d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483

Analysis

max time kernel
148s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
Size

9.8MB
MD5

a1d6c03802b53d710ad97145703ba23d
SHA1

f6c66a95a842d5228cfcb533abc91f44584a6ede
SHA256

d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483
SHA512

ef502ddc5a58b656b1eafb161618777152d7e6d0f8edb95ce0a3504bd8456a0e8b4c0b50ce044093eb3acecf7328b3a11f7b413024eb361383558fb3fd0ce216
SSDEEP

196608:S20Ec420Ecq20EcN20Ec420Ecq20EcE20Ec420Ecq20Ec:S20Ec420Ecq20EcN20Ec420Ecq20EcE7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1356	tmp7079465.exe
308	tmp7079793.exe
1540	tmp7080682.exe
1380	tmp7081322.exe
812	tmp7083100.exe
1280	tmp7081509.exe
596	notpad.exe
1628	tmp7084598.exe
1576	tmp7085409.exe
432	notpad.exe
1932	tmp7087390.exe
1816	tmp7087765.exe
1664	notpad.exe
1016	tmp7088576.exe
572	tmp7089418.exe
1992	notpad.exe
836	tmp7090807.exe
1744	tmp7091462.exe
1604	notpad.exe
560	tmp7091961.exe
112	tmp7092242.exe
1528	notpad.exe
1020	tmp7093568.exe
1280	tmp7093646.exe
1408	notpad.exe
1560	tmp7093755.exe
1356	tmp7093864.exe
540	tmp7093849.exe
1812	notpad.exe
828	tmp7094036.exe
1672	tmp7094083.exe
1788	notpad.exe
1552	tmp7094192.exe
1236	tmp7094426.exe
1628	tmp7094239.exe
960	tmp7094301.exe
1052	notpad.exe
1696	notpad.exe
2040	tmp7094816.exe
1776	tmp7094956.exe
2028	tmp7094972.exe
572	tmp7095050.exe
2016	tmp7095705.exe
2032	tmp7095471.exe
1372	notpad.exe
840	tmp7095580.exe
988	tmp7095939.exe
836	notpad.exe
1644	tmp7095783.exe
1168	tmp7096064.exe
1964	notpad.exe
308	tmp7096189.exe
1748	tmp7096579.exe
1328	tmp7096485.exe
284	notpad.exe
1692	tmp7096625.exe
1524	tmp7097109.exe
1344	tmp7096922.exe
1656	tmp7100603.exe
892	tmp7101087.exe
1684	tmp7096906.exe
980	tmp7097187.exe
968	tmp7101555.exe
864	tmp7101321.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000013482-62.dat	upx
behavioral1/files/0x000a000000013482-60.dat	upx
behavioral1/files/0x000a000000013482-59.dat	upx
behavioral1/memory/1308-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000013482-64.dat	upx
behavioral1/memory/308-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000134dc-77.dat	upx
behavioral1/memory/308-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000134dc-75.dat	upx
behavioral1/files/0x00090000000134dc-72.dat	upx
behavioral1/memory/1380-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-89.dat	upx
behavioral1/files/0x00090000000134dc-71.dat	upx
behavioral1/files/0x0007000000014143-94.dat	upx
behavioral1/files/0x0007000000014143-93.dat	upx
behavioral1/files/0x0007000000014143-91.dat	upx
behavioral1/memory/596-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/596-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014118-108.dat	upx
behavioral1/files/0x0007000000014143-114.dat	upx
behavioral1/files/0x0007000000014143-112.dat	upx
behavioral1/files/0x0007000000014143-111.dat	upx
behavioral1/memory/432-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014118-122.dat	upx
behavioral1/files/0x0007000000014143-133.dat	upx
behavioral1/files/0x0007000000014143-131.dat	upx
behavioral1/files/0x0007000000014143-130.dat	upx
behavioral1/memory/1664-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-148.dat	upx
behavioral1/files/0x0006000000014118-145.dat	upx
behavioral1/files/0x0007000000014143-151.dat	upx
behavioral1/files/0x0007000000014143-149.dat	upx
behavioral1/memory/1664-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014118-157.dat	upx
behavioral1/memory/1604-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1280-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/828-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1788-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1052-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1628-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1788-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1628-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1052-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2040-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1964-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1644-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/840-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/284-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1644-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/840-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/284-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
308	tmp7079793.exe
308	tmp7079793.exe
308	tmp7079793.exe
308	tmp7079793.exe
1380	tmp7081322.exe
1380	tmp7081322.exe
1380	tmp7081322.exe
1380	tmp7081322.exe
1356	tmp7079465.exe
1356	tmp7079465.exe
1856	WerFault.exe
1856	WerFault.exe
596	notpad.exe
596	notpad.exe
596	notpad.exe
1628	tmp7084598.exe
1628	tmp7084598.exe
432	notpad.exe
432	notpad.exe
432	notpad.exe
1932	tmp7087390.exe
1932	tmp7087390.exe
1664	notpad.exe
1664	notpad.exe
1664	notpad.exe
1016	tmp7088576.exe
1016	tmp7088576.exe
1992	notpad.exe
1992	notpad.exe
1992	notpad.exe
836	tmp7090807.exe
836	tmp7090807.exe
1856	WerFault.exe
1604	notpad.exe
1604	notpad.exe
1604	notpad.exe
560	tmp7091961.exe
560	tmp7091961.exe
1528	notpad.exe
1528	notpad.exe
1528	notpad.exe
1528	notpad.exe
1020	tmp7093568.exe
1020	tmp7093568.exe
1280	tmp7093646.exe
1280	tmp7093646.exe
1280	tmp7093646.exe
1408	notpad.exe
1408	notpad.exe
1560	tmp7093755.exe
1560	tmp7093755.exe
1408	notpad.exe
1408	notpad.exe
1812	notpad.exe
1812	notpad.exe
540	tmp7093849.exe
540	tmp7093849.exe
828	tmp7094036.exe
828	tmp7094036.exe
828	tmp7094036.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118200.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7119074.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7119433.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7172021.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7180304.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7087390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096064.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119074.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7183518.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7214905.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7172832.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093755.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7101961.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7102413.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7102975.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7104441.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7105595.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7151132.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7182270.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7212612.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7105595.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7115392.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119433.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7149775.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7184610.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7184610.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118200.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7084598.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7091961.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7094956.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7095471.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102975.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7104706.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7116952.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7088576.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7091961.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7100603.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7181474.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096189.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7101711.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7126344.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7170227.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7184610.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7201832.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7088576.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7138168.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7149775.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096064.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124316.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7126344.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093849.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7094192.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096189.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7114253.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7115392.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7145344.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7157138.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7128200.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7174049.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7195873.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7079465.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1856	812	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7210397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7214905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146452.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7170227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7199196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172832.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159884.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119074.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7087390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102803.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104706.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7195873.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182270.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7084598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094956.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7201832.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093755.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1356	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	27
PID 1308 wrote to memory of 1356	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	27
PID 1308 wrote to memory of 1356	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	27
PID 1308 wrote to memory of 1356	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	27
PID 1308 wrote to memory of 308	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	28
PID 1308 wrote to memory of 308	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	28
PID 1308 wrote to memory of 308	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	28
PID 1308 wrote to memory of 308	1308	d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe	28
PID 308 wrote to memory of 1540	308	tmp7079793.exe	34
PID 308 wrote to memory of 1540	308	tmp7079793.exe	34
PID 308 wrote to memory of 1540	308	tmp7079793.exe	34
PID 308 wrote to memory of 1540	308	tmp7079793.exe	34
PID 308 wrote to memory of 1380	308	tmp7079793.exe	33
PID 308 wrote to memory of 1380	308	tmp7079793.exe	33
PID 308 wrote to memory of 1380	308	tmp7079793.exe	33
PID 308 wrote to memory of 1380	308	tmp7079793.exe	33
PID 1380 wrote to memory of 1280	1380	tmp7081322.exe	29
PID 1380 wrote to memory of 1280	1380	tmp7081322.exe	29
PID 1380 wrote to memory of 1280	1380	tmp7081322.exe	29
PID 1380 wrote to memory of 1280	1380	tmp7081322.exe	29
PID 1380 wrote to memory of 812	1380	tmp7081322.exe	32
PID 1380 wrote to memory of 812	1380	tmp7081322.exe	32
PID 1380 wrote to memory of 812	1380	tmp7081322.exe	32
PID 1380 wrote to memory of 812	1380	tmp7081322.exe	32
PID 812 wrote to memory of 1856	812	tmp7083100.exe	30
PID 812 wrote to memory of 1856	812	tmp7083100.exe	30
PID 812 wrote to memory of 1856	812	tmp7083100.exe	30
PID 812 wrote to memory of 1856	812	tmp7083100.exe	30
PID 1356 wrote to memory of 596	1356	tmp7079465.exe	31
PID 1356 wrote to memory of 596	1356	tmp7079465.exe	31
PID 1356 wrote to memory of 596	1356	tmp7079465.exe	31
PID 1356 wrote to memory of 596	1356	tmp7079465.exe	31
PID 596 wrote to memory of 1628	596	notpad.exe	35
PID 596 wrote to memory of 1628	596	notpad.exe	35
PID 596 wrote to memory of 1628	596	notpad.exe	35
PID 596 wrote to memory of 1628	596	notpad.exe	35
PID 596 wrote to memory of 1576	596	notpad.exe	36
PID 596 wrote to memory of 1576	596	notpad.exe	36
PID 596 wrote to memory of 1576	596	notpad.exe	36
PID 596 wrote to memory of 1576	596	notpad.exe	36
PID 1628 wrote to memory of 432	1628	tmp7084598.exe	37
PID 1628 wrote to memory of 432	1628	tmp7084598.exe	37
PID 1628 wrote to memory of 432	1628	tmp7084598.exe	37
PID 1628 wrote to memory of 432	1628	tmp7084598.exe	37
PID 432 wrote to memory of 1932	432	notpad.exe	38
PID 432 wrote to memory of 1932	432	notpad.exe	38
PID 432 wrote to memory of 1932	432	notpad.exe	38
PID 432 wrote to memory of 1932	432	notpad.exe	38
PID 432 wrote to memory of 1816	432	notpad.exe	39
PID 432 wrote to memory of 1816	432	notpad.exe	39
PID 432 wrote to memory of 1816	432	notpad.exe	39
PID 432 wrote to memory of 1816	432	notpad.exe	39
PID 1932 wrote to memory of 1664	1932	tmp7087390.exe	40
PID 1932 wrote to memory of 1664	1932	tmp7087390.exe	40
PID 1932 wrote to memory of 1664	1932	tmp7087390.exe	40
PID 1932 wrote to memory of 1664	1932	tmp7087390.exe	40
PID 1664 wrote to memory of 1016	1664	notpad.exe	42
PID 1664 wrote to memory of 1016	1664	notpad.exe	42
PID 1664 wrote to memory of 1016	1664	notpad.exe	42
PID 1664 wrote to memory of 1016	1664	notpad.exe	42
PID 1664 wrote to memory of 572	1664	notpad.exe	41
PID 1664 wrote to memory of 572	1664	notpad.exe	41
PID 1664 wrote to memory of 572	1664	notpad.exe	41
PID 1664 wrote to memory of 572	1664	notpad.exe	41

C:\Users\Admin\AppData\Local\Temp\d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe
"C:\Users\Admin\AppData\Local\Temp\d24381a5c4d0e943fa125c53605c206d6ec8959919ada602ea32d8aa4dead483.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\tmp7087390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087390.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089418.exe
        8⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091462.exe
        10⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090807.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\tmp7087765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087765.exe
        6⤵
        Executes dropped EXE
        
        PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\tmp7085409.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7085409.exe
      4⤵
      Executes dropped EXE
      PID:1576
- C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\tmp7080682.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7080682.exe
    3⤵
    - Executes dropped EXE
    PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp7081509.exe
C:\Users\Admin\AppData\Local\Temp\tmp7081509.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 36
1⤵
- Loads dropped DLL
- Program crash
PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp7083100.exe
C:\Users\Admin\AppData\Local\Temp\tmp7083100.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604
- C:\Users\Admin\AppData\Local\Temp\tmp7091961.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7091961.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:560
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093568.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093568.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1020
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\tmp7093849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093849.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094301.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095050.exe
        10⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095783.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095783.exe
        10⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096579.exe
        11⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
        11⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094816.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094816.exe
        8⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095471.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096485.exe
        11⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097187.exe
        11⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101711.exe
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        14⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        14⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103193.exe
        15⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103661.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103661.exe
        15⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102023.exe
        12⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095939.exe
        9⤵
        Executes dropped EXE
        
        PID:988
      - C:\Users\Admin\AppData\Local\Temp\tmp7094036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094036.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094192.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094956.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096064.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096906.exe
        13⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101649.exe
        13⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102413.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103365.exe
        16⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103848.exe
        16⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104441.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105034.exe
        19⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105377.exe
        19⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        20⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105876.exe
        20⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104800.exe
        17⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102819.exe
        14⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe
        11⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        12⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101555.exe
        12⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095580.exe
        9⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096189.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100603.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101961.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102803.exe
        16⤵
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103474.exe
        18⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103786.exe
        18⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104191.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104191.exe
        19⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
        19⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103287.exe
        16⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        17⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103973.exe
        17⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102522.exe
        14⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102975.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104098.exe
        17⤵
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104706.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105455.exe
        21⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105736.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105736.exe
        21⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        22⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107093.exe
        24⤵
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115611.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115611.exe
        28⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        28⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117358.exe
        29⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117732.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117732.exe
        29⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114831.exe
        26⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115392.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115392.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118247.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118247.exe
        31⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118746.exe
        31⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119074.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122990.exe
        34⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        34⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125111.exe
        35⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125470.exe
        35⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        32⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117545.exe
        29⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118200.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118200.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119433.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124316.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126344.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127623.exe
        38⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128528.exe
        38⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132412.exe
        39⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134596.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134596.exe
        41⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136374.exe
        41⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137576.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137576.exe
        42⤵
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142271.exe
        44⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145001.exe
        44⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        45⤵
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        Modifies registry class
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150165.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150165.exe
        47⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150836.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150836.exe
        47⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
        48⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154065.exe
        48⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148979.exe
        45⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141647.exe
        42⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        39⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127030.exe
        36⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128200.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128200.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
        39⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134331.exe
        39⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135470.exe
        40⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136390.exe
        40⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        37⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125096.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125096.exe
        34⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
        35⤵
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128996.exe
        37⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132303.exe
        37⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        38⤵
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138168.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145344.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        46⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150212.exe
        46⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151132.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        49⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156857.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156857.exe
        49⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157934.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157934.exe
        50⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        50⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153051.exe
        47⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        44⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147357.exe
        45⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147716.exe
        45⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
        42⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145797.exe
        43⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146967.exe
        43⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136733.exe
        40⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142349.exe
        41⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146499.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146499.exe
        43⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148964.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148964.exe
        43⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149775.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151351.exe
        46⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
        46⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157138.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157138.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159884.exe
        49⤵
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        51⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        53⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171178.exe
        53⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180850.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180850.exe
        56⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181927.exe
        56⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184984.exe
        57⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        57⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196778.exe
        58⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200865.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200865.exe
        58⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179868.exe
        54⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180304.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182270.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184719.exe
        59⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196684.exe
        59⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202378.exe
        60⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211941.exe
        60⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215327.exe
        61⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221582.exe
        61⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183908.exe
        57⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199196.exe
        58⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        60⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215327.exe
        62⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223610.exe
        62⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211052.exe
        60⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214593.exe
        61⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221489.exe
        61⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224047.exe
        62⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208306.exe
        58⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211115.exe
        59⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        59⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181365.exe
        55⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169431.exe
        51⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170227.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170227.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172832.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        56⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180648.exe
        56⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181474.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183892.exe
        59⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185218.exe
        59⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        60⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201832.exe
        62⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212612.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212612.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221629.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221629.exe
        64⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209835.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209835.exe
        62⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214905.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198572.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198572.exe
        60⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201770.exe
        61⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        61⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        57⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199539.exe
        60⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208182.exe
        60⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        61⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        58⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        54⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181100.exe
        55⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181942.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181942.exe
        55⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183518.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183518.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194454.exe
        58⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198806.exe
        58⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        59⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211068.exe
        59⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        60⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221255.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221255.exe
        60⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184938.exe
        56⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        52⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172021.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174376.exe
        55⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180492.exe
        55⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182457.exe
        56⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184236.exe
        56⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185406.exe
        57⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196778.exe
        57⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173378.exe
        53⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161381.exe
        49⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167855.exe
        50⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169462.exe
        50⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172239.exe
        51⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173549.exe
        51⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        47⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150290.exe
        44⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145703.exe
        41⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134908.exe
        38⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127670.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127670.exe
        35⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        32⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        33⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125798.exe
        33⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118762.exe
        30⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115845.exe
        27⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113785.exe
        24⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114347.exe
        25⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115002.exe
        25⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106391.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106391.exe
        22⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105112.exe
        19⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105595.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105595.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106017.exe
        22⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106360.exe
        22⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106422.exe
        23⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113926.exe
        23⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105705.exe
        20⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104457.exe
        17⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104878.exe
        18⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105159.exe
        18⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103708.exe
        15⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101321.exe
        12⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101898.exe
        13⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102319.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102319.exe
        13⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        10⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        7⤵
        Executes dropped EXE
        
        PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093646.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093646.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093755.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094083.exe
        7⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094239.exe
        7⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094972.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094972.exe
        8⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095705.exe
        8⤵
        Executes dropped EXE
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\tmp7093864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093864.exe
        5⤵
        Executes dropped EXE
        
        PID:1356
- C:\Users\Admin\AppData\Local\Temp\tmp7092242.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092242.exe
  2⤵
  - Executes dropped EXE
  PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7079465.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe

Filesize
6.6MB

MD5
d07b5ebdfba7482ef429b645b040a549

SHA1
49463b04fed97407793dca6c66b4b68fd54fa5dc

SHA256
da22b701bfed64ef10dce57d599647db198a12129a33ceef74bf6522ac91a8dc

SHA512
a6abac305e6b8b02278969528de153e6a001af8834b311051230f3612e97af0ebd01d99333b22853bed04c8f4192894d5a84fa354379370a41b70cc7ca6f9dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe

Filesize
6.6MB

MD5
d07b5ebdfba7482ef429b645b040a549

SHA1
49463b04fed97407793dca6c66b4b68fd54fa5dc

SHA256
da22b701bfed64ef10dce57d599647db198a12129a33ceef74bf6522ac91a8dc

SHA512
a6abac305e6b8b02278969528de153e6a001af8834b311051230f3612e97af0ebd01d99333b22853bed04c8f4192894d5a84fa354379370a41b70cc7ca6f9dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7080682.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe

Filesize
3.4MB

MD5
cc38023a7862ec77ed1457eda6a09d7a

SHA1
69fc0f126d2f8f083076242a78fc884e7e688fcf

SHA256
56fbb514cff103481ef015fcc7b1108a234b340fbe7d9ee8df68d3406ceda67d

SHA512
e841ab0d714bed1cccfdeab8466d99fb95291a9785e6e1ac89b6f1917ad27667264a13609fb7aea35d103befa128de7a0f28ce5d4a3dc153c06b4b75a3b5e1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7081322.exe

Filesize
3.4MB

MD5
cc38023a7862ec77ed1457eda6a09d7a

SHA1
69fc0f126d2f8f083076242a78fc884e7e688fcf

SHA256
56fbb514cff103481ef015fcc7b1108a234b340fbe7d9ee8df68d3406ceda67d

SHA512
e841ab0d714bed1cccfdeab8466d99fb95291a9785e6e1ac89b6f1917ad27667264a13609fb7aea35d103befa128de7a0f28ce5d4a3dc153c06b4b75a3b5e1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7081509.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083100.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084598.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7085409.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087390.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087390.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087765.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089418.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090807.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7079465.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7079465.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7079793.exe

Filesize
6.6MB

MD5
d07b5ebdfba7482ef429b645b040a549

SHA1
49463b04fed97407793dca6c66b4b68fd54fa5dc

SHA256
da22b701bfed64ef10dce57d599647db198a12129a33ceef74bf6522ac91a8dc

SHA512
a6abac305e6b8b02278969528de153e6a001af8834b311051230f3612e97af0ebd01d99333b22853bed04c8f4192894d5a84fa354379370a41b70cc7ca6f9dc7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7079793.exe

Filesize
6.6MB

MD5
d07b5ebdfba7482ef429b645b040a549

SHA1
49463b04fed97407793dca6c66b4b68fd54fa5dc

SHA256
da22b701bfed64ef10dce57d599647db198a12129a33ceef74bf6522ac91a8dc

SHA512
a6abac305e6b8b02278969528de153e6a001af8834b311051230f3612e97af0ebd01d99333b22853bed04c8f4192894d5a84fa354379370a41b70cc7ca6f9dc7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7080682.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7080682.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081322.exe

Filesize
3.4MB

MD5
cc38023a7862ec77ed1457eda6a09d7a

SHA1
69fc0f126d2f8f083076242a78fc884e7e688fcf

SHA256
56fbb514cff103481ef015fcc7b1108a234b340fbe7d9ee8df68d3406ceda67d

SHA512
e841ab0d714bed1cccfdeab8466d99fb95291a9785e6e1ac89b6f1917ad27667264a13609fb7aea35d103befa128de7a0f28ce5d4a3dc153c06b4b75a3b5e1c4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081322.exe

Filesize
3.4MB

MD5
cc38023a7862ec77ed1457eda6a09d7a

SHA1
69fc0f126d2f8f083076242a78fc884e7e688fcf

SHA256
56fbb514cff103481ef015fcc7b1108a234b340fbe7d9ee8df68d3406ceda67d

SHA512
e841ab0d714bed1cccfdeab8466d99fb95291a9785e6e1ac89b6f1917ad27667264a13609fb7aea35d103befa128de7a0f28ce5d4a3dc153c06b4b75a3b5e1c4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081509.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081509.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083100.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083100.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083100.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083100.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084598.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084598.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7085409.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087390.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087390.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087765.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089418.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090807.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090807.exe

Filesize
3.2MB

MD5
208f5e6d97d4470ff11de2b0f01a6a38

SHA1
17f387b50a4d40e0690a065405dbb13d4cc41690

SHA256
c67c049a5a8768bad7f8839c897747b7943be20ef2435cbc9e14317a40f8dc1a

SHA512
d26d00adfcb1b687543a005c37c3a93cfde430c478fdd7aee35657989a5e01df71cdd2121a53f655c3629ff98875259695b339b57481655f5a44fb3775c19c17

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
335f9f161586458e8f679551f588d9e9

SHA1
851edd782fb259c091dfa08e80529777b5910008

SHA256
c44dfbf4f1e10d681a48521adecb84019627b3ed2014b6c73565fcb480095c8c

SHA512
98bc571ad8fc9789259ac843afaf8cfa439006e72457265a951092f6c4a090c95292d7e3a3c02e13c78d7dffd8adfd89b498e6ed3ba980e0ae705ab2f48b1fb6

Download Submit
memory/284-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/284-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/308-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/308-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-86-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/828-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/832-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/832-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1052-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1052-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1308-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-58-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1372-241-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1372-240-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1372-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1380-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1412-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-115-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/1628-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-116-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/1644-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download