⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\tmp7078810.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078810.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1492
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1940
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1348

C:\Users\Admin\AppData\Local\Temp\tmp7078919.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078919.exe
1⤵
PID:980
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\tmp7079060.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7079060.exe
    3⤵
    - Loads dropped DLL
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\tmp7079044.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7079044.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1628
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1220

C:\Users\Admin\AppData\Local\Temp\tmp7079184.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079184.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276

C:\Users\Admin\AppData\Local\Temp\tmp7079340.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079340.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:2024
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1900

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\tmp7079481.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7079481.exe
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\tmp7079606.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7079606.exe
    3⤵
    PID:776
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\tmp7079871.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079871.exe
        5⤵
        
        PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\tmp7079902.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079902.exe
        5⤵
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\tmp7079996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079996.exe
        6⤵
        
        PID:584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080120.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080120.exe
        8⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080245.exe
        8⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080323.exe
        9⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080495.exe
        11⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080573.exe
        11⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080666.exe
        12⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080682.exe
        12⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080417.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
      - C:\Users\Admin\AppData\Local\Temp\tmp7080074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080074.exe
        6⤵
        
        PID:912
- - C:\Users\Admin\AppData\Local\Temp\tmp7079668.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7079668.exe
    3⤵
    PID:992
- C:\Users\Admin\AppData\Local\Temp\tmp7202924.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7202924.exe
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\tmp7204453.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7204453.exe
      4⤵
      PID:2016
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\tmp7205623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205623.exe
        6⤵
        
        PID:272
      - C:\Users\Admin\AppData\Local\Temp\tmp7206029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206029.exe
        6⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206559.exe
        7⤵
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207620.exe
        9⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210257.exe
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211848.exe
        13⤵
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213642.exe
        15⤵
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214671.exe
        17⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        17⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213829.exe
        15⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215093.exe
        16⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212316.exe
        13⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213907.exe
        14⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215483.exe
        16⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        14⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211146.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211146.exe
        11⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211941.exe
        12⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        12⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208494.exe
        9⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209211.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209211.exe
        10⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209976.exe
        10⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206762.exe
        7⤵
        
        PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\tmp7204703.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7204703.exe
      4⤵
      PID:564
    - - C:\Users\Admin\AppData\Local\Temp\tmp7205436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205436.exe
        5⤵
        
        PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\tmp7204890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204890.exe
        5⤵
        
        PID:624
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206590.exe
        7⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207199.exe
        7⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208728.exe
        8⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        8⤵
        
        PID:1156
- C:\Users\Admin\AppData\Local\Temp\tmp7203190.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7203190.exe
  2⤵
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\tmp7203470.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7203470.exe
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\tmp7203814.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7203814.exe
    3⤵
    PID:1696

C:\Users\Admin\AppData\Local\Temp\tmp7079309.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079309.exe
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\tmp7079512.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079512.exe
1⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp7079543.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079543.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1604
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp7079652.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079652.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\tmp7079637.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079637.exe
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\tmp7079746.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079746.exe
1⤵
- Executes dropped EXE
PID:1756
- C:\Users\Admin\AppData\Local\Temp\tmp7079855.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7079855.exe
  2⤵
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\tmp7078482.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7078482.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1884
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\tmp7080011.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7080011.exe
      4⤵
      PID:608
  - - C:\Users\Admin\AppData\Local\Temp\tmp7080089.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7080089.exe
      4⤵
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\tmp7080105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080105.exe
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080339.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080339.exe
        7⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080386.exe
        7⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080432.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080432.exe
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080620.exe
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080791.exe
        12⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080807.exe
        12⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080916.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080978.exe
        13⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080651.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080651.exe
        10⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080713.exe
        11⤵
        
        PID:780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080869.exe
        13⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080994.exe
        15⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
        17⤵
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
        19⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081368.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081384.exe
        20⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081400.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081400.exe
        20⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081290.exe
        17⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
        18⤵
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081524.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081524.exe
        20⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081618.exe
        22⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082070.exe
        24⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082086.exe
        24⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082148.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082148.exe
        25⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082398.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082398.exe
        27⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082772.exe
        27⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082975.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083256.exe
        30⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
        32⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084317.exe
        34⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084879.exe
        34⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084957.exe
        35⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084972.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084972.exe
        35⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084161.exe
        32⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083771.exe
        30⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083880.exe
        31⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084067.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084067.exe
        33⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084894.exe
        35⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085113.exe
        37⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085456.exe
        39⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087234.exe
        41⤵
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088467.exe
        43⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118762.exe
        45⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119448.exe
        45⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120587.exe
        46⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
        46⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088607.exe
        43⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
        44⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122132.exe
        46⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        48⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124893.exe
        48⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143582.exe
        49⤵
        
        PID:472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146546.exe
        51⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148667.exe
        53⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149510.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149510.exe
        54⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149978.exe
        54⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146951.exe
        51⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        52⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        54⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152411.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152411.exe
        56⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        56⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154127.exe
        57⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        59⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155984.exe
        59⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156811.exe
        60⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157388.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157388.exe
        60⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154252.exe
        57⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149635.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149635.exe
        54⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150118.exe
        55⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154377.exe
        57⤵
        
        PID:560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155687.exe
        59⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175765.exe
        61⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176498.exe
        62⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174844.exe
        61⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156717.exe
        59⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173752.exe
        60⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176373.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176373.exe
        62⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176545.exe
        62⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176950.exe
        63⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177855.exe
        65⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179743.exe
        65⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180476.exe
        66⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182520.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182520.exe
        68⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183487.exe
        70⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185172.exe
        72⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186513.exe
        73⤵
        
        PID:456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187605.exe
        75⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200444.exe
        75⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202347.exe
        76⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200974.exe
        76⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186700.exe
        73⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183658.exe
        70⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184516.exe
        71⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185047.exe
        71⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182691.exe
        68⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183393.exe
        69⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183705.exe
        69⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181209.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181209.exe
        66⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177309.exe
        63⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177668.exe
        64⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178713.exe
        64⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175328.exe
        60⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        57⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        58⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156031.exe
        58⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151397.exe
        55⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148480.exe
        52⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145469.exe
        49⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        46⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124191.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124191.exe
        47⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        49⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        51⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146593.exe
        52⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147123.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147123.exe
        52⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145719.exe
        51⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176092.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176092.exe
        51⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177091.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177091.exe
        53⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177309.exe
        53⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177590.exe
        54⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181287.exe
        56⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181740.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181740.exe
        56⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        57⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182754.exe
        57⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178791.exe
        54⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143582.exe
        49⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124472.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124472.exe
        47⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
        44⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087312.exe
        41⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088654.exe
        42⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        42⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085705.exe
        39⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085846.exe
        40⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe
        42⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088560.exe
        43⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089059.exe
        43⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087702.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087702.exe
        42⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086907.exe
        40⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085237.exe
        37⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085331.exe
        38⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085518.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085518.exe
        40⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085612.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085612.exe
        40⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085721.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085721.exe
        41⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085768.exe
        41⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085409.exe
        38⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084941.exe
        35⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085378.exe
        36⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086719.exe
        36⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084629.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084629.exe
        33⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084816.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084816.exe
        34⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
        34⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083896.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083896.exe
        31⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083131.exe
        28⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082180.exe
        25⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082289.exe
        26⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082928.exe
        26⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081899.exe
        22⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081946.exe
        23⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082164.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082164.exe
        25⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082180.exe
        25⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082273.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082273.exe
        26⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
        28⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083147.exe
        28⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083755.exe
        29⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083818.exe
        29⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082757.exe
        26⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082008.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
        20⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081602.exe
        21⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081883.exe
        21⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081353.exe
        18⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081103.exe
        15⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081166.exe
        16⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081197.exe
        16⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080963.exe
        13⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081025.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081025.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081181.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080776.exe
        11⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080526.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\tmp7080183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080183.exe
        5⤵
        Executes dropped EXE
        
        PID:1704
- C:\Users\Admin\AppData\Local\Temp\tmp7079933.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7079933.exe
  2⤵
  PID:1364

C:\Users\Admin\AppData\Local\Temp\tmp7079730.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079730.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp7079574.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079574.exe
1⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\tmp7079262.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079262.exe
1⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp7079247.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079247.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp7079169.exe
C:\Users\Admin\AppData\Local\Temp\tmp7079169.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp7078982.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078982.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\tmp7078826.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078826.exe
1⤵
PID:960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\tmp7078186.exe
C:\Users\Admin\AppData\Local\Temp\tmp7078186.exe
1⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\tmp7077796.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077796.exe
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp7077546.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077546.exe
1⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp7077531.exe
C:\Users\Admin\AppData\Local\Temp\tmp7077531.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1940

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\tmp7118481.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7118481.exe
  2⤵
  PID:524
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121601.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121601.exe
      4⤵
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        5⤵
        
        PID:272
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122834.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122834.exe
        5⤵
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
      4⤵
      PID:1660
- C:\Users\Admin\AppData\Local\Temp\tmp7119277.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7119277.exe
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\tmp7123161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123161.exe
        5⤵
        
        PID:884
    - - C:\Users\Admin\AppData\Local\Temp\tmp7123629.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123629.exe
        5⤵
        
        PID:1196
      - C:\Users\Admin\AppData\Local\Temp\tmp7123957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123957.exe
        6⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\tmp7124565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124565.exe
        6⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185000.exe
        7⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        9⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187106.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187106.exe
        9⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200397.exe
        10⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200850.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200850.exe
        10⤵
        
        PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tmp7121695.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7121695.exe
    3⤵
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7073288.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073288.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073303.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073303.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073522.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073568.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073568.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073724.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073802.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073802.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073990.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074099.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074099.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074192.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074192.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074270.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074333.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074411.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074411.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074551.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074551.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074629.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074645.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073288.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073288.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073303.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073303.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073522.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073522.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073568.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073568.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073724.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073724.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073802.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073802.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073990.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073990.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074099.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074099.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074192.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074192.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074270.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074270.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074333.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074411.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074411.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074551.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074551.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074629.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074629.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074645.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
memory/272-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/276-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/288-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/456-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/548-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/868-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-59-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1092-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1140-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-118-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1432-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1448-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1448-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1824-156-0x00000000004F0000-0x00000000004FD000-memory.dmp

Filesize
52KB

Download
memory/1824-154-0x00000000004F0000-0x000000000050F000-memory.dmp

Filesize
124KB

Download
memory/1888-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-221-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/2012-340-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download