4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0

Analysis

max time kernel
151s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
Size

9.6MB
MD5

7c778188b0964a4f903d12d87d244d1f
SHA1

c214daa077709cb39f76476f995272f9c28609af
SHA256

4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0
SHA512

fe912eee01e068193052e9f87e6a25973d3c83a277229579771a45a00ca881f83d14e56de98069b4ae33c9cfd996a4dc600feaf55dc70c70cbe882c7b80355d5
SSDEEP

98304:xrtirtitrtqrtcrtirtitrtfrtcrtirtitrtyrtcrtirtitrtyrtcrtirtitrtd1:L20J+420Jh420Jm420Jm420Jv420Jk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1148	tmp7081010.exe
112	tmp7081259.exe
580	notpad.exe
276	tmp7106048.exe
1684	tmp7105361.exe
1516	notpad.exe
904	tmp7116469.exe
996	notpad.exe
1172	tmp7130758.exe
1948	tmp7136234.exe
1976	notpad.exe
1104	tmp7112662.exe
1696	tmp7172801.exe
2044	tmp7131991.exe
1152	tmp7121804.exe
1636	notpad.exe
1228	notpad.exe
944	notpad.exe
556	tmp7191271.exe
1964	tmp7144018.exe
1804	tmp7144346.exe
1656	tmp7126063.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000700000001413a-66.dat	upx
behavioral1/files/0x000700000001413a-67.dat	upx
behavioral1/files/0x000700000001413a-69.dat	upx
behavioral1/files/0x000700000001413a-70.dat	upx
behavioral1/memory/580-81-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000013a31-76.dat	upx
behavioral1/files/0x000700000001413a-85.dat	upx
behavioral1/files/0x000700000001413a-84.dat	upx
behavioral1/files/0x000700000001413a-87.dat	upx
behavioral1/memory/1516-96-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000013a31-98.dat	upx
behavioral1/files/0x000700000001413a-101.dat	upx
behavioral1/files/0x000700000001413a-104.dat	upx
behavioral1/files/0x000700000001413a-102.dat	upx
behavioral1/files/0x000700000001413a-122.dat	upx
behavioral1/files/0x000700000001413a-139.dat	upx
behavioral1/files/0x000700000001413a-137.dat	upx
behavioral1/files/0x000700000001413a-136.dat	upx
behavioral1/memory/1104-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000013a31-132.dat	upx
behavioral1/files/0x000700000001413a-152.dat	upx
behavioral1/files/0x0007000000013a31-147.dat	upx
behavioral1/memory/1152-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000700000001413a-119.dat	upx
behavioral1/files/0x000700000001413a-118.dat	upx
behavioral1/memory/1172-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000013a31-110.dat	upx
behavioral1/memory/944-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1152-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1028-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/696-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2028-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1052-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1052-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2008-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2028-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2028-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1204-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1356-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1096-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/996-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1576-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1948-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/924-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1716-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 39 IoCs

pid	Process
1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
1148	tmp7081010.exe
1148	tmp7081010.exe
580	notpad.exe
580	tmp7108825.exe
580	tmp7108825.exe
276	tmp7126328.exe
276	tmp7126328.exe
1516	notpad.exe
1516	notpad.exe
1516	notpad.exe
904	tmp7116469.exe
904	tmp7116469.exe
1172	tmp7130758.exe
1172	tmp7130758.exe
1172	tmp7130758.exe
1948	tmp7136234.exe
1948	tmp7136234.exe
1104	tmp7112662.exe
1104	tmp7112662.exe
1104	tmp7112662.exe
1696	tmp7172801.exe
1696	tmp7172801.exe
1152	tmp7121804.exe
1152	tmp7121804.exe
1152	tmp7184657.exe
1636	notpad.exe
1636	notpad.exe
944	notpad.exe
944	notpad.exe
944	notpad.exe
556	tmp7191271.exe
556	tmp7191271.exe
1804	tmp7144346.exe
1804	tmp7144346.exe
1804	tmp7144346.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7172801.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7191271.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7106048.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7191271.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7126063.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7081010.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081010.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106048.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7106048.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7116469.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7116469.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7116469.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7136234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081010.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081010.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7172801.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7172801.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7191271.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106048.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191271.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1148	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	27
PID 1744 wrote to memory of 1148	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	27
PID 1744 wrote to memory of 1148	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	27
PID 1744 wrote to memory of 1148	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	27
PID 1744 wrote to memory of 112	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	28
PID 1744 wrote to memory of 112	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	28
PID 1744 wrote to memory of 112	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	28
PID 1744 wrote to memory of 112	1744	4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe	28
PID 1148 wrote to memory of 580	1148	tmp7081010.exe	29
PID 1148 wrote to memory of 580	1148	tmp7081010.exe	29
PID 1148 wrote to memory of 580	1148	tmp7081010.exe	29
PID 1148 wrote to memory of 580	1148	tmp7081010.exe	29
PID 580 wrote to memory of 276	580	tmp7108825.exe	100
PID 580 wrote to memory of 276	580	tmp7108825.exe	100
PID 580 wrote to memory of 276	580	tmp7108825.exe	100
PID 580 wrote to memory of 276	580	tmp7108825.exe	100
PID 580 wrote to memory of 1684	580	tmp7108825.exe	96
PID 580 wrote to memory of 1684	580	tmp7108825.exe	96
PID 580 wrote to memory of 1684	580	tmp7108825.exe	96
PID 580 wrote to memory of 1684	580	tmp7108825.exe	96
PID 276 wrote to memory of 1516	276	tmp7126328.exe	128
PID 276 wrote to memory of 1516	276	tmp7126328.exe	128
PID 276 wrote to memory of 1516	276	tmp7126328.exe	128
PID 276 wrote to memory of 1516	276	tmp7126328.exe	128
PID 1516 wrote to memory of 904	1516	notpad.exe	167
PID 1516 wrote to memory of 904	1516	notpad.exe	167
PID 1516 wrote to memory of 904	1516	notpad.exe	167
PID 1516 wrote to memory of 904	1516	notpad.exe	167
PID 1516 wrote to memory of 996	1516	notpad.exe	101
PID 1516 wrote to memory of 996	1516	notpad.exe	101
PID 1516 wrote to memory of 996	1516	notpad.exe	101
PID 1516 wrote to memory of 996	1516	notpad.exe	101
PID 904 wrote to memory of 1172	904	tmp7116469.exe	229
PID 904 wrote to memory of 1172	904	tmp7116469.exe	229
PID 904 wrote to memory of 1172	904	tmp7116469.exe	229
PID 904 wrote to memory of 1172	904	tmp7116469.exe	229
PID 1172 wrote to memory of 1948	1172	tmp7130758.exe	276
PID 1172 wrote to memory of 1948	1172	tmp7130758.exe	276
PID 1172 wrote to memory of 1948	1172	tmp7130758.exe	276
PID 1172 wrote to memory of 1948	1172	tmp7130758.exe	276
PID 1172 wrote to memory of 1976	1172	tmp7130758.exe	169
PID 1172 wrote to memory of 1976	1172	tmp7130758.exe	169
PID 1172 wrote to memory of 1976	1172	tmp7130758.exe	169
PID 1172 wrote to memory of 1976	1172	tmp7130758.exe	169
PID 1948 wrote to memory of 1104	1948	tmp7136234.exe	138
PID 1948 wrote to memory of 1104	1948	tmp7136234.exe	138
PID 1948 wrote to memory of 1104	1948	tmp7136234.exe	138
PID 1948 wrote to memory of 1104	1948	tmp7136234.exe	138
PID 1104 wrote to memory of 1696	1104	tmp7112662.exe	330
PID 1104 wrote to memory of 1696	1104	tmp7112662.exe	330
PID 1104 wrote to memory of 1696	1104	tmp7112662.exe	330
PID 1104 wrote to memory of 1696	1104	tmp7112662.exe	330
PID 1104 wrote to memory of 2044	1104	tmp7112662.exe	238
PID 1104 wrote to memory of 2044	1104	tmp7112662.exe	238
PID 1104 wrote to memory of 2044	1104	tmp7112662.exe	238
PID 1104 wrote to memory of 2044	1104	tmp7112662.exe	238
PID 1696 wrote to memory of 1152	1696	tmp7172801.exe	180
PID 1696 wrote to memory of 1152	1696	tmp7172801.exe	180
PID 1696 wrote to memory of 1152	1696	tmp7172801.exe	180
PID 1696 wrote to memory of 1152	1696	tmp7172801.exe	180
PID 1152 wrote to memory of 1636	1152	tmp7121804.exe	331
PID 1152 wrote to memory of 1636	1152	tmp7121804.exe	331
PID 1152 wrote to memory of 1636	1152	tmp7121804.exe	331
PID 1152 wrote to memory of 1636	1152	tmp7121804.exe	331

C:\Users\Admin\AppData\Local\Temp\4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe
"C:\Users\Admin\AppData\Local\Temp\4f53f4a737345ac04c18239963c9a0877e68418109955ac767499df5d5f65bb0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp7081010.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7081010.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\tmp7082242.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7082242.exe
      4⤵
      PID:276
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe
        6⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088279.exe
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092304.exe
        14⤵
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095487.exe
        16⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096345.exe
        18⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095986.exe
        18⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
        16⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094972.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094972.exe
        14⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098981.exe
        14⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098872.exe
        14⤵
        
        PID:760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099418.exe
        16⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115502.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115502.exe
        18⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115455.exe
        18⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115892.exe
        20⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115782.exe
        20⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116204.exe
        22⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116141.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116141.exe
        22⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099277.exe
        16⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099745.exe
        18⤵
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100167.exe
        20⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103287.exe
        22⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103786.exe
        24⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104425.exe
        26⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104160.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104160.exe
        26⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103957.exe
        24⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        24⤵
        
        PID:828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125408.exe
        26⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125376.exe
        26⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125610.exe
        28⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126063.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125907.exe
        30⤵
        
        PID:308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126328.exe
        32⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126281.exe
        32⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        34⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe
        34⤵
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135423.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135423.exe
        36⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        36⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135704.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135704.exe
        38⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135626.exe
        38⤵
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135969.exe
        40⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141554.exe
        42⤵
        
        PID:328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142458.exe
        44⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        45⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142755.exe
        45⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142880.exe
        46⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143004.exe
        46⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143176.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143176.exe
        47⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143129.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143129.exe
        47⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143691.exe
        49⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145032.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145032.exe
        51⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145407.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145407.exe
        51⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        52⤵
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147014.exe
        54⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        54⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170117.exe
        55⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        55⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        56⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189680.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189680.exe
        56⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191630.exe
        57⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192519.exe
        57⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193112.exe
        58⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193954.exe
        58⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228399.exe
        59⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        59⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146468.exe
        52⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147248.exe
        53⤵
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173737.exe
        55⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190008.exe
        57⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192004.exe
        59⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192192.exe
        59⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193128.exe
        60⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227931.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227931.exe
        62⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193970.exe
        60⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        61⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190897.exe
        57⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220974.exe
        58⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228930.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228930.exe
        60⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229772.exe
        60⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230303.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230303.exe
        61⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174095.exe
        55⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191802.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191802.exe
        56⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        56⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195670.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195670.exe
        57⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227619.exe
        57⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169759.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169759.exe
        53⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172801.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173534.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173534.exe
        54⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        55⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184657.exe
        55⤵
        Loads dropped DLL
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        56⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189571.exe
        56⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        49⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144050.exe
        50⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144252.exe
        50⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144471.exe
        51⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144642.exe
        51⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144954.exe
        52⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145469.exe
        53⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146078.exe
        53⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141772.exe
        42⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141897.exe
        43⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141944.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141944.exe
        43⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142178.exe
        44⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142334.exe
        44⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136047.exe
        40⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136265.exe
        41⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136234.exe
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125735.exe
        28⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125189.exe
        24⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103458.exe
        22⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100447.exe
        20⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099855.exe
        18⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089309.exe
        12⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe
        10⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086439.exe
        8⤵
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe
        6⤵
        
        PID:996
  - - C:\Users\Admin\AppData\Local\Temp\tmp7082741.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7082741.exe
      4⤵
      PID:1684
- C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe
  2⤵
  - Executes dropped EXE
  PID:112

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1028
- C:\Users\Admin\AppData\Local\Temp\tmp7096688.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096688.exe
  2⤵
  PID:616
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
        6⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098107.exe
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098560.exe
        10⤵
        
        PID:660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105081.exe
        12⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
        14⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105767.exe
        16⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        18⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106656.exe
        20⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107046.exe
        22⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107545.exe
        24⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107467.exe
        24⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107904.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107904.exe
        26⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108294.exe
        28⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108185.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108185.exe
        28⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108528.exe
        30⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
        32⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111102.exe
        34⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110712.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110712.exe
        34⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111492.exe
        36⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111305.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111305.exe
        36⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112038.exe
        38⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111789.exe
        38⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112288.exe
        40⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112662.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113005.exe
        44⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113333.exe
        46⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113863.exe
        48⤵
        
        PID:308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114191.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114191.exe
        50⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114799.exe
        52⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114565.exe
        52⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115158.exe
        54⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115112.exe
        54⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
        50⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113973.exe
        48⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121898.exe
        48⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121804.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        50⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        50⤵
        
        PID:916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        52⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122459.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122459.exe
        52⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123208.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123208.exe
        54⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123005.exe
        54⤵
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        56⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        56⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123676.exe
        58⤵
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124004.exe
        60⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124050.exe
        60⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123738.exe
        58⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144814.exe
        56⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113551.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113551.exe
        46⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142412.exe
        47⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143238.exe
        49⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143410.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143410.exe
        49⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
        50⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
        51⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144346.exe
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113130.exe
        44⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112803.exe
        42⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112381.exe
        40⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        34⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
        34⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        35⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146187.exe
        37⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146749.exe
        37⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169322.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169322.exe
        38⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170336.exe
        38⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173971.exe
        39⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174142.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174142.exe
        39⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189742.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189742.exe
        40⤵
        
        PID:284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190725.exe
        42⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191240.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191240.exe
        42⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193221.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193221.exe
        43⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220506.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220506.exe
        43⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228415.exe
        44⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229554.exe
        44⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189945.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189945.exe
        40⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190632.exe
        41⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191271.exe
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        42⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191755.exe
        42⤵
        
        PID:640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193627.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193627.exe
        44⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145422.exe
        35⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110166.exe
        32⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108637.exe
        30⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107982.exe
        26⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107280.exe
        22⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116469.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116750.exe
        25⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121149.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121149.exe
        27⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121586.exe
        29⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121414.exe
        29⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121242.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121242.exe
        27⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120806.exe
        25⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116500.exe
        23⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106828.exe
        20⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106438.exe
        18⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106048.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105580.exe
        14⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105174.exe
        12⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098310.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098310.exe
        8⤵
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\tmp7097889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097889.exe
        6⤵
        
        PID:832
  - - C:\Users\Admin\AppData\Local\Temp\tmp7097390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7097390.exe
      4⤵
      PID:968
    - - C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124284.exe
        5⤵
        
        PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\tmp7124222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124222.exe
        5⤵
        
        PID:1916
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2040
- C:\Users\Admin\AppData\Local\Temp\tmp7096953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096953.exe
  2⤵
  PID:904

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
  2⤵
  PID:988
- C:\Users\Admin\AppData\Local\Temp\tmp7104737.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7104737.exe
  2⤵
  PID:1556

C:\Users\Admin\AppData\Local\Temp\tmp7124596.exe
C:\Users\Admin\AppData\Local\Temp\tmp7124596.exe
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\tmp7124550.exe
C:\Users\Admin\AppData\Local\Temp\tmp7124550.exe
1⤵
PID:2016
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\tmp7124971.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7124971.exe
    3⤵
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
    3⤵
    PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp7126531.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126531.exe
1⤵
PID:868
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tmp7129354.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7129354.exe
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\tmp7130977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130977.exe
        5⤵
        
        PID:616
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        7⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131882.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131882.exe
        9⤵
        
        PID:328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132459.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132459.exe
        11⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132178.exe
        11⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132755.exe
        13⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132646.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132646.exe
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
        15⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133036.exe
        15⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131991.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131991.exe
        9⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131710.exe
        7⤵
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\tmp7131258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131258.exe
        5⤵
        
        PID:1016
- - C:\Users\Admin\AppData\Local\Temp\tmp7130758.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7130758.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp7126578.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126578.exe
1⤵
PID:1764

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\tmp7133504.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133504.exe
  2⤵
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\tmp7133348.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133348.exe
  2⤵
  PID:520
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133785.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133785.exe
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133738.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133738.exe
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\tmp7134003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134003.exe
        6⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134456.exe
        8⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134268.exe
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134846.exe
        10⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134658.exe
        10⤵
        
        PID:1472
      - C:\Users\Admin\AppData\Local\Temp\tmp7134066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134066.exe
        6⤵
        
        PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7081010.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7081010.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7081259.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082242.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082242.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7082741.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084832.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7086439.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088279.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088279.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089309.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
9.3MB

MD5
f204989b696c26a3615aedd92e1dcf7f

SHA1
d84f3f5c1aa3363c8892aee7ee94d5eacc62fcfa

SHA256
df8b5d0c740aaba2941c78327dd7616b7a8ca530498db219d498daef865525bb

SHA512
da8e689b66f7bb87e21b4c35357dbb3f7b78937a51eeec9af3669a1c33d3d7d283b746532e7c86e02afdb3b978ded0f8a21477ff15c3abf7b6d2381526e9ccfd

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
9.5MB

MD5
ab266fed00708d977450d549eee9ca37

SHA1
cc138fd3a93e1c54d93e715f3ba7b46edb0961a5

SHA256
75bc8c6a12be05c6645d3db6b82dd20b8b806e0f5e4fa4f9195bd11435c844ee

SHA512
1465b8e4c001ee23ed1ec18dec4b619669f2cc73f1ba0c44ea3755130b7ab2a7960a7d5a014fde03cc54597a8f8c6942598a224b33a39e4172b089dc7069e046

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
9.5MB

MD5
fc8453069312326512138aba1a430fa3

SHA1
f3702e55232a4b845d0569711ef183564b83dba4

SHA256
a5bed003a8153c8542758fad65c30b1a9bb3acbc28e101e2e62adcb185dc3c07

SHA512
e2413f45bce646de76779cc6811026998ba7c9e1cd2f26ff5759409e069e82fbaf94b62f9dc0e3b66125d0cdf4b548dea0047b506726859d96ee51053f629049

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
9.5MB

MD5
1b3bea1769b6720bcf8e01a61f54e0ef

SHA1
ba46add99b5482a5e46c8c51120dd68421eabd22

SHA256
035f5e178c2238b8fe50fc8d35bb61b976e71cf2d931edd7600423866f191aaa

SHA512
6bcea62935ea346d07fdc576dd7085c0bf31cf69651e702091981e73693aa553a0b008ebc3c1a83324ab6a762f3908d05ee90052e99ad22fc78f097c49ad76de

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
9.5MB

MD5
a3f6834092193eccfd1dde2ad6dad123

SHA1
b1fe9b59451e196c530c461769d5f4af40f441d1

SHA256
cb3e2d071ea9b4e4938dc88751bbbadd1b44c9c8a1d3561ebf25d75f74695c21

SHA512
59aba1bc7b3076bff4778203bd2a47b44a7df627a629811f894b54b810cac3c073608ecbc243e0302eadce4f1c170c757ae77e78b074bdd1c354969a1208f728

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081010.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081010.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081259.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7081259.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082242.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082242.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7082741.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7083927.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084832.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7086064.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7086064.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7086439.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7086969.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7086969.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7087375.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088279.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088279.exe

Filesize
9.5MB

MD5
5884c7a9f49cd261e6c14039c5380ae6

SHA1
77f17f8db67fb7aa65c0d7d95488c7adb3286585

SHA256
68e995db12f55c6a696c0733f6a999ea550a6cce2a4dfba55a83b84b167c1f09

SHA512
cc9bdd76b9e9eedec73e077d352f47ca7782a7b8e5feb60c2f011cdd4f3b11bd51304f97e0d69a41b1fcc58baee566601ef12b1802b909cc7a0fb61abc843d63

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089309.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
9.7MB

MD5
3c5fb0ec9b8a757e2e48a43f277962f9

SHA1
1cf36564a1918eb23e6619fbd2611bb1f7cf0b34

SHA256
aba66d30d4bb63e135c629d751bc75e8161abf69e72615d2e5070fbf6e3057b5

SHA512
70f40fa5fabb34846287d30e3c53ad225b5d2aa3cf9bd1b2419899a280b965672947bb7f126cf79334d2b3349c211b4ce22d7cfd07bb811a9c1ae10e7b47005b

Download Submit
memory/268-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/572-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/580-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/696-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/924-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1028-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1052-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1052-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1108-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-59-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1152-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1152-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-346-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1344-329-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-344-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-140-0x0000000001DA0000-0x0000000001DAD000-memory.dmp

Filesize
52KB

Download
memory/1716-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-121-0x00000000024F0000-0x000000000250F000-memory.dmp

Filesize
124KB

Download
memory/1976-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download