55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d

Analysis

max time kernel
117s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
Size

891KB
MD5

02bdf0980c26572fb5638c307fcafc63
SHA1

58bf7e0811fab18c9850e3dc0852709a599189a9
SHA256

55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d
SHA512

92d3cc2363f32d7cb51dc7e3dafb9e1ae8f151a81c83238a382beec445385527314a86c5c3c22fd9763b28bdcc86456afd18ec3cad4cf618b76c9a7426cd228c
SSDEEP

12288:HPhR9PGPhR9PePhR9PuPhR9PoPNR9PgPhR9P9PhR9PGPhR9PePhR9PuPhR9P:JRWRSRmR8RgRJRWRSRmR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2016	tmp7092772.exe
932	tmp7092819.exe
840	tmp7102787.exe
1704	tmp7097546.exe
2004	tmp7103021.exe
792	tmp7102366.exe
752	notpad.exe
432	notpad.exe
1344	tmp7093396.exe
1364	tmp7093412.exe
756	tmp7093459.exe
1940	notpad.exe
776	tmp7093583.exe
1252	notpad.exe
2008	notpad.exe
1788	tmp7093802.exe
1724	tmp7101524.exe
1752	tmp7097203.exe
1496	tmp7094145.exe
1312	notpad.exe
852	tmp7095986.exe
1280	tmp7102819.exe
1284	tmp7094301.exe
648	notpad.exe
324	tmp7100915.exe
1068	tmp7094473.exe
940	notpad.exe
956	notpad.exe
1532	notpad.exe
1580	tmp7097842.exe
384	tmp7094785.exe
792	tmp7102366.exe
1292	notpad.exe
652	tmp7095268.exe
1260	notpad.exe
816	notpad.exe
1552	tmp7095409.exe
1756	notpad.exe
1104	tmp7096657.exe
1076	notpad.exe
1772	tmp7095580.exe
1760	notpad.exe
1572	tmp7095689.exe
2008	notpad.exe
552	notpad.exe
1764	tmp7095814.exe
884	tmp7102725.exe
1312	notpad.exe
1992	tmp7095970.exe
852	tmp7095986.exe
1704	tmp7097546.exe
676	tmp7100432.exe
1912	tmp7100104.exe
1732	notpad.exe
1528	tmp7100900.exe
812	tmp7100666.exe
1644	notpad.exe
1612	tmp7096298.exe
1976	tmp7096345.exe
1984	notpad.exe
792	tmp7102366.exe
732	tmp7097951.exe
1260	notpad.exe
652	tmp7095268.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000126f1-58.dat	upx
behavioral1/files/0x00090000000126f1-62.dat	upx
behavioral1/files/0x00090000000126f1-61.dat	upx
behavioral1/files/0x00090000000126f1-59.dat	upx
behavioral1/memory/896-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/932-69-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000132e5-73.dat	upx
behavioral1/files/0x00070000000132e5-72.dat	upx
behavioral1/memory/932-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000132e5-75.dat	upx
behavioral1/files/0x00070000000132e5-78.dat	upx
behavioral1/memory/896-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000133e5-92.dat	upx
behavioral1/files/0x00070000000134d5-90.dat	upx
behavioral1/files/0x00070000000134d5-89.dat	upx
behavioral1/files/0x00070000000134d5-87.dat	upx
behavioral1/files/0x00080000000133e5-86.dat	upx
behavioral1/files/0x00070000000134d5-85.dat	upx
behavioral1/files/0x00080000000133e5-98.dat	upx
behavioral1/files/0x00080000000133e5-112.dat	upx
behavioral1/memory/792-118-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000133e5-120.dat	upx
behavioral1/memory/752-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000133e5-142.dat	upx
behavioral1/files/0x00080000000133e5-139.dat	upx
behavioral1/files/0x00070000000132f6-148.dat	upx
behavioral1/memory/2008-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/852-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/648-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/940-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1580-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1752-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1292-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/816-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1104-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1732-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/812-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1512-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/968-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1156-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1512-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1460-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1984-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1312-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2040-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/648-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1644-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/604-302-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/552-304-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-308-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2040-310-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/432-323-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1916-325-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1772-332-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1676-335-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/884-337-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1252-340-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
932	tmp7092819.exe
932	tmp7102850.exe
932	tmp7102850.exe
932	tmp7102850.exe
1704	tmp7097546.exe
1704	tmp7097546.exe
1704	tmp7097546.exe
2016	tmp7092772.exe
1704	tmp7097546.exe
2016	tmp7092772.exe
792	tmp7102366.exe
792	tmp7102366.exe
752	notpad.exe
752	notpad.exe
792	tmp7102366.exe
792	tmp7102366.exe
432	notpad.exe
432	notpad.exe
752	notpad.exe
1940	notpad.exe
1940	notpad.exe
1940	notpad.exe
1004	WerFault.exe
1004	WerFault.exe
776	tmp7093583.exe
776	tmp7093583.exe
2008	notpad.exe
2008	notpad.exe
2008	notpad.exe
1788	tmp7093802.exe
1788	tmp7093802.exe
1752	tmp7097203.exe
1752	tmp7097203.exe
1752	tmp7097203.exe
1496	tmp7094145.exe
1496	tmp7094145.exe
852	tmp7095986.exe
852	tmp7095986.exe
852	tmp7095986.exe
1280	tmp7102819.exe
1280	tmp7102819.exe
648	notpad.exe
648	notpad.exe
648	notpad.exe
1004	WerFault.exe
324	tmp7100915.exe
324	tmp7100915.exe
940	notpad.exe
940	notpad.exe
940	notpad.exe
956	notpad.exe
956	notpad.exe
1580	tmp7097842.exe
1580	tmp7097842.exe
1580	tmp7097842.exe
384	tmp7094785.exe
384	tmp7094785.exe
1292	notpad.exe
1292	notpad.exe
1292	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7100915.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122194.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118918.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7162645.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7101820.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7208291.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7207308.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7100915.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102787.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7208291.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7181053.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7093802.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7101087.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7159338.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131398.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7169103.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102366.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102709.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097951.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7095409.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7208291.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133020.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102850.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119901.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124362.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7131398.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102819.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7097842.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128543.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7096657.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7119823.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7096298.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7132724.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7204016.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098591.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7101290.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119994.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7121227.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7095268.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7095970.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7097842.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103021.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7101758.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7204016.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7161132.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7100182.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118310.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7127186.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7119370.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102881.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7164907.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7206481.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096298.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098279.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7100432.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1004	1364	WerFault.exe	36

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7204016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092772.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7208291.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160477.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2016	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	28
PID 896 wrote to memory of 2016	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	28
PID 896 wrote to memory of 2016	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	28
PID 896 wrote to memory of 2016	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	28
PID 896 wrote to memory of 932	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	29
PID 896 wrote to memory of 932	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	29
PID 896 wrote to memory of 932	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	29
PID 896 wrote to memory of 932	896	55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe	29
PID 932 wrote to memory of 840	932	tmp7102850.exe	178
PID 932 wrote to memory of 840	932	tmp7102850.exe	178
PID 932 wrote to memory of 840	932	tmp7102850.exe	178
PID 932 wrote to memory of 840	932	tmp7102850.exe	178
PID 932 wrote to memory of 1704	932	tmp7102850.exe	239
PID 932 wrote to memory of 1704	932	tmp7102850.exe	239
PID 932 wrote to memory of 1704	932	tmp7102850.exe	239
PID 932 wrote to memory of 1704	932	tmp7102850.exe	239
PID 1704 wrote to memory of 2004	1704	tmp7097546.exe	170
PID 1704 wrote to memory of 2004	1704	tmp7097546.exe	170
PID 1704 wrote to memory of 2004	1704	tmp7097546.exe	170
PID 1704 wrote to memory of 2004	1704	tmp7097546.exe	170
PID 1704 wrote to memory of 792	1704	tmp7097546.exe	160
PID 1704 wrote to memory of 792	1704	tmp7097546.exe	160
PID 1704 wrote to memory of 792	1704	tmp7097546.exe	160
PID 1704 wrote to memory of 792	1704	tmp7097546.exe	160
PID 2016 wrote to memory of 752	2016	tmp7092772.exe	96
PID 2016 wrote to memory of 752	2016	tmp7092772.exe	96
PID 2016 wrote to memory of 752	2016	tmp7092772.exe	96
PID 2016 wrote to memory of 752	2016	tmp7092772.exe	96
PID 792 wrote to memory of 432	792	tmp7102366.exe	222
PID 792 wrote to memory of 432	792	tmp7102366.exe	222
PID 792 wrote to memory of 432	792	tmp7102366.exe	222
PID 792 wrote to memory of 432	792	tmp7102366.exe	222
PID 752 wrote to memory of 1344	752	notpad.exe	264
PID 752 wrote to memory of 1344	752	notpad.exe	264
PID 752 wrote to memory of 1344	752	notpad.exe	264
PID 752 wrote to memory of 1344	752	notpad.exe	264
PID 792 wrote to memory of 1364	792	tmp7102366.exe	36
PID 792 wrote to memory of 1364	792	tmp7102366.exe	36
PID 792 wrote to memory of 1364	792	tmp7102366.exe	36
PID 792 wrote to memory of 1364	792	tmp7102366.exe	36
PID 432 wrote to memory of 1940	432	notpad.exe	263
PID 432 wrote to memory of 1940	432	notpad.exe	263
PID 432 wrote to memory of 1940	432	notpad.exe	263
PID 432 wrote to memory of 1940	432	notpad.exe	263
PID 752 wrote to memory of 756	752	notpad.exe	262
PID 752 wrote to memory of 756	752	notpad.exe	262
PID 752 wrote to memory of 756	752	notpad.exe	262
PID 752 wrote to memory of 756	752	notpad.exe	262
PID 1364 wrote to memory of 1004	1364	tmp7093412.exe	261
PID 1364 wrote to memory of 1004	1364	tmp7093412.exe	261
PID 1364 wrote to memory of 1004	1364	tmp7093412.exe	261
PID 1364 wrote to memory of 1004	1364	tmp7093412.exe	261
PID 1940 wrote to memory of 776	1940	notpad.exe	260
PID 1940 wrote to memory of 776	1940	notpad.exe	260
PID 1940 wrote to memory of 776	1940	notpad.exe	260
PID 1940 wrote to memory of 776	1940	notpad.exe	260
PID 1940 wrote to memory of 1252	1940	notpad.exe	126
PID 1940 wrote to memory of 1252	1940	notpad.exe	126
PID 1940 wrote to memory of 1252	1940	notpad.exe	126
PID 1940 wrote to memory of 1252	1940	notpad.exe	126
PID 776 wrote to memory of 2008	776	tmp7093583.exe	259
PID 776 wrote to memory of 2008	776	tmp7093583.exe	259
PID 776 wrote to memory of 2008	776	tmp7093583.exe	259
PID 776 wrote to memory of 2008	776	tmp7093583.exe	259

C:\Users\Admin\AppData\Local\Temp\55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe
"C:\Users\Admin\AppData\Local\Temp\55efdbcfdac00a8c67b4a2d5cca7aa00e56e5c25abf1b46aaa7bd4ee56e17c1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\tmp7092772.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092772.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1684
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\tmp7125205.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125205.exe
        5⤵
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\tmp7125626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125626.exe
        5⤵
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\tmp7125813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125813.exe
        6⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126515.exe
        8⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126624.exe
        8⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126921.exe
        9⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127841.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127841.exe
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134690.exe
        11⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        11⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152536.exe
        12⤵
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154580.exe
        14⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155641.exe
        14⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156233.exe
        15⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157169.exe
        17⤵
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157903.exe
        19⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158729.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158729.exe
        21⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159509.exe
        23⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159790.exe
        23⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160523.exe
        24⤵
        
        PID:732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        26⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161787.exe
        26⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162895.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162895.exe
        27⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163768.exe
        27⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        24⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158963.exe
        21⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159338.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159338.exe
        22⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160243.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160243.exe
        24⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        26⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        26⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162208.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162208.exe
        27⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163175.exe
        29⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        29⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164860.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164860.exe
        30⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165531.exe
        30⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162520.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162520.exe
        27⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        24⤵
        Modifies registry class
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161132.exe
        25⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162645.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164767.exe
        29⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164907.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169166.exe
        32⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169727.exe
        32⤵
        Modifies registry class
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171272.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171272.exe
        33⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171709.exe
        33⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164954.exe
        30⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164720.exe
        29⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        27⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163893.exe
        28⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165359.exe
        30⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        30⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169103.exe
        31⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170351.exe
        33⤵
        
        PID:612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
        35⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173362.exe
        35⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
        36⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184048.exe
        36⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171163.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171163.exe
        33⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171412.exe
        34⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181053.exe
        36⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182754.exe
        38⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184064.exe
        38⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184345.exe
        39⤵
        
        PID:324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203143.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203143.exe
        41⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204640.exe
        43⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205374.exe
        43⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206434.exe
        44⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        46⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207979.exe
        48⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211520.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211520.exe
        50⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        52⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215607.exe
        52⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216372.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216372.exe
        53⤵
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231379.exe
        55⤵
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232346.exe
        57⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234249.exe
        59⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238555.exe
        61⤵
        
        PID:840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241691.exe
        63⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239288.exe
        61⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240256.exe
        62⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240614.exe
        62⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236309.exe
        59⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238290.exe
        60⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238758.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238758.exe
        60⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232767.exe
        57⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233516.exe
        58⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233766.exe
        58⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231644.exe
        55⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231956.exe
        56⤵
        
        PID:920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232830.exe
        58⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234530.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234530.exe
        60⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235326.exe
        60⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237978.exe
        61⤵
        
        PID:976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239787.exe
        63⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241738.exe
        65⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240349.exe
        63⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241457.exe
        64⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238508.exe
        61⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233235.exe
        58⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233797.exe
        59⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235154.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235154.exe
        59⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232268.exe
        56⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        53⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212253.exe
        50⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214406.exe
        51⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230022.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230022.exe
        53⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230381.exe
        53⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230693.exe
        54⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230895.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230895.exe
        54⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216091.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216091.exe
        51⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208291.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209976.exe
        49⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212207.exe
        49⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207667.exe
        46⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208197.exe
        47⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209477.exe
        47⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206980.exe
        44⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        41⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204734.exe
        42⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205405.exe
        42⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202441.exe
        39⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206481.exe
        42⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207807.exe
        44⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208509.exe
        44⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211239.exe
        45⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213689.exe
        45⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207261.exe
        42⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207542.exe
        43⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209539.exe
        45⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208150.exe
        43⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204204.exe
        40⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182364.exe
        36⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182800.exe
        37⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        39⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202441.exe
        39⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204157.exe
        40⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204781.exe
        40⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        37⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171677.exe
        34⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169681.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169681.exe
        31⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
        28⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161771.exe
        25⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159556.exe
        22⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158012.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158012.exe
        19⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        20⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        20⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157263.exe
        17⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157403.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157403.exe
        18⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157559.exe
        18⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        15⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        12⤵
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\tmp7125922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125922.exe
        6⤵
        
        PID:1868
- C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\tmp7092897.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7092897.exe
    3⤵
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093240.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093240.exe
      4⤵
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093412.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1004

C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\tmp7099340.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099340.exe
  2⤵
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
    3⤵
    PID:948
- C:\Users\Admin\AppData\Local\Temp\tmp7099324.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099324.exe
  2⤵
  - Modifies registry class
  PID:268

C:\Users\Admin\AppData\Local\Temp\tmp7093630.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093630.exe
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\tmp7093833.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093833.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp7094176.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094176.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\tmp7094301.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094301.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\tmp7094441.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7094441.exe
  2⤵
  PID:324
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\tmp7095175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095175.exe
        6⤵
        
        PID:792
  - - C:\Users\Admin\AppData\Local\Temp\tmp7094660.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7094660.exe
      4⤵
      PID:1532
- C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7094473.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
  2⤵
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
  2⤵
  PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7094270.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094270.exe
1⤵
PID:1280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:852
- C:\Users\Admin\AppData\Local\Temp\tmp7101695.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7101695.exe
  2⤵
  PID:1424

C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp7095284.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095284.exe
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
  2⤵
  PID:652
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\tmp7099652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099652.exe
        5⤵
        
        PID:920
- C:\Users\Admin\AppData\Local\Temp\tmp7096501.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096501.exe
  2⤵
  PID:612

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:816
- C:\Users\Admin\AppData\Local\Temp\tmp7095424.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095424.exe
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:968
- C:\Users\Admin\AppData\Local\Temp\tmp7095409.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095409.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1552

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1104
- C:\Users\Admin\AppData\Local\Temp\tmp7095549.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095549.exe
  2⤵
  PID:1076

C:\Users\Admin\AppData\Local\Temp\tmp7095689.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095689.exe
1⤵
- Executes dropped EXE
PID:1572
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:552

C:\Users\Admin\AppData\Local\Temp\tmp7095830.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095830.exe
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\tmp7099948.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099948.exe
  2⤵
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\tmp7102897.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102897.exe
    3⤵
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\tmp7103021.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7103021.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2004
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:648
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\tmp7117904.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117904.exe
        6⤵
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        6⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118310.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118310.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118918.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119168.exe
        11⤵
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        13⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119417.exe
        13⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119526.exe
        14⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119745.exe
        14⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119292.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119292.exe
        11⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        12⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119620.exe
        14⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119901.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        18⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120291.exe
        18⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        21⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124409.exe
        23⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125111.exe
        24⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125766.exe
        26⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126234.exe
        26⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126375.exe
        27⤵
        
        PID:316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
        29⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128543.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129167.exe
        33⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129776.exe
        35⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130478.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130478.exe
        37⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130946.exe
        37⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131538.exe
        38⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132724.exe
        40⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133613.exe
        42⤵
        Modifies registry class
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134565.exe
        42⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135750.exe
        43⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148402.exe
        45⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148761.exe
        45⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        46⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153925.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153925.exe
        46⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135844.exe
        43⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132974.exe
        40⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
        41⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133754.exe
        41⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131694.exe
        38⤵
        Modifies registry class
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130056.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130056.exe
        35⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130493.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130493.exe
        36⤵
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131398.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131398.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
        40⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132584.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132584.exe
        40⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134346.exe
        43⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135360.exe
        45⤵
        Modifies registry class
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135766.exe
        45⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146920.exe
        46⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153878.exe
        48⤵
        
        PID:876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154720.exe
        48⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155968.exe
        49⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156514.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156514.exe
        49⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148714.exe
        46⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        43⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135329.exe
        44⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144923.exe
        44⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        41⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131648.exe
        38⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        39⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132443.exe
        39⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130743.exe
        36⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129261.exe
        33⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129401.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129401.exe
        34⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129573.exe
        34⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128730.exe
        31⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        32⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129120.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129120.exe
        32⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127326.exe
        29⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127794.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127794.exe
        30⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127872.exe
        30⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126546.exe
        27⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125252.exe
        24⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123130.exe
        21⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123692.exe
        22⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124503.exe
        22⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121554.exe
        19⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119979.exe
        16⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120135.exe
        17⤵
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121601.exe
        19⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122334.exe
        19⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        20⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123660.exe
        20⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
        17⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119682.exe
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119823.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119823.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
        17⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120774.exe
        19⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121258.exe
        19⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122194.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123270.exe
        22⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123536.exe
        22⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124175.exe
        23⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124456.exe
        23⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
        20⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120104.exe
        17⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120353.exe
        18⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
        18⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe
        15⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119402.exe
        12⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119027.exe
        9⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe
        10⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119246.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119246.exe
        10⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118731.exe
        7⤵
        
        PID:948
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\tmp7102850.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102850.exe
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\tmp7095814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095814.exe
        5⤵
        Executes dropped EXE
        
        PID:1764
- C:\Users\Admin\AppData\Local\Temp\tmp7099933.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099933.exe
  2⤵
  PID:1444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tmp7097530.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7097530.exe
      4⤵
      PID:2004
- C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
  2⤵
  PID:832

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1704
- C:\Users\Admin\AppData\Local\Temp\tmp7096064.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096064.exe
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\tmp7096079.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096079.exe
  2⤵
  PID:1912

C:\Users\Admin\AppData\Local\Temp\tmp7096173.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096173.exe
1⤵
PID:1528
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:812

C:\Users\Admin\AppData\Local\Temp\tmp7096235.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096235.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Local\Temp\tmp7097733.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097733.exe
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1632
- C:\Users\Admin\AppData\Local\Temp\tmp7097764.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097764.exe
  2⤵
  PID:812
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\tmp7100822.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7100822.exe
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\tmp7100931.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100931.exe
        6⤵
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\tmp7100978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100978.exe
        6⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\tmp7102397.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7102397.exe
      4⤵
      PID:1260
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\tmp7102647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102647.exe
        6⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\tmp7102585.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102585.exe
        6⤵
        
        PID:876
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\tmp7102538.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7102538.exe
      4⤵
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\tmp7101040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101040.exe
        5⤵
        
        PID:1512
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:732

C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\tmp7096438.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096438.exe
1⤵
PID:732
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:836

C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
1⤵
PID:788
- C:\Users\Admin\AppData\Local\Temp\tmp7102819.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7102819.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\tmp7101649.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7101649.exe
    3⤵
    PID:1712
- C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
  2⤵
  - Modifies registry class
  PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp7096657.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096657.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1676
- C:\Users\Admin\AppData\Local\Temp\tmp7095580.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095580.exe
  2⤵
  - Executes dropped EXE
  PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7096672.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096672.exe
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7096750.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096750.exe
1⤵
PID:1724
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\tmp7096875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7096875.exe
    3⤵
    PID:936
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\tmp7097140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097140.exe
        5⤵
        
        PID:840
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:976
    - - C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tmp7097031.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097031.exe
    3⤵
    PID:932
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
    3⤵
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\tmp7101617.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7101617.exe
      4⤵
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\tmp7103053.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7103053.exe
    3⤵
    PID:700

C:\Users\Admin\AppData\Local\Temp\tmp7096766.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096766.exe
1⤵
PID:1928
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:604

C:\Users\Admin\AppData\Local\Temp\tmp7096579.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096579.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7097842.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097842.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1580
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\tmp7097983.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097983.exe
    3⤵
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\tmp7097951.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097951.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:732
- - C:\Users\Admin\AppData\Local\Temp\tmp7093459.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7093459.exe
    3⤵
    - Executes dropped EXE
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tmp7093396.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7093396.exe
    3⤵
    - Executes dropped EXE
    PID:1344
- C:\Users\Admin\AppData\Local\Temp\tmp7094785.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7094785.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:384

C:\Users\Admin\AppData\Local\Temp\tmp7097858.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097858.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\tmp7098061.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098061.exe
1⤵
- Modifies registry class
PID:1800
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\tmp7098139.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7098139.exe
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\tmp7098310.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098310.exe
        5⤵
        
        PID:924
    - - C:\Users\Admin\AppData\Local\Temp\tmp7099714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099714.exe
        5⤵
        
        PID:924
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095986.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095970.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117467.exe
        10⤵
        
        PID:752
    - - C:\Users\Admin\AppData\Local\Temp\tmp7099730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099730.exe
        5⤵
        
        PID:2008
- - C:\Users\Admin\AppData\Local\Temp\tmp7098201.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7098201.exe
    3⤵
    PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp7098076.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098076.exe
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp7098451.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098451.exe
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\tmp7098513.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098513.exe
1⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp7098544.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098544.exe
1⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
1⤵
PID:616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\tmp7098794.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7098794.exe
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\tmp7098965.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7098965.exe
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\tmp7097546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097546.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp7098685.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098685.exe
1⤵
PID:1768
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\tmp7100588.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7100588.exe
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\tmp7100432.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7100432.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:676
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp7099028.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099028.exe
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp7099121.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099121.exe
1⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\tmp7099199.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099199.exe
1⤵
PID:384
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1940
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp7099215.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099215.exe
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:652

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\tmp7099480.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099480.exe
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tmp7099621.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7099621.exe
      4⤵
      PID:968
  - - C:\Users\Admin\AppData\Local\Temp\tmp7101165.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7101165.exe
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\tmp7098279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098279.exe
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\tmp7101212.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7101212.exe
      4⤵
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\tmp7101321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101321.exe
        5⤵
        
        PID:936
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102756.exe
        7⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102803.exe
        7⤵
        
        PID:604
- C:\Users\Admin\AppData\Local\Temp\tmp7099527.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7099527.exe
  2⤵
  PID:876

C:\Users\Admin\AppData\Local\Temp\tmp7099839.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099839.exe
1⤵
PID:1700

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1252
- C:\Users\Admin\AppData\Local\Temp\tmp7100073.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100073.exe
  2⤵
  PID:1016
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\tmp7101820.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7101820.exe
      4⤵
      Drops file in System32 directory
      PID:1304
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\tmp7100104.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100104.exe
  2⤵
  - Executes dropped EXE
  PID:1912

C:\Users\Admin\AppData\Local\Temp\tmp7099823.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099823.exe
1⤵
PID:1724
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:852

C:\Users\Admin\AppData\Local\Temp\tmp7100681.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100681.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\tmp7100900.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100900.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1528
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\tmp7101071.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7101071.exe
    3⤵
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\tmp7101103.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7101103.exe
      4⤵
      PID:1504
- - C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:564
  - - C:\Users\Admin\AppData\Local\Temp\tmp7095721.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7095721.exe
      4⤵
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093802.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093802.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tmp7102600.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102600.exe
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1552

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1076
- C:\Users\Admin\AppData\Local\Temp\tmp7101430.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7101430.exe
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:604
- C:\Users\Admin\AppData\Local\Temp\tmp7101290.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7101290.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:1928
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp7101181.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101181.exe
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\tmp7101539.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101539.exe
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\tmp7101695.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7101695.exe
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\tmp7101929.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7101929.exe
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1556
- - C:\Users\Admin\AppData\Local\Temp\tmp7100369.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7100369.exe
    3⤵
    - Modifies registry class
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\tmp7100182.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7100182.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1768

C:\Users\Admin\AppData\Local\Temp\tmp7101758.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101758.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1860
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\tmp7102444.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7102444.exe
      4⤵
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\tmp7102382.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7102382.exe
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\tmp7101992.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7101992.exe
    3⤵
    - Modifies registry class
    PID:1636

C:\Users\Admin\AppData\Local\Temp\tmp7101805.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101805.exe
1⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp7102366.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102366.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1260

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1736
- C:\Users\Admin\AppData\Local\Temp\tmp7117405.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7117405.exe
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\tmp7117420.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7117420.exe
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
    3⤵
    - Modifies registry class
    PID:1940
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        5⤵
        
        PID:732
    - - C:\Users\Admin\AppData\Local\Temp\tmp7118778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118778.exe
        5⤵
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\tmp7118965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118965.exe
        6⤵
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\tmp7119043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119043.exe
        6⤵
        
        PID:1760
- - C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
    3⤵
    PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp7103146.exe
C:\Users\Admin\AppData\Local\Temp\tmp7103146.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\tmp7102881.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102881.exe
1⤵
- Drops file in System32 directory
PID:1232

C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
1⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Temp\tmp7102709.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102709.exe
1⤵
- Drops file in System32 directory
PID:936

C:\Users\Admin\AppData\Local\Temp\tmp7102678.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102678.exe
1⤵
PID:1156

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:2036
- C:\Users\Admin\AppData\Local\Temp\tmp7100853.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100853.exe
  2⤵
  PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
1⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\tmp7101883.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101883.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7101586.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101586.exe
1⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\tmp7101524.exe
C:\Users\Admin\AppData\Local\Temp\tmp7101524.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:324

C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
1⤵
- Executes dropped EXE
PID:812
- C:\Users\Admin\AppData\Local\Temp\tmp7096345.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096345.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\tmp7096298.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096298.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp7099106.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099106.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp7099043.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099043.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\tmp7098607.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098607.exe
1⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\tmp7098591.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098591.exe
1⤵
- Drops file in System32 directory
PID:1016

C:\Users\Admin\AppData\Local\Temp\tmp7098373.exe
C:\Users\Admin\AppData\Local\Temp\tmp7098373.exe
1⤵
PID:1796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp7093583.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093583.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7092772.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092772.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
277KB

MD5
dbb8841a96d2c9917d09d7dc7e58bb56

SHA1
2ebd12e525ce67145dd0c96adc2c3e33f440dfcf

SHA256
2381e753d3b2985e697906abb2ea9ff6317dccbf159d5f4ebd115adecd69d641

SHA512
cd38f7928b9ada8005c003ee44706536fc4e833557f27cc0f925e0e04887b97d00c4725d95729eedaaebf73531ad5d069375a2675d74c2d0e74fcb295c9c7f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
277KB

MD5
dbb8841a96d2c9917d09d7dc7e58bb56

SHA1
2ebd12e525ce67145dd0c96adc2c3e33f440dfcf

SHA256
2381e753d3b2985e697906abb2ea9ff6317dccbf159d5f4ebd115adecd69d641

SHA512
cd38f7928b9ada8005c003ee44706536fc4e833557f27cc0f925e0e04887b97d00c4725d95729eedaaebf73531ad5d069375a2675d74c2d0e74fcb295c9c7f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092897.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
230KB

MD5
9b33f16800c04b2989b42f3f37f2388b

SHA1
a64753dbff856f2758e7acb5dcca3b86545cfe45

SHA256
76819b7fad25a897d2a322b4111c25573e9240553b44ad85059385383ea8b370

SHA512
35f4deb09b7f9e7bc40e7f96e6a7c48da9e37f81c5e628497f0f7b5bad51cfa428da0b89ef750f24aedcc6425886c0f8a278146441ebfaf58e54189264f2dbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
230KB

MD5
9b33f16800c04b2989b42f3f37f2388b

SHA1
a64753dbff856f2758e7acb5dcca3b86545cfe45

SHA256
76819b7fad25a897d2a322b4111c25573e9240553b44ad85059385383ea8b370

SHA512
35f4deb09b7f9e7bc40e7f96e6a7c48da9e37f81c5e628497f0f7b5bad51cfa428da0b89ef750f24aedcc6425886c0f8a278146441ebfaf58e54189264f2dbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093240.exe

Filesize
183KB

MD5
c6ab8cc0235e19ec9cf88cdd6a3a6bf4

SHA1
f240de7b575a9624e4dadb2d3a4c96b0347359b2

SHA256
e18550c29bc1cbe70c37a0a0c7f6db7a13ba9e66783249f49aed4c7afd7d98b6

SHA512
0adcc5bfd4e72f08a72583c415d74b0c24f90196fbfb555d406526877ad6cf0b8c6148cc0adf2f72ef95188b3eb464272b2b760c8c0a5e9c4042566306c7344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093240.exe

Filesize
183KB

MD5
c6ab8cc0235e19ec9cf88cdd6a3a6bf4

SHA1
f240de7b575a9624e4dadb2d3a4c96b0347359b2

SHA256
e18550c29bc1cbe70c37a0a0c7f6db7a13ba9e66783249f49aed4c7afd7d98b6

SHA512
0adcc5bfd4e72f08a72583c415d74b0c24f90196fbfb555d406526877ad6cf0b8c6148cc0adf2f72ef95188b3eb464272b2b760c8c0a5e9c4042566306c7344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093396.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093412.exe

Filesize
136KB

MD5
8e0e6ac0463992d40f8e8a406523e6c5

SHA1
6da066a097e4944b170fd76892455a9f7276c7b6

SHA256
7fad2ac5ddf9cbb7e61d008922cdeab250b4548c27058c1f996f96d83fa6467d

SHA512
e3311e6bd09182cd50b6aad024285cb3fd20ad16eceb2fe573aadd06493da3fc20e9074594ca6c77ea92aa12cfa27faa51729740f1293fd190ed40aaae47c7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093459.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093583.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093583.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093630.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093802.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093802.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093833.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092772.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092772.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
277KB

MD5
dbb8841a96d2c9917d09d7dc7e58bb56

SHA1
2ebd12e525ce67145dd0c96adc2c3e33f440dfcf

SHA256
2381e753d3b2985e697906abb2ea9ff6317dccbf159d5f4ebd115adecd69d641

SHA512
cd38f7928b9ada8005c003ee44706536fc4e833557f27cc0f925e0e04887b97d00c4725d95729eedaaebf73531ad5d069375a2675d74c2d0e74fcb295c9c7f50

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092819.exe

Filesize
277KB

MD5
dbb8841a96d2c9917d09d7dc7e58bb56

SHA1
2ebd12e525ce67145dd0c96adc2c3e33f440dfcf

SHA256
2381e753d3b2985e697906abb2ea9ff6317dccbf159d5f4ebd115adecd69d641

SHA512
cd38f7928b9ada8005c003ee44706536fc4e833557f27cc0f925e0e04887b97d00c4725d95729eedaaebf73531ad5d069375a2675d74c2d0e74fcb295c9c7f50

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092897.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092897.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
230KB

MD5
9b33f16800c04b2989b42f3f37f2388b

SHA1
a64753dbff856f2758e7acb5dcca3b86545cfe45

SHA256
76819b7fad25a897d2a322b4111c25573e9240553b44ad85059385383ea8b370

SHA512
35f4deb09b7f9e7bc40e7f96e6a7c48da9e37f81c5e628497f0f7b5bad51cfa428da0b89ef750f24aedcc6425886c0f8a278146441ebfaf58e54189264f2dbaf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
230KB

MD5
9b33f16800c04b2989b42f3f37f2388b

SHA1
a64753dbff856f2758e7acb5dcca3b86545cfe45

SHA256
76819b7fad25a897d2a322b4111c25573e9240553b44ad85059385383ea8b370

SHA512
35f4deb09b7f9e7bc40e7f96e6a7c48da9e37f81c5e628497f0f7b5bad51cfa428da0b89ef750f24aedcc6425886c0f8a278146441ebfaf58e54189264f2dbaf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093240.exe

Filesize
183KB

MD5
c6ab8cc0235e19ec9cf88cdd6a3a6bf4

SHA1
f240de7b575a9624e4dadb2d3a4c96b0347359b2

SHA256
e18550c29bc1cbe70c37a0a0c7f6db7a13ba9e66783249f49aed4c7afd7d98b6

SHA512
0adcc5bfd4e72f08a72583c415d74b0c24f90196fbfb555d406526877ad6cf0b8c6148cc0adf2f72ef95188b3eb464272b2b760c8c0a5e9c4042566306c7344c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093240.exe

Filesize
183KB

MD5
c6ab8cc0235e19ec9cf88cdd6a3a6bf4

SHA1
f240de7b575a9624e4dadb2d3a4c96b0347359b2

SHA256
e18550c29bc1cbe70c37a0a0c7f6db7a13ba9e66783249f49aed4c7afd7d98b6

SHA512
0adcc5bfd4e72f08a72583c415d74b0c24f90196fbfb555d406526877ad6cf0b8c6148cc0adf2f72ef95188b3eb464272b2b760c8c0a5e9c4042566306c7344c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093396.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093396.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093412.exe

Filesize
136KB

MD5
8e0e6ac0463992d40f8e8a406523e6c5

SHA1
6da066a097e4944b170fd76892455a9f7276c7b6

SHA256
7fad2ac5ddf9cbb7e61d008922cdeab250b4548c27058c1f996f96d83fa6467d

SHA512
e3311e6bd09182cd50b6aad024285cb3fd20ad16eceb2fe573aadd06493da3fc20e9074594ca6c77ea92aa12cfa27faa51729740f1293fd190ed40aaae47c7ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093412.exe

Filesize
136KB

MD5
8e0e6ac0463992d40f8e8a406523e6c5

SHA1
6da066a097e4944b170fd76892455a9f7276c7b6

SHA256
7fad2ac5ddf9cbb7e61d008922cdeab250b4548c27058c1f996f96d83fa6467d

SHA512
e3311e6bd09182cd50b6aad024285cb3fd20ad16eceb2fe573aadd06493da3fc20e9074594ca6c77ea92aa12cfa27faa51729740f1293fd190ed40aaae47c7ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093412.exe

Filesize
136KB

MD5
8e0e6ac0463992d40f8e8a406523e6c5

SHA1
6da066a097e4944b170fd76892455a9f7276c7b6

SHA256
7fad2ac5ddf9cbb7e61d008922cdeab250b4548c27058c1f996f96d83fa6467d

SHA512
e3311e6bd09182cd50b6aad024285cb3fd20ad16eceb2fe573aadd06493da3fc20e9074594ca6c77ea92aa12cfa27faa51729740f1293fd190ed40aaae47c7ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093412.exe

Filesize
136KB

MD5
8e0e6ac0463992d40f8e8a406523e6c5

SHA1
6da066a097e4944b170fd76892455a9f7276c7b6

SHA256
7fad2ac5ddf9cbb7e61d008922cdeab250b4548c27058c1f996f96d83fa6467d

SHA512
e3311e6bd09182cd50b6aad024285cb3fd20ad16eceb2fe573aadd06493da3fc20e9074594ca6c77ea92aa12cfa27faa51729740f1293fd190ed40aaae47c7ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093459.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093583.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093583.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093630.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093802.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093802.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093833.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
memory/432-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/604-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-344-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/648-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/648-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/792-118-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/816-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-65-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/896-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1156-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1252-340-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1252-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1312-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1312-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-183-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1460-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-328-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-157-0x00000000006D0000-0x00000000006DD000-memory.dmp

Filesize
52KB

Download
memory/1916-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-64-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2040-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download