0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95

Analysis

max time kernel
16s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
Size

894KB
MD5

445126b80b7d56640cf32494d52414a0
SHA1

10e26c3a2b44211e9226c5288ed29ff67abfd56c
SHA256

0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95
SHA512

8b75d49eea929e1a04c72569653878b224983d70a79c38f9093469738c66c7a4a97ec4d063dd9c8ff35f542f209fb12a79f5938b1e0a9479d652c9be8269de94
SSDEEP

24576:JRTRQRARkRPRORCRJRcRYRgRJRWRSRmR:JRTRQRARkRPRORCRJRcRYRgRJRWRSRmR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
840	tmp7092538.exe
1948	tmp7092585.exe
1296	tmp7092694.exe
764	tmp7092819.exe
1768	tmp7092928.exe
1756	tmp7093162.exe
624	tmp7093381.exe
1472	tmp7093599.exe
1604	tmp7093927.exe
1092	tmp7094145.exe
1468	notpad.exe
1412	tmp7094410.exe
1876	tmp7094426.exe
1936	tmp7094473.exe
1908	tmp7095128.exe
1888	tmp7094597.exe
396	notpad.exe
1028	tmp7095253.exe
1880	tmp7095767.exe
1484	tmp7096001.exe
1932	tmp7096048.exe
1256	tmp7096126.exe
1216	notpad.exe
1168	tmp7096251.exe
812	tmp7096329.exe
996	tmp7096376.exe
524	tmp7096423.exe
1712	notpad.exe
980	tmp7096547.exe
1760	tmp7096594.exe
1464	tmp7096703.exe
1068	tmp7096657.exe
888	notpad.exe
684	tmp7096922.exe
1680	tmp7096937.exe
1260	notpad.exe
1856	tmp7097031.exe
1248	tmp7097218.exe
596	tmp7097203.exe
2000	notpad.exe
1148	tmp7097265.exe
1640	tmp7097327.exe
920	tmp7097421.exe
1480	tmp7097499.exe
1924	tmp7097530.exe
360	tmp7097624.exe
1336	notpad.exe
1780	tmp7097749.exe
1456	tmp7097811.exe
748	tmp7097842.exe
276	tmp7097920.exe
960	notpad.exe
1968	tmp7098201.exe
2012	tmp7098045.exe
1952	tmp7098295.exe
436	tmp7098326.exe
1028	tmp7098513.exe
1624	notpad.exe
1732	tmp7098638.exe
472	notpad.exe
1616	tmp7099012.exe
764	tmp7098856.exe
1656	tmp7099059.exe
624	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000152c0-59.dat	upx
behavioral1/files/0x00080000000152c0-60.dat	upx
behavioral1/memory/1376-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000152c0-63.dat	upx
behavioral1/files/0x00080000000152c0-62.dat	upx
behavioral1/files/0x0006000000015c1d-71.dat	upx
behavioral1/files/0x0006000000015c1d-73.dat	upx
behavioral1/files/0x0006000000015c1d-70.dat	upx
behavioral1/memory/1948-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c62-85.dat	upx
behavioral1/files/0x0006000000015c1d-74.dat	upx
behavioral1/files/0x0007000000015c79-83.dat	upx
behavioral1/files/0x0007000000015c79-82.dat	upx
behavioral1/files/0x0007000000015c79-87.dat	upx
behavioral1/files/0x0007000000015c79-86.dat	upx
behavioral1/memory/764-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000015c9b-95.dat	upx
behavioral1/files/0x0006000000015c9b-94.dat	upx
behavioral1/files/0x0006000000015c9b-97.dat	upx
behavioral1/files/0x0006000000015c9b-100.dat	upx
behavioral1/memory/1756-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1472-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1296-102-0x0000000000510000-0x000000000052F000-memory.dmp	upx
behavioral1/files/0x0006000000015d1d-108.dat	upx
behavioral1/files/0x0006000000015d1d-109.dat	upx
behavioral1/files/0x0007000000015c62-111.dat	upx
behavioral1/memory/1472-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000015d1d-116.dat	upx
behavioral1/files/0x0007000000015c62-115.dat	upx
behavioral1/files/0x0006000000015d1d-114.dat	upx
behavioral1/files/0x0007000000015c62-120.dat	upx
behavioral1/files/0x0006000000015c52-129.dat	upx
behavioral1/files/0x0006000000015e01-127.dat	upx
behavioral1/files/0x0006000000015e01-126.dat	upx
behavioral1/files/0x0006000000015e01-133.dat	upx
behavioral1/files/0x0006000000015e01-135.dat	upx
behavioral1/memory/1092-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c62-147.dat	upx
behavioral1/files/0x0007000000015c62-150.dat	upx
behavioral1/memory/1468-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015c62-145.dat	upx
behavioral1/files/0x0006000000016053-151.dat	upx
behavioral1/files/0x0006000000016053-154.dat	upx
behavioral1/files/0x0006000000016053-152.dat	upx
behavioral1/memory/1936-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/396-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1028-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/396-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1028-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1256-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1216-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1712-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/996-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/888-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1068-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1856-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1148-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1336-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/360-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/360-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1336-228-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/748-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
1948	tmp7092585.exe
1948	tmp7092585.exe
1948	tmp7092585.exe
1948	tmp7092585.exe
764	tmp7092819.exe
764	tmp7092819.exe
764	tmp7092819.exe
764	tmp7092819.exe
1296	tmp7092694.exe
1756	tmp7093162.exe
1756	tmp7093162.exe
1756	tmp7093162.exe
1756	tmp7093162.exe
1472	tmp7093599.exe
1472	tmp7093599.exe
1472	tmp7093599.exe
1472	tmp7093599.exe
1296	tmp7092694.exe
1092	tmp7094145.exe
1092	tmp7094145.exe
1468	notpad.exe
1468	notpad.exe
1092	tmp7094145.exe
1092	tmp7094145.exe
1468	notpad.exe
1936	tmp7094473.exe
1936	tmp7094473.exe
1412	tmp7094410.exe
1412	tmp7094410.exe
1936	tmp7094473.exe
1936	tmp7094473.exe
396	notpad.exe
396	notpad.exe
1028	tmp7095253.exe
1028	tmp7095253.exe
396	notpad.exe
1028	tmp7095253.exe
1028	tmp7095253.exe
1880	tmp7095767.exe
1880	tmp7095767.exe
1256	tmp7096126.exe
1256	tmp7096126.exe
1216	notpad.exe
1216	notpad.exe
1256	tmp7096126.exe
1256	tmp7096126.exe
1216	notpad.exe
1168	tmp7096251.exe
1168	tmp7096251.exe
996	tmp7096376.exe
996	tmp7096376.exe
1712	notpad.exe
1712	notpad.exe
996	tmp7096376.exe
996	tmp7096376.exe
1712	notpad.exe
980	tmp7096547.exe
980	tmp7096547.exe
1068	tmp7096657.exe
888	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.stb	tmp7092694.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7097421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7099012.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7098856.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104769.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7096251.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7102507.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7103801.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7128278.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7095767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7101368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7102257.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7109402.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7107015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7095767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7097218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7098513.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7099730.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096922.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097749.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7098513.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109402.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096547.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7100276.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103505.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7151382.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7107561.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107561.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7107015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7094410.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7097749.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7097749.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7103224.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7104769.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7106563.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7182738.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7095767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098513.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7100276.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7101368.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7105829.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098856.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104285.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104769.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096251.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102257.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7103801.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7104550.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104956.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7097218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128278.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096922.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7098513.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7101742.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104956.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7105564.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7112662.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096547.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
948	1732	WerFault.exe	84

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104956.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106063.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7112662.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104082.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 840	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	26
PID 1376 wrote to memory of 840	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	26
PID 1376 wrote to memory of 840	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	26
PID 1376 wrote to memory of 840	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	26
PID 1376 wrote to memory of 1948	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	27
PID 1376 wrote to memory of 1948	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	27
PID 1376 wrote to memory of 1948	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	27
PID 1376 wrote to memory of 1948	1376	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	27
PID 1948 wrote to memory of 1296	1948	tmp7092585.exe	28
PID 1948 wrote to memory of 1296	1948	tmp7092585.exe	28
PID 1948 wrote to memory of 1296	1948	tmp7092585.exe	28
PID 1948 wrote to memory of 1296	1948	tmp7092585.exe	28
PID 1948 wrote to memory of 764	1948	tmp7092585.exe	29
PID 1948 wrote to memory of 764	1948	tmp7092585.exe	29
PID 1948 wrote to memory of 764	1948	tmp7092585.exe	29
PID 1948 wrote to memory of 764	1948	tmp7092585.exe	29
PID 764 wrote to memory of 1768	764	tmp7092819.exe	32
PID 764 wrote to memory of 1768	764	tmp7092819.exe	32
PID 764 wrote to memory of 1768	764	tmp7092819.exe	32
PID 764 wrote to memory of 1768	764	tmp7092819.exe	32
PID 764 wrote to memory of 1756	764	tmp7092819.exe	30
PID 764 wrote to memory of 1756	764	tmp7092819.exe	30
PID 764 wrote to memory of 1756	764	tmp7092819.exe	30
PID 764 wrote to memory of 1756	764	tmp7092819.exe	30
PID 1756 wrote to memory of 624	1756	tmp7093162.exe	33
PID 1756 wrote to memory of 624	1756	tmp7093162.exe	33
PID 1756 wrote to memory of 624	1756	tmp7093162.exe	33
PID 1756 wrote to memory of 624	1756	tmp7093162.exe	33
PID 1756 wrote to memory of 1472	1756	tmp7093162.exe	34
PID 1756 wrote to memory of 1472	1756	tmp7093162.exe	34
PID 1756 wrote to memory of 1472	1756	tmp7093162.exe	34
PID 1756 wrote to memory of 1472	1756	tmp7093162.exe	34
PID 1472 wrote to memory of 1604	1472	tmp7093599.exe	35
PID 1472 wrote to memory of 1604	1472	tmp7093599.exe	35
PID 1472 wrote to memory of 1604	1472	tmp7093599.exe	35
PID 1472 wrote to memory of 1604	1472	tmp7093599.exe	35
PID 1472 wrote to memory of 1092	1472	tmp7093599.exe	36
PID 1472 wrote to memory of 1092	1472	tmp7093599.exe	36
PID 1472 wrote to memory of 1092	1472	tmp7093599.exe	36
PID 1472 wrote to memory of 1092	1472	tmp7093599.exe	36
PID 1296 wrote to memory of 1468	1296	tmp7092694.exe	31
PID 1296 wrote to memory of 1468	1296	tmp7092694.exe	31
PID 1296 wrote to memory of 1468	1296	tmp7092694.exe	31
PID 1296 wrote to memory of 1468	1296	tmp7092694.exe	31
PID 1092 wrote to memory of 1412	1092	tmp7094145.exe	39
PID 1092 wrote to memory of 1412	1092	tmp7094145.exe	39
PID 1092 wrote to memory of 1412	1092	tmp7094145.exe	39
PID 1092 wrote to memory of 1412	1092	tmp7094145.exe	39
PID 1468 wrote to memory of 1876	1468	notpad.exe	38
PID 1468 wrote to memory of 1876	1468	notpad.exe	38
PID 1468 wrote to memory of 1876	1468	notpad.exe	38
PID 1468 wrote to memory of 1876	1468	notpad.exe	38
PID 1092 wrote to memory of 1936	1092	tmp7094145.exe	37
PID 1092 wrote to memory of 1936	1092	tmp7094145.exe	37
PID 1092 wrote to memory of 1936	1092	tmp7094145.exe	37
PID 1092 wrote to memory of 1936	1092	tmp7094145.exe	37
PID 1936 wrote to memory of 1908	1936	tmp7094473.exe	40
PID 1936 wrote to memory of 1908	1936	tmp7094473.exe	40
PID 1936 wrote to memory of 1908	1936	tmp7094473.exe	40
PID 1936 wrote to memory of 1908	1936	tmp7094473.exe	40
PID 1468 wrote to memory of 1888	1468	notpad.exe	41
PID 1468 wrote to memory of 1888	1468	notpad.exe	41
PID 1468 wrote to memory of 1888	1468	notpad.exe	41
PID 1468 wrote to memory of 1888	1468	notpad.exe	41

C:\Users\Admin\AppData\Local\Temp\0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
"C:\Users\Admin\AppData\Local\Temp\0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\tmp7092538.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092538.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Users\Admin\AppData\Local\Temp\tmp7092585.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092585.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\tmp7092694.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7092694.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        5⤵
        Executes dropped EXE
        
        PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\tmp7094597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094597.exe
        5⤵
        Executes dropped EXE
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\tmp7102257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102257.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
        9⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103021.exe
        11⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103505.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103505.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103801.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104082.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104082.exe
        19⤵
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104550.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104769.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104956.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104971.exe
        27⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118497.exe
        27⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119542.exe
        29⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        30⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122178.exe
        29⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123660.exe
        30⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        32⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127202.exe
        33⤵
        
        PID:436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131024.exe
        35⤵
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132428.exe
        37⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132708.exe
        37⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136484.exe
        38⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142521.exe
        40⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145672.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145672.exe
        40⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        41⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145984.exe
        41⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148231.exe
        43⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148636.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148636.exe
        44⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149759.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149759.exe
        44⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        42⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166966.exe
        44⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168121.exe
        45⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167949.exe
        45⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137139.exe
        38⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131476.exe
        35⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        36⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140540.exe
        38⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141788.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141788.exe
        38⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142599.exe
        39⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        41⤵
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149369.exe
        43⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149806.exe
        43⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150836.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150836.exe
        44⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152443.exe
        44⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148855.exe
        41⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149385.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149385.exe
        42⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151382.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151382.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151647.exe
        45⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154783.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154783.exe
        47⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157591.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157591.exe
        49⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159400.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159400.exe
        51⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        51⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        52⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166685.exe
        52⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158027.exe
        49⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        50⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165203.exe
        52⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165422.exe
        52⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165874.exe
        53⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159229.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159229.exe
        50⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155719.exe
        47⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156608.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156608.exe
        48⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        48⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151881.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151881.exe
        45⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        46⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210459.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210459.exe
        48⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213174.exe
        48⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218025.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218025.exe
        49⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150118.exe
        42⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142739.exe
        39⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217791.exe
        39⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
        36⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123801.exe
        30⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104784.exe
        25⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
        23⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104316.exe
        21⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113302.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113302.exe
        20⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104098.exe
        19⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103864.exe
        17⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103521.exe
        15⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103240.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103240.exe
        13⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103053.exe
        11⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102772.exe
        9⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
        7⤵
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\tmp7102273.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102273.exe
        5⤵
        
        PID:828
- - C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093162.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093162.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093381.exe
        5⤵
        Executes dropped EXE
        
        PID:624
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093599.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Users\Admin\AppData\Local\Temp\tmp7093927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093927.exe
        6⤵
        Executes dropped EXE
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095128.exe
        8⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095253.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096001.exe
        9⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096126.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096251.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
        12⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096703.exe
        12⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096376.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096547.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096937.exe
        13⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150898.exe
        14⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096657.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
        14⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097327.exe
        14⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097031.exe
        12⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097218.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097811.exe
        17⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097920.exe
        17⤵
        Executes dropped EXE
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097530.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097530.exe
        15⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097265.exe
        13⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097499.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097499.exe
        14⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        14⤵
        Executes dropped EXE
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097749.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098201.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098856.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099730.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100276.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
        25⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101368.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101742.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101742.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102054.exe
        29⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168885.exe
        30⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171693.exe
        32⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
        34⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178276.exe
        36⤵
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194126.exe
        38⤵
        
        PID:624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        40⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218119.exe
        42⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222393.exe
        42⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238103.exe
        43⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238290.exe
        43⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211395.exe
        40⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213252.exe
        41⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222924.exe
        41⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201084.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201084.exe
        38⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202987.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202987.exe
        39⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209040.exe
        39⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181194.exe
        36⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190538.exe
        37⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176997.exe
        34⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178323.exe
        35⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195889.exe
        37⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203751.exe
        39⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208041.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208041.exe
        40⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202893.exe
        37⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        38⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222440.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222440.exe
        40⤵
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231644.exe
        42⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222581.exe
        40⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226325.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226325.exe
        41⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218103.exe
        38⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191396.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191396.exe
        35⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172473.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172473.exe
        32⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        33⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176981.exe
        35⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181303.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181303.exe
        37⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181521.exe
        37⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185296.exe
        38⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        38⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177902.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177902.exe
        35⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
        36⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182832.exe
        36⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        33⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        27⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100744.exe
        25⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100354.exe
        23⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100042.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100042.exe
        21⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099293.exe
        19⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098326.exe
        17⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097842.exe
        15⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098045.exe
        16⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098295.exe
        16⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098513.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099012.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099012.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099433.exe
        21⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099589.exe
        21⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099059.exe
        19⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098638.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098638.exe
        17⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 36
        18⤵
        Program crash
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207870.exe
        13⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107405.exe
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107951.exe
        14⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108450.exe
        15⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108606.exe
        15⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094410.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094410.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095767.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe
        11⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
        11⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096048.exe
        9⤵
        Executes dropped EXE
        
        PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\tmp7092928.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7092928.exe
      4⤵
      Executes dropped EXE
      PID:1768

C:\Users\Admin\AppData\Local\Temp\tmp7105190.exe
C:\Users\Admin\AppData\Local\Temp\tmp7105190.exe
1⤵
- Modifies registry class
PID:1924
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\tmp7105408.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7105408.exe
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\tmp7105564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105564.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105829.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106282.exe
        11⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106563.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106797.exe
        15⤵
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107249.exe
        19⤵
        
        PID:888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107421.exe
        21⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107561.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108996.exe
        24⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109573.exe
        26⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109932.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109932.exe
        26⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110182.exe
        27⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111040.exe
        29⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111274.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111274.exe
        29⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112413.exe
        30⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117436.exe
        32⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        32⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        33⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114207.exe
        30⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110509.exe
        27⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109074.exe
        24⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110260.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110260.exe
        27⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110400.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110400.exe
        27⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110650.exe
        28⤵
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111492.exe
        30⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
        34⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116422.exe
        34⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116859.exe
        35⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118590.exe
        37⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119526.exe
        38⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        38⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
        35⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113115.exe
        32⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113395.exe
        33⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128824.exe
        32⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111664.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111664.exe
        30⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112335.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112335.exe
        31⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112600.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112600.exe
        31⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111055.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111055.exe
        28⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109480.exe
        25⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108138.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108138.exe
        22⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107265.exe
        19⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        20⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107467.exe
        20⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107031.exe
        17⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106828.exe
        15⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106594.exe
        13⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106344.exe
        11⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106079.exe
        9⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
        7⤵
        
        PID:584
    - - C:\Users\Admin\AppData\Local\Temp\tmp7105595.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105595.exe
        5⤵
        
        PID:820
- - C:\Users\Admin\AppData\Local\Temp\tmp7105424.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7105424.exe
    3⤵
    PID:616
- - C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        5⤵
        
        PID:560
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126609.exe
        5⤵
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        6⤵
        
        PID:1808

C:\Users\Admin\AppData\Local\Temp\tmp7105205.exe
C:\Users\Admin\AppData\Local\Temp\tmp7105205.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
1⤵
PID:1736
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\tmp7128777.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7128777.exe
    3⤵
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tmp7137154.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7137154.exe
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\tmp7137248.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7137248.exe
      4⤵
      PID:1900

C:\Users\Admin\AppData\Local\Temp\tmp7166873.exe
C:\Users\Admin\AppData\Local\Temp\tmp7166873.exe
1⤵
PID:924
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\tmp7169119.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7169119.exe
    3⤵
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\tmp7169774.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7169774.exe
      4⤵
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\tmp7169431.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7169431.exe
      4⤵
      PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7092538.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092585.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092585.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092694.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092694.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092928.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093162.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093162.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093381.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093599.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093599.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093927.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094410.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094410.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094597.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7095128.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7095253.exe

Filesize
561KB

MD5
ba24d587387b8f54a2d4011dafc0dee2

SHA1
6740995b61a067abf692236bad9d0becc692c02d

SHA256
16c1a496517072b2b703ae82dea87033a5b9b0946f25421320a7d8ac2979e88c

SHA512
9be2666282307c96b38ee7b7287a05bf4ad835c632c78b7a5b4b419f853af97c3be4601c731b55e49541d17e0cdd88848d1a8803f0710479655b094bc99ba34a

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092538.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092538.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092585.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092585.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092694.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092694.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092928.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092928.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093162.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093162.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093381.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093381.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093599.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093599.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093927.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093927.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094410.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094410.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094426.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094426.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094473.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094473.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094597.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7095128.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7095128.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7095253.exe

Filesize
561KB

MD5
ba24d587387b8f54a2d4011dafc0dee2

SHA1
6740995b61a067abf692236bad9d0becc692c02d

SHA256
16c1a496517072b2b703ae82dea87033a5b9b0946f25421320a7d8ac2979e88c

SHA512
9be2666282307c96b38ee7b7287a05bf4ad835c632c78b7a5b4b419f853af97c3be4601c731b55e49541d17e0cdd88848d1a8803f0710479655b094bc99ba34a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7095253.exe

Filesize
561KB

MD5
ba24d587387b8f54a2d4011dafc0dee2

SHA1
6740995b61a067abf692236bad9d0becc692c02d

SHA256
16c1a496517072b2b703ae82dea87033a5b9b0946f25421320a7d8ac2979e88c

SHA512
9be2666282307c96b38ee7b7287a05bf4ad835c632c78b7a5b4b419f853af97c3be4601c731b55e49541d17e0cdd88848d1a8803f0710479655b094bc99ba34a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
memory/320-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/360-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/360-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/360-256-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/396-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/572-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/684-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/748-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-58-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/888-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1028-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1028-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-102-0x0000000000510000-0x000000000052F000-memory.dmp

Filesize
124KB

Download
memory/1332-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1336-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1336-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-257-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1756-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-98-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1764-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1880-168-0x0000000002290000-0x000000000229D000-memory.dmp

Filesize
52KB

Download
memory/1888-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download