c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
Size

1.3MB
MD5

a106560a61ac40d575bf8dfba62229a7
SHA1

5e2dbc801e06b86ced4499115567634131f5adb6
SHA256

c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912
SHA512

5ad8fe689297f888b12676078960d40bfcb457f59b30cdc7527870a79ff6bec0389ca621069dc88dbcf40b44662c8c304d0d50af6f2a80c5b8b91fc49447cd08
SSDEEP

24576:OR1RgRJRmRWRJRbR9RCRwR8RvRhR3R8RARTR9RTRIRkReRJRPRkR:OR1RgRJRmRWRJRbR9RCRwR8RvRhR3R8w

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1160	tmp7087156.exe
1808	tmp7087187.exe
908	tmp7087265.exe
1148	tmp7087375.exe
872	tmp7087546.exe
1784	tmp7087843.exe
1080	notpad.exe
984	tmp7088326.exe
1216	notpad.exe
2000	tmp7088389.exe
1972	tmp7088576.exe
824	tmp7088903.exe
288	tmp7088685.exe
2020	notpad.exe
2040	tmp7089449.exe
1668	tmp7089559.exe
1704	tmp7089309.exe
860	notpad.exe
2012	tmp7089949.exe
1312	tmp7089886.exe
1808	notpad.exe
760	tmp7090027.exe
520	tmp7090385.exe
660	tmp7090058.exe
1788	tmp7093334.exe
1736	notpad.exe
1148	tmp7093989.exe
1304	tmp7094395.exe
1852	tmp7094488.exe
1604	tmp7094348.exe
1612	tmp7094691.exe
1368	notpad.exe
788	tmp7094909.exe
1592	tmp7095065.exe
1832	tmp7095268.exe
2044	tmp7095533.exe
1676	tmp7095627.exe
2024	notpad.exe
1572	tmp7096376.exe
1216	tmp7096547.exe
1288	tmp7096719.exe
1972	tmp7096594.exe
1172	notpad.exe
1108	tmp7097156.exe
1176	tmp7097249.exe
1328	tmp7097624.exe
1440	notpad.exe
1540	tmp7097468.exe
852	tmp7098248.exe
1624	tmp7098263.exe
552	tmp7098466.exe
1744	notpad.exe
804	tmp7098716.exe
860	tmp7098997.exe
1764	tmp7099433.exe
1340	tmp7099387.exe
1508	tmp7099808.exe
240	notpad.exe
1360	tmp7100057.exe
1788	tmp7100245.exe
1884	tmp7103567.exe
1736	tmp7102928.exe
1148	notpad.exe
1348	tmp7104020.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000142c8-60.dat	upx
behavioral1/memory/1712-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000142c8-63.dat	upx
behavioral1/files/0x00080000000142c8-59.dat	upx
behavioral1/files/0x00080000000142c8-62.dat	upx
behavioral1/files/0x000600000001468b-71.dat	upx
behavioral1/files/0x000600000001468b-70.dat	upx
behavioral1/files/0x000600000001468b-73.dat	upx
behavioral1/files/0x000600000001468b-75.dat	upx
behavioral1/memory/1808-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014ab1-82.dat	upx
behavioral1/files/0x0007000000014b4c-83.dat	upx
behavioral1/files/0x0007000000014b4c-84.dat	upx
behavioral1/files/0x0007000000014b4c-86.dat	upx
behavioral1/memory/908-87-0x0000000002630000-0x000000000264F000-memory.dmp	upx
behavioral1/memory/1148-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014b4c-89.dat	upx
behavioral1/files/0x0007000000014ab1-95.dat	upx
behavioral1/files/0x0007000000014ab1-96.dat	upx
behavioral1/files/0x0007000000014ab1-93.dat	upx
behavioral1/files/0x0006000000014930-102.dat	upx
behavioral1/files/0x0007000000014ab1-106.dat	upx
behavioral1/files/0x0007000000014ab1-105.dat	upx
behavioral1/files/0x0007000000014ab1-108.dat	upx
behavioral1/files/0x0006000000014f9d-110.dat	upx
behavioral1/files/0x0006000000014f9d-114.dat	upx
behavioral1/memory/1784-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014f9d-111.dat	upx
behavioral1/files/0x0006000000014f9d-113.dat	upx
behavioral1/files/0x0006000000014930-121.dat	upx
behavioral1/memory/1216-133-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014ab1-137.dat	upx
behavioral1/files/0x0007000000014ab1-135.dat	upx
behavioral1/files/0x0007000000014ab1-134.dat	upx
behavioral1/files/0x0006000000014930-146.dat	upx
behavioral1/memory/2020-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000155fa-151.dat	upx
behavioral1/memory/2000-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1080-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1736-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/660-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/788-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1368-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1368-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/788-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2024-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1676-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1972-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1972-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1440-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1540-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/804-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1744-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1744-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/240-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
1808	tmp7087187.exe
1808	tmp7087187.exe
1808	tmp7087187.exe
1808	tmp7087187.exe
1148	tmp7087375.exe
1148	tmp7087375.exe
908	tmp7087265.exe
1148	tmp7087375.exe
1148	tmp7087375.exe
1784	tmp7087843.exe
1784	tmp7087843.exe
908	tmp7087265.exe
1080	notpad.exe
1080	notpad.exe
984	tmp7088326.exe
984	tmp7088326.exe
1784	tmp7087843.exe
1784	tmp7087843.exe
1216	notpad.exe
1216	notpad.exe
2000	tmp7088389.exe
2000	tmp7088389.exe
1216	notpad.exe
1972	tmp7088576.exe
1972	tmp7088576.exe
2020	notpad.exe
2020	notpad.exe
2020	notpad.exe
2000	tmp7088389.exe
2000	tmp7088389.exe
2040	tmp7089449.exe
2040	tmp7089449.exe
1704	tmp7089309.exe
860	notpad.exe
1704	tmp7089309.exe
860	notpad.exe
860	notpad.exe
1312	tmp7089886.exe
1312	tmp7089886.exe
1808	notpad.exe
1808	notpad.exe
1704	tmp7089309.exe
1704	tmp7089309.exe
1808	notpad.exe
660	tmp7090058.exe
660	tmp7090058.exe
520	tmp7090385.exe
520	tmp7090385.exe
1736	notpad.exe
1736	notpad.exe
1736	notpad.exe
660	tmp7090058.exe
660	tmp7090058.exe
1604	tmp7094348.exe
1604	tmp7094348.exe
1148	tmp7093989.exe
1148	tmp7093989.exe
1604	tmp7094348.exe
1604	tmp7094348.exe
1368	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118668.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7126905.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7112662.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7089449.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7109402.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122709.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136920.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147981.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7188541.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7214235.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7088326.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7148496.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7125657.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7175811.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7155079.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104020.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7120166.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7214235.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7088326.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7090385.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7152224.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7192394.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7097156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118668.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7196123.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7187246.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7087265.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7104909.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108840.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7109402.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7156077.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7187246.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7188541.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7116703.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7156218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168791.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7125657.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7138621.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7175811.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7090385.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7112662.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144502.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7167590.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104020.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7174548.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7152224.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7180351.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7196123.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7208447.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7105018.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147981.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7174548.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7180351.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7156077.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098997.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7117654.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186778.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7222768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7155656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120166.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7189212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7176420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7089886.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104909.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7153223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166966.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7087265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7192394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7154439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7155079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145048.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7196123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7214235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7205124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093989.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1160	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	27
PID 1712 wrote to memory of 1160	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	27
PID 1712 wrote to memory of 1160	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	27
PID 1712 wrote to memory of 1160	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	27
PID 1712 wrote to memory of 1808	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	28
PID 1712 wrote to memory of 1808	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	28
PID 1712 wrote to memory of 1808	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	28
PID 1712 wrote to memory of 1808	1712	c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe	28
PID 1808 wrote to memory of 908	1808	tmp7087187.exe	29
PID 1808 wrote to memory of 908	1808	tmp7087187.exe	29
PID 1808 wrote to memory of 908	1808	tmp7087187.exe	29
PID 1808 wrote to memory of 908	1808	tmp7087187.exe	29
PID 1808 wrote to memory of 1148	1808	tmp7087187.exe	30
PID 1808 wrote to memory of 1148	1808	tmp7087187.exe	30
PID 1808 wrote to memory of 1148	1808	tmp7087187.exe	30
PID 1808 wrote to memory of 1148	1808	tmp7087187.exe	30
PID 1148 wrote to memory of 872	1148	tmp7087375.exe	31
PID 1148 wrote to memory of 872	1148	tmp7087375.exe	31
PID 1148 wrote to memory of 872	1148	tmp7087375.exe	31
PID 1148 wrote to memory of 872	1148	tmp7087375.exe	31
PID 1148 wrote to memory of 1784	1148	tmp7087375.exe	33
PID 1148 wrote to memory of 1784	1148	tmp7087375.exe	33
PID 1148 wrote to memory of 1784	1148	tmp7087375.exe	33
PID 1148 wrote to memory of 1784	1148	tmp7087375.exe	33
PID 1784 wrote to memory of 984	1784	tmp7087843.exe	34
PID 1784 wrote to memory of 984	1784	tmp7087843.exe	34
PID 1784 wrote to memory of 984	1784	tmp7087843.exe	34
PID 1784 wrote to memory of 984	1784	tmp7087843.exe	34
PID 908 wrote to memory of 1080	908	tmp7087265.exe	32
PID 908 wrote to memory of 1080	908	tmp7087265.exe	32
PID 908 wrote to memory of 1080	908	tmp7087265.exe	32
PID 908 wrote to memory of 1080	908	tmp7087265.exe	32
PID 1080 wrote to memory of 372	1080	notpad.exe	35
PID 1080 wrote to memory of 372	1080	notpad.exe	35
PID 1080 wrote to memory of 372	1080	notpad.exe	35
PID 1080 wrote to memory of 372	1080	notpad.exe	35
PID 984 wrote to memory of 1216	984	tmp7088326.exe	36
PID 984 wrote to memory of 1216	984	tmp7088326.exe	36
PID 984 wrote to memory of 1216	984	tmp7088326.exe	36
PID 984 wrote to memory of 1216	984	tmp7088326.exe	36
PID 1784 wrote to memory of 2000	1784	tmp7087843.exe	37
PID 1784 wrote to memory of 2000	1784	tmp7087843.exe	37
PID 1784 wrote to memory of 2000	1784	tmp7087843.exe	37
PID 1784 wrote to memory of 2000	1784	tmp7087843.exe	37
PID 1216 wrote to memory of 1972	1216	notpad.exe	38
PID 1216 wrote to memory of 1972	1216	notpad.exe	38
PID 1216 wrote to memory of 1972	1216	notpad.exe	38
PID 1216 wrote to memory of 1972	1216	notpad.exe	38
PID 2000 wrote to memory of 288	2000	tmp7088389.exe	39
PID 2000 wrote to memory of 288	2000	tmp7088389.exe	39
PID 2000 wrote to memory of 288	2000	tmp7088389.exe	39
PID 2000 wrote to memory of 288	2000	tmp7088389.exe	39
PID 1216 wrote to memory of 824	1216	notpad.exe	40
PID 1216 wrote to memory of 824	1216	notpad.exe	40
PID 1216 wrote to memory of 824	1216	notpad.exe	40
PID 1216 wrote to memory of 824	1216	notpad.exe	40
PID 1972 wrote to memory of 2020	1972	tmp7088576.exe	41
PID 1972 wrote to memory of 2020	1972	tmp7088576.exe	41
PID 1972 wrote to memory of 2020	1972	tmp7088576.exe	41
PID 1972 wrote to memory of 2020	1972	tmp7088576.exe	41
PID 2020 wrote to memory of 2040	2020	notpad.exe	42
PID 2020 wrote to memory of 2040	2020	notpad.exe	42
PID 2020 wrote to memory of 2040	2020	notpad.exe	42
PID 2020 wrote to memory of 2040	2020	notpad.exe	42

C:\Users\Admin\AppData\Local\Temp\c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe
"C:\Users\Admin\AppData\Local\Temp\c85e67d1581dc4e1e60f0f39dc7068338b348ec7c3a9ff90c5f768440fef7912.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\tmp7087156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7087156.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\tmp7087187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7087187.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Users\Admin\AppData\Local\Temp\tmp7088373.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088373.exe
        5⤵
        
        PID:372
- - C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\tmp7087546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7087546.exe
      4⤵
      Executes dropped EXE
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\tmp7087843.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7087843.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:984
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089949.exe
        11⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090027.exe
        11⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089559.exe
        9⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088903.exe
        7⤵
        Executes dropped EXE
        
        PID:824
    - - C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\tmp7088685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088685.exe
        6⤵
        Executes dropped EXE
        
        PID:288
      - C:\Users\Admin\AppData\Local\Temp\tmp7089309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089309.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089886.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089886.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094395.exe
        11⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094488.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094488.exe
        11⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
        9⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090058.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093989.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093989.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095065.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096547.exe
        12⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096719.exe
        12⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095533.exe
        10⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094348.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094348.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094691.exe
        9⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
        9⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
        10⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095627.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095627.exe
        10⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096376.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
        13⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        13⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096594.exe
        11⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097156.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098248.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098997.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100245.exe
        18⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103567.exe
        18⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099433.exe
        16⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098466.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098466.exe
        14⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097468.exe
        12⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098263.exe
        13⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098716.exe
        13⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099808.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099808.exe
        14⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100057.exe
        15⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104254.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104254.exe
        17⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        17⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
        15⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
        20⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106173.exe
        20⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105003.exe
        18⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104597.exe
        16⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105018.exe
        17⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106282.exe
        19⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108840.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112225.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112225.exe
        23⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112678.exe
        23⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109121.exe
        21⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107015.exe
        19⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105689.exe
        17⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106032.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106032.exe
        18⤵
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107358.exe
        20⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107795.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107795.exe
        20⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        18⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106687.exe
        19⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106984.exe
        19⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107967.exe
        20⤵
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe
        24⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114909.exe
        24⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112647.exe
        22⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108793.exe
        20⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109074.exe
        21⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109277.exe
        21⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        22⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        24⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117654.exe
        28⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        32⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119885.exe
        32⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118856.exe
        30⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117748.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117748.exe
        28⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116828.exe
        26⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116204.exe
        24⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114675.exe
        22⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115486.exe
        23⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
        23⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116843.exe
        24⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
        24⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117951.exe
        25⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118216.exe
        25⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118700.exe
        26⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119043.exe
        26⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        27⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121820.exe
        31⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122272.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122272.exe
        33⤵
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122709.exe
        35⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123364.exe
        37⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123988.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123988.exe
        39⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124565.exe
        41⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125096.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125096.exe
        43⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125657.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126297.exe
        47⤵
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126905.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127467.exe
        51⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132864.exe
        53⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134471.exe
        55⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135189.exe
        57⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135844.exe
        59⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136390.exe
        61⤵
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136920.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137466.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137466.exe
        65⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138075.exe
        67⤵
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138621.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138621.exe
        69⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139136.exe
        71⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139853.exe
        73⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142131.exe
        75⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143160.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143160.exe
        77⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143940.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143940.exe
        79⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145048.exe
        83⤵
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        85⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146187.exe
        87⤵
        
        PID:928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146889.exe
        89⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147341.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147341.exe
        91⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        93⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148496.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149167.exe
        97⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150586.exe
        99⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150181.exe
        99⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151538.exe
        101⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152099.exe
        103⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152723.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152723.exe
        105⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153223.exe
        107⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        109⤵
        
        PID:808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        111⤵
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155079.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155656.exe
        115⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156077.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156592.exe
        119⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157185.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157185.exe
        121⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        123⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163737.exe
        125⤵
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164189.exe
        127⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164829.exe
        129⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165344.exe
        131⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        132⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165843.exe
        133⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166373.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166373.exe
        135⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166966.exe
        137⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167590.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        140⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168167.exe
        141⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        143⤵
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169353.exe
        145⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172083.exe
        147⤵
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172660.exe
        149⤵
        
        PID:368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173300.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173300.exe
        151⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173861.exe
        153⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174548.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        156⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175125.exe
        157⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        158⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175655.exe
        159⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176186.exe
        161⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176903.exe
        163⤵
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177496.exe
        165⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178885.exe
        167⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        168⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179478.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179478.exe
        169⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180195.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180195.exe
        171⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        172⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180835.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180835.exe
        173⤵
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181318.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181318.exe
        175⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        176⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182083.exe
        177⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        178⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        179⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        181⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        183⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        184⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184626.exe
        185⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        186⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187246.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187246.exe
        187⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        188⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187855.exe
        189⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        190⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188541.exe
        191⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        192⤵
        Modifies registry class
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189212.exe
        193⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        194⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        195⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        196⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190226.exe
        197⤵
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        198⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190897.exe
        199⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        200⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        201⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        202⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192394.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192394.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        204⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193658.exe
        205⤵
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        206⤵
        Modifies registry class
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        207⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        208⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195046.exe
        209⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        210⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        211⤵
        
        PID:788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        212⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196560.exe
        213⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        214⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197168.exe
        215⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        216⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197901.exe
        217⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        218⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198588.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198588.exe
        219⤵
        
        PID:584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        220⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199290.exe
        221⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        222⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203236.exe
        223⤵
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        224⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203829.exe
        225⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        226⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204484.exe
        227⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        228⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205124.exe
        229⤵
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        230⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205842.exe
        231⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        232⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206575.exe
        233⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        234⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207183.exe
        235⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        236⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207885.exe
        237⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        238⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208447.exe
        239⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        240⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        241⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        242⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210662.exe
        243⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        244⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211380.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211380.exe
        245⤵
        
        PID:824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        246⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        247⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        248⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212737.exe
        249⤵
        
        PID:544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        250⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213455.exe
        251⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        252⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213985.exe
        253⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        254⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        255⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        256⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215467.exe
        257⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        258⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219476.exe
        259⤵
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        260⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220100.exe
        261⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        262⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220927.exe
        263⤵
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        264⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221660.exe
        265⤵
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        266⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222487.exe
        267⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        268⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223251.exe
        269⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        270⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223985.exe
        271⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        272⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        273⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        274⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226481.exe
        275⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        276⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226933.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226933.exe
        277⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        278⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        279⤵
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        280⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228306.exe
        281⤵
        
        PID:800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        282⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229039.exe
        283⤵
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        284⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229491.exe
        285⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        286⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230178.exe
        287⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        288⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230677.exe
        289⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        290⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231566.exe
        291⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        292⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235575.exe
        293⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        294⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236340.exe
        295⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        296⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237026.exe
        297⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        298⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237245.exe
        297⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236574.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236574.exe
        295⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235872.exe
        293⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        291⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230958.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230958.exe
        289⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        287⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229710.exe
        285⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229226.exe
        283⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228587.exe
        281⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227838.exe
        279⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227261.exe
        277⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226715.exe
        275⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225981.exe
        273⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224187.exe
        271⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223485.exe
        269⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222768.exe
        267⤵
        Modifies registry class
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221894.exe
        265⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221301.exe
        263⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220287.exe
        261⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        259⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218135.exe
        257⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215030.exe
        255⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214235.exe
        253⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213611.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213611.exe
        251⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212877.exe
        249⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        247⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211676.exe
        245⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210959.exe
        243⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210241.exe
        241⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208634.exe
        239⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208010.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208010.exe
        237⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207526.exe
        235⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206793.exe
        233⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206029.exe
        231⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205358.exe
        229⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204718.exe
        227⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        225⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203424.exe
        223⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201864.exe
        221⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198837.exe
        219⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198135.exe
        217⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197340.exe
        215⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196747.exe
        213⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196123.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196123.exe
        211⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195280.exe
        209⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194719.exe
        207⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193892.exe
        205⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193268.exe
        203⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191911.exe
        201⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191053.exe
        199⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190413.exe
        197⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        195⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189306.exe
        193⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188791.exe
        191⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188073.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188073.exe
        189⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        187⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186778.exe
        185⤵
        Modifies registry class
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184126.exe
        183⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183565.exe
        181⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183003.exe
        179⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182317.exe
        177⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181615.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181615.exe
        175⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180975.exe
        173⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179790.exe
        169⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179025.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179025.exe
        167⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178479.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178479.exe
        165⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177013.exe
        163⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176420.exe
        161⤵
        Modifies registry class
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175811.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        157⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174641.exe
        155⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174002.exe
        153⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173409.exe
        151⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172801.exe
        149⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172192.exe
        147⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171677.exe
        145⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168947.exe
        143⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168308.exe
        141⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167699.exe
        139⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        137⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166529.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166529.exe
        135⤵
        Modifies registry class
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        133⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165500.exe
        131⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164954.exe
        129⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        127⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        125⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162427.exe
        123⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159041.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159041.exe
        121⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156733.exe
        119⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156218.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155750.exe
        115⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155266.exe
        113⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154580.exe
        111⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154034.exe
        109⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153379.exe
        107⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152848.exe
        105⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152224.exe
        103⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151631.exe
        101⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149307.exe
        97⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148699.exe
        95⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147981.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147497.exe
        91⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146983.exe
        89⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146421.exe
        87⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        85⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145188.exe
        83⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144642.exe
        81⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144081.exe
        79⤵
        Modifies registry class
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143566.exe
        77⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        75⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        73⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139370.exe
        71⤵
        Modifies registry class
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138714.exe
        69⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138168.exe
        67⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137638.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137638.exe
        65⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137030.exe
        63⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136577.exe
        61⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135984.exe
        59⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135423.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135423.exe
        57⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134674.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134674.exe
        55⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134112.exe
        53⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127623.exe
        51⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
        49⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126453.exe
        47⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125751.exe
        45⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125252.exe
        43⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124643.exe
        41⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124082.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124082.exe
        39⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123582.exe
        37⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122818.exe
        35⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122381.exe
        33⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121929.exe
        31⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120291.exe
        29⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119714.exe
        27⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099387.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099387.exe
        14⤵
        Executes dropped EXE
        
        PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7087156.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087187.exe

Filesize
1.3MB

MD5
8151eb8cabb55853bc0e6f048ca9d0cd

SHA1
187dabcc6296660bf4d7b7f86bd6ec6eef404c8d

SHA256
eaacade5426e4faca1a6b9a46e5393a292cf831894fb3cef942265aa954a4093

SHA512
46af8d06707a009400705793f1cd39706e1ca3c3ecb30a05c1617f3fc01ce179ac7cb2ea63fc6c8a539a409684bd643a09b606ddaa5b3832e2e8500df0750d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087187.exe

Filesize
1.3MB

MD5
8151eb8cabb55853bc0e6f048ca9d0cd

SHA1
187dabcc6296660bf4d7b7f86bd6ec6eef404c8d

SHA256
eaacade5426e4faca1a6b9a46e5393a292cf831894fb3cef942265aa954a4093

SHA512
46af8d06707a009400705793f1cd39706e1ca3c3ecb30a05c1617f3fc01ce179ac7cb2ea63fc6c8a539a409684bd643a09b606ddaa5b3832e2e8500df0750d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087265.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
1.2MB

MD5
886070f97c97c7af197901a9410eb375

SHA1
2e0a8f12a1c2ed64c5d402e8a7563e6e8a54b38f

SHA256
e8150cbfb497de46b9315e59e69645f4c3b5606c83f39e33fe38db84dbe22482

SHA512
4bffa222b46dc42920072bc4631a5308a9c8f46689b5f4360afcdb02c7b9d3db6fe6f40d8fd5d4dc043b5229e6af7b3319064c815c1a1c1ec978c8ba1620a4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
1.2MB

MD5
886070f97c97c7af197901a9410eb375

SHA1
2e0a8f12a1c2ed64c5d402e8a7563e6e8a54b38f

SHA256
e8150cbfb497de46b9315e59e69645f4c3b5606c83f39e33fe38db84dbe22482

SHA512
4bffa222b46dc42920072bc4631a5308a9c8f46689b5f4360afcdb02c7b9d3db6fe6f40d8fd5d4dc043b5229e6af7b3319064c815c1a1c1ec978c8ba1620a4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087546.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087843.exe

Filesize
1.2MB

MD5
26d43ac429db76659d9ac42d43911d63

SHA1
82d88bd83cf835253418800005450adec890fc0f

SHA256
e5d48be5d656f8e04590c1f3dfbb642b952ce1ecbee8fe8073187592950b97ed

SHA512
ae6096e935e04b6d82b1a383083e311501f113bd2535f405c746801756793861679d9be136cdc45df16ae7f2cda854232d3a6839b43a50932f43471d3aac292c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087843.exe

Filesize
1.2MB

MD5
26d43ac429db76659d9ac42d43911d63

SHA1
82d88bd83cf835253418800005450adec890fc0f

SHA256
e5d48be5d656f8e04590c1f3dfbb642b952ce1ecbee8fe8073187592950b97ed

SHA512
ae6096e935e04b6d82b1a383083e311501f113bd2535f405c746801756793861679d9be136cdc45df16ae7f2cda854232d3a6839b43a50932f43471d3aac292c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088326.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe

Filesize
1.2MB

MD5
ff3e835d83ed84f93c6d1b8b95692981

SHA1
4a9c089345bed504487e75cd9c78a53966fc5c1f

SHA256
e86e80e5d24a39629084d12883509082f6cead69f0f9d74eefae14b5b610e1da

SHA512
13afcb35c129719dc3c105a780728ccffb338bac16812b16d60f1116d6c4075ef0cb7b2fb8583040174bbb4afe6a81f68437c661c1e57e1bf138a8c267fe46c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088389.exe

Filesize
1.2MB

MD5
ff3e835d83ed84f93c6d1b8b95692981

SHA1
4a9c089345bed504487e75cd9c78a53966fc5c1f

SHA256
e86e80e5d24a39629084d12883509082f6cead69f0f9d74eefae14b5b610e1da

SHA512
13afcb35c129719dc3c105a780728ccffb338bac16812b16d60f1116d6c4075ef0cb7b2fb8583040174bbb4afe6a81f68437c661c1e57e1bf138a8c267fe46c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088685.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088903.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089559.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087156.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087156.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087187.exe

Filesize
1.3MB

MD5
8151eb8cabb55853bc0e6f048ca9d0cd

SHA1
187dabcc6296660bf4d7b7f86bd6ec6eef404c8d

SHA256
eaacade5426e4faca1a6b9a46e5393a292cf831894fb3cef942265aa954a4093

SHA512
46af8d06707a009400705793f1cd39706e1ca3c3ecb30a05c1617f3fc01ce179ac7cb2ea63fc6c8a539a409684bd643a09b606ddaa5b3832e2e8500df0750d04

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087187.exe

Filesize
1.3MB

MD5
8151eb8cabb55853bc0e6f048ca9d0cd

SHA1
187dabcc6296660bf4d7b7f86bd6ec6eef404c8d

SHA256
eaacade5426e4faca1a6b9a46e5393a292cf831894fb3cef942265aa954a4093

SHA512
46af8d06707a009400705793f1cd39706e1ca3c3ecb30a05c1617f3fc01ce179ac7cb2ea63fc6c8a539a409684bd643a09b606ddaa5b3832e2e8500df0750d04

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087265.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087265.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
1.2MB

MD5
886070f97c97c7af197901a9410eb375

SHA1
2e0a8f12a1c2ed64c5d402e8a7563e6e8a54b38f

SHA256
e8150cbfb497de46b9315e59e69645f4c3b5606c83f39e33fe38db84dbe22482

SHA512
4bffa222b46dc42920072bc4631a5308a9c8f46689b5f4360afcdb02c7b9d3db6fe6f40d8fd5d4dc043b5229e6af7b3319064c815c1a1c1ec978c8ba1620a4d6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
1.2MB

MD5
886070f97c97c7af197901a9410eb375

SHA1
2e0a8f12a1c2ed64c5d402e8a7563e6e8a54b38f

SHA256
e8150cbfb497de46b9315e59e69645f4c3b5606c83f39e33fe38db84dbe22482

SHA512
4bffa222b46dc42920072bc4631a5308a9c8f46689b5f4360afcdb02c7b9d3db6fe6f40d8fd5d4dc043b5229e6af7b3319064c815c1a1c1ec978c8ba1620a4d6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087546.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087546.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087843.exe

Filesize
1.2MB

MD5
26d43ac429db76659d9ac42d43911d63

SHA1
82d88bd83cf835253418800005450adec890fc0f

SHA256
e5d48be5d656f8e04590c1f3dfbb642b952ce1ecbee8fe8073187592950b97ed

SHA512
ae6096e935e04b6d82b1a383083e311501f113bd2535f405c746801756793861679d9be136cdc45df16ae7f2cda854232d3a6839b43a50932f43471d3aac292c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087843.exe

Filesize
1.2MB

MD5
26d43ac429db76659d9ac42d43911d63

SHA1
82d88bd83cf835253418800005450adec890fc0f

SHA256
e5d48be5d656f8e04590c1f3dfbb642b952ce1ecbee8fe8073187592950b97ed

SHA512
ae6096e935e04b6d82b1a383083e311501f113bd2535f405c746801756793861679d9be136cdc45df16ae7f2cda854232d3a6839b43a50932f43471d3aac292c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088326.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088326.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088373.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088373.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088389.exe

Filesize
1.2MB

MD5
ff3e835d83ed84f93c6d1b8b95692981

SHA1
4a9c089345bed504487e75cd9c78a53966fc5c1f

SHA256
e86e80e5d24a39629084d12883509082f6cead69f0f9d74eefae14b5b610e1da

SHA512
13afcb35c129719dc3c105a780728ccffb338bac16812b16d60f1116d6c4075ef0cb7b2fb8583040174bbb4afe6a81f68437c661c1e57e1bf138a8c267fe46c0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088389.exe

Filesize
1.2MB

MD5
ff3e835d83ed84f93c6d1b8b95692981

SHA1
4a9c089345bed504487e75cd9c78a53966fc5c1f

SHA256
e86e80e5d24a39629084d12883509082f6cead69f0f9d74eefae14b5b610e1da

SHA512
13afcb35c129719dc3c105a780728ccffb338bac16812b16d60f1116d6c4075ef0cb7b2fb8583040174bbb4afe6a81f68437c661c1e57e1bf138a8c267fe46c0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088576.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088685.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088685.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088903.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089309.exe

Filesize
1.1MB

MD5
eb0c9c133f9ea30c74205174a8e92519

SHA1
ee652a62bec3f56bc9d6fea04ac066f142c66cbc

SHA256
15e84e04669ea9dc477fa6471da0782fe35db59026ad9ad13c560580bcf95715

SHA512
3e8ff92708972d8b4097eef0cfbd12fb9b50a104b211c1e1374b6235ee5e6b241e10ef772f14920cb0a35a23894126908d72c31da6dbec8439daa3f660a7faad

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089449.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089449.exe

Filesize
36KB

MD5
0eea1ee5d61bfbdb94019fcc2890794a

SHA1
3b41751f8086e271ccbca169533a4a00d4dc883c

SHA256
8c59f6411b7e4193395b013a50f844ca28a26d6efb6bc8069cf4bdbcd99b04e1

SHA512
1ec388131beb8c8a257dcdd8b70e3e9a9734d1e37eda4197eb7576b1526c177d2b5455fcc0f497b8e9580c2b3701c3da4506c737db7da061d566c36d865429a9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089559.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
223KB

MD5
3a55d076e4017aa7580dda76e3f4b15f

SHA1
95279c1d2cb418bc6b0e433477b9179566aef201

SHA256
37266f63d642eba9b97e4d1afcf31442a0c8a47c1d14d4ff4b5a5492381ea38e

SHA512
eb5fa11fa269ce71f9be5bd88c8aa75554ec6002b39d4da8da3bf58bbe740d844d3172a30e05302b81fcf62dc96631ba53761d1d3dcb9174d221d12ec60e907f

Download Submit
memory/240-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/240-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/540-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/660-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/804-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/804-245-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/804-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-87-0x0000000002630000-0x000000000264F000-memory.dmp

Filesize
124KB

Download
memory/984-109-0x0000000001E40000-0x0000000001E4D000-memory.dmp

Filesize
52KB

Download
memory/1060-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1080-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-58-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1160-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-170-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1704-171-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1704-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-265-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1736-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1972-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1972-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download