31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24

Analysis

max time kernel
84s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
Size

3.2MB
MD5

ffa55e199fd9037e07d6d3eb3181db6c
SHA1

6c9b3cc94cd2a9bc6a7778845b1c71bec7d002e3
SHA256

31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24
SHA512

6213532c8da6abc861b05c32c6e9f613985076cd8df3b2763a2599ec5f514431f0559b69fb585b0b2f10e402b391358ce08557d4be6d4322b256d32928708003
SSDEEP

24576:cDyTFtjEDyTFtjTDyTFtjBDyTFtjJDyTFtjcDyTFtjEDyTFtjTDyTFtjBDyTFtj:1txtItqtCt5txtItqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1620	tmp7108232.exe
1868	tmp7109152.exe
1448	notpad.exe
1092	tmp7113817.exe
832	tmp7114363.exe
904	notpad.exe
2040	tmp7115080.exe
1052	notpad.exe
1696	tmp7115658.exe
1524	tmp7134222.exe
1976	tmp7116438.exe
2000	notpad.exe
1608	tmp7118060.exe
972	tmp7119230.exe
1600	notpad.exe
736	tmp7119667.exe
920	tmp7120119.exe
364	notpad.exe
908	tmp7120494.exe
1952	notpad.exe
1588	tmp7121180.exe
944	tmp7132287.exe
1960	tmp7122350.exe
1364	notpad.exe
1776	tmp7123442.exe
832	tmp7124830.exe
1780	notpad.exe
1204	tmp7125236.exe
2036	tmp7134658.exe
1232	tmp7133691.exe
1380	tmp7125985.exe
1968	notpad.exe
1972	tmp7126718.exe
1920	tmp7126983.exe
1064	tmp7134799.exe
1400	tmp7127498.exe
1572	tmp7127701.exe
1980	tmp7128403.exe
580	notpad.exe
1504	tmp7128637.exe
1924	tmp7129417.exe
1068	notpad.exe
1860	tmp7129666.exe
2020	tmp7129900.exe
820	notpad.exe
1752	tmp7130431.exe
1612	notpad.exe
1288	tmp7131117.exe
1688	notpad.exe
1460	tmp7130758.exe
944	tmp7132287.exe
1176	tmp7132038.exe
1720	notpad.exe
1932	tmp7133442.exe
1772	tmp7132428.exe
1116	tmp7133894.exe
836	tmp7133566.exe
1928	notpad.exe
1668	tmp7134112.exe
1232	tmp7133691.exe
1604	tmp7133847.exe
1640	notpad.exe
2036	tmp7134658.exe
2008	tmp7134284.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1612-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014112-74.dat	upx
behavioral1/files/0x0007000000014112-73.dat	upx
behavioral1/files/0x0007000000014112-71.dat	upx
behavioral1/files/0x0007000000014112-70.dat	upx
behavioral1/memory/1448-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000013922-81.dat	upx
behavioral1/memory/1448-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014112-92.dat	upx
behavioral1/files/0x0007000000014112-90.dat	upx
behavioral1/files/0x0007000000014112-89.dat	upx
behavioral1/files/0x0009000000013922-99.dat	upx
behavioral1/memory/904-98-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/904-110-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014112-107.dat	upx
behavioral1/memory/1052-120-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014112-105.dat	upx
behavioral1/files/0x0007000000014112-104.dat	upx
behavioral1/files/0x0009000000013922-122.dat	upx
behavioral1/files/0x0007000000014112-125.dat	upx
behavioral1/files/0x0007000000014112-126.dat	upx
behavioral1/files/0x0007000000014112-128.dat	upx
behavioral1/memory/2000-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014112-144.dat	upx
behavioral1/files/0x0007000000014112-143.dat	upx
behavioral1/files/0x0007000000014112-146.dat	upx
behavioral1/files/0x0009000000013922-138.dat	upx
behavioral1/files/0x0009000000013922-152.dat	upx
behavioral1/memory/1600-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/364-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/364-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1952-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1364-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1780-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2036-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2036-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1968-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1064-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1064-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/580-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1068-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1612-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1612-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1688-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1932-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1460-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1176-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1460-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1176-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1932-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1120-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2008-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2008-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1120-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
1944	WerFault.exe
1944	WerFault.exe
1620	tmp7108232.exe
1620	tmp7108232.exe
1448	notpad.exe
1448	notpad.exe
1448	notpad.exe
1092	tmp7113817.exe
1092	tmp7113817.exe
904	notpad.exe
904	notpad.exe
904	notpad.exe
2040	tmp7115080.exe
2040	tmp7115080.exe
1052	notpad.exe
1052	notpad.exe
1052	notpad.exe
1524	tmp7134222.exe
1524	tmp7134222.exe
1944	WerFault.exe
2000	notpad.exe
2000	notpad.exe
2000	notpad.exe
1608	tmp7118060.exe
1608	tmp7118060.exe
1600	notpad.exe
1600	notpad.exe
1600	notpad.exe
736	tmp7119667.exe
736	tmp7119667.exe
364	notpad.exe
364	notpad.exe
364	notpad.exe
908	tmp7120494.exe
908	tmp7120494.exe
1952	notpad.exe
1952	notpad.exe
1952	notpad.exe
944	tmp7132287.exe
944	tmp7132287.exe
1364	notpad.exe
1364	notpad.exe
1364	notpad.exe
1776	tmp7123442.exe
1776	tmp7123442.exe
1780	notpad.exe
1780	notpad.exe
1204	tmp7125236.exe
1204	tmp7125236.exe
1780	notpad.exe
2036	tmp7134658.exe
2036	tmp7134658.exe
1380	tmp7125985.exe
1380	tmp7125985.exe
2036	tmp7134658.exe
1968	notpad.exe
1968	notpad.exe
1920	tmp7126983.exe
1920	tmp7126983.exe
1968	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7125236.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7127701.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133566.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7144564.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7173425.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7113817.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166982.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7140633.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7154798.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7166982.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168635.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7135891.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7151241.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166467.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7130431.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147981.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7173425.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7175016.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7127701.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7129666.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145376.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7152583.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7153316.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7153098.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7173035.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7179337.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7134924.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7159151.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7175203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7140633.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7145376.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7157091.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7160211.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7134924.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133691.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7152630.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7172099.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7183034.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166280.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7175562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7179134.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7115080.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118060.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7120494.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7162115.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7165781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7162645.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166280.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7184782.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7159853.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7162926.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168573.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7132287.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7123442.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7128637.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7132428.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147981.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7187168.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7140633.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143675.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7160383.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7170975.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7187168.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	1868	WerFault.exe	27

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7153519.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169291.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7179914.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7179337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135891.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7142458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168635.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7179727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158511.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7170975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7152458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7226449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7177512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7153316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7113817.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1620	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	26
PID 1612 wrote to memory of 1620	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	26
PID 1612 wrote to memory of 1620	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	26
PID 1612 wrote to memory of 1620	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	26
PID 1612 wrote to memory of 1868	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	27
PID 1612 wrote to memory of 1868	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	27
PID 1612 wrote to memory of 1868	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	27
PID 1612 wrote to memory of 1868	1612	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	27
PID 1868 wrote to memory of 1944	1868	tmp7109152.exe	28
PID 1868 wrote to memory of 1944	1868	tmp7109152.exe	28
PID 1868 wrote to memory of 1944	1868	tmp7109152.exe	28
PID 1868 wrote to memory of 1944	1868	tmp7109152.exe	28
PID 1620 wrote to memory of 1448	1620	tmp7108232.exe	29
PID 1620 wrote to memory of 1448	1620	tmp7108232.exe	29
PID 1620 wrote to memory of 1448	1620	tmp7108232.exe	29
PID 1620 wrote to memory of 1448	1620	tmp7108232.exe	29
PID 1448 wrote to memory of 1092	1448	notpad.exe	30
PID 1448 wrote to memory of 1092	1448	notpad.exe	30
PID 1448 wrote to memory of 1092	1448	notpad.exe	30
PID 1448 wrote to memory of 1092	1448	notpad.exe	30
PID 1448 wrote to memory of 832	1448	notpad.exe	31
PID 1448 wrote to memory of 832	1448	notpad.exe	31
PID 1448 wrote to memory of 832	1448	notpad.exe	31
PID 1448 wrote to memory of 832	1448	notpad.exe	31
PID 1092 wrote to memory of 904	1092	tmp7113817.exe	32
PID 1092 wrote to memory of 904	1092	tmp7113817.exe	32
PID 1092 wrote to memory of 904	1092	tmp7113817.exe	32
PID 1092 wrote to memory of 904	1092	tmp7113817.exe	32
PID 904 wrote to memory of 2040	904	notpad.exe	37
PID 904 wrote to memory of 2040	904	notpad.exe	37
PID 904 wrote to memory of 2040	904	notpad.exe	37
PID 904 wrote to memory of 2040	904	notpad.exe	37
PID 904 wrote to memory of 1696	904	notpad.exe	33
PID 904 wrote to memory of 1696	904	notpad.exe	33
PID 904 wrote to memory of 1696	904	notpad.exe	33
PID 904 wrote to memory of 1696	904	notpad.exe	33
PID 2040 wrote to memory of 1052	2040	tmp7115080.exe	36
PID 2040 wrote to memory of 1052	2040	tmp7115080.exe	36
PID 2040 wrote to memory of 1052	2040	tmp7115080.exe	36
PID 2040 wrote to memory of 1052	2040	tmp7115080.exe	36
PID 1052 wrote to memory of 1524	1052	notpad.exe	90
PID 1052 wrote to memory of 1524	1052	notpad.exe	90
PID 1052 wrote to memory of 1524	1052	notpad.exe	90
PID 1052 wrote to memory of 1524	1052	notpad.exe	90
PID 1052 wrote to memory of 1976	1052	notpad.exe	35
PID 1052 wrote to memory of 1976	1052	notpad.exe	35
PID 1052 wrote to memory of 1976	1052	notpad.exe	35
PID 1052 wrote to memory of 1976	1052	notpad.exe	35
PID 1524 wrote to memory of 2000	1524	tmp7134222.exe	38
PID 1524 wrote to memory of 2000	1524	tmp7134222.exe	38
PID 1524 wrote to memory of 2000	1524	tmp7134222.exe	38
PID 1524 wrote to memory of 2000	1524	tmp7134222.exe	38
PID 2000 wrote to memory of 1608	2000	notpad.exe	41
PID 2000 wrote to memory of 1608	2000	notpad.exe	41
PID 2000 wrote to memory of 1608	2000	notpad.exe	41
PID 2000 wrote to memory of 1608	2000	notpad.exe	41
PID 2000 wrote to memory of 972	2000	notpad.exe	39
PID 2000 wrote to memory of 972	2000	notpad.exe	39
PID 2000 wrote to memory of 972	2000	notpad.exe	39
PID 2000 wrote to memory of 972	2000	notpad.exe	39
PID 1608 wrote to memory of 1600	1608	tmp7118060.exe	40
PID 1608 wrote to memory of 1600	1608	tmp7118060.exe	40
PID 1608 wrote to memory of 1600	1608	tmp7118060.exe	40
PID 1608 wrote to memory of 1600	1608	tmp7118060.exe	40

C:\Users\Admin\AppData\Local\Temp\31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
"C:\Users\Admin\AppData\Local\Temp\31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113817.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113817.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\tmp7115658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115658.exe
        6⤵
        Executes dropped EXE
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\tmp7115080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115080.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
      4⤵
      Executes dropped EXE
      PID:832
- C:\Users\Admin\AppData\Local\Temp\tmp7109152.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7109152.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe
C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe
1⤵
PID:1524
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1608

C:\Users\Admin\AppData\Local\Temp\tmp7116438.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116438.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600
- C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:736
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      PID:908
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121508.exe
        6⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123442.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125236.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125985.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126983.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127701.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128637.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129666.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130431.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131117.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132287.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133691.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134799.exe
        30⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135860.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135860.exe
        30⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        31⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138543.exe
        31⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134284.exe
        28⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        31⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        31⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        32⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141335.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141335.exe
        34⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141819.exe
        34⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142458.exe
        35⤵
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144221.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144221.exe
        37⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144518.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144518.exe
        37⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145376.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146421.exe
        40⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147700.exe
        40⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148153.exe
        41⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150415.exe
        41⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146234.exe
        38⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143332.exe
        35⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141132.exe
        32⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135579.exe
        29⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133442.exe
        26⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133847.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133847.exe
        27⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134658.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132038.exe
        24⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134112.exe
        25⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133566.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135080.exe
        27⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
        27⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136374.exe
        28⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138558.exe
        28⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130758.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130758.exe
        22⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132428.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134222.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        25⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135891.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138824.exe
        28⤵
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141850.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141850.exe
        30⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142708.exe
        30⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143675.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144564.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        35⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146327.exe
        35⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147685.exe
        36⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150352.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150352.exe
        36⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144908.exe
        33⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145750.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147981.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150664.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150664.exe
        38⤵
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151241.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152583.exe
        42⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153098.exe
        44⤵
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153581.exe
        46⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154237.exe
        46⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155188.exe
        47⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157013.exe
        47⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153410.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153410.exe
        44⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154018.exe
        45⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154642.exe
        47⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155048.exe
        47⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156920.exe
        48⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        48⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154517.exe
        45⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152895.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152895.exe
        42⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153301.exe
        43⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153800.exe
        43⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152021.exe
        40⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152458.exe
        41⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152801.exe
        43⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153238.exe
        43⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153519.exe
        44⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154315.exe
        46⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
        46⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155360.exe
        47⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157091.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157091.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158261.exe
        51⤵
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158511.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158511.exe
        53⤵
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158948.exe
        55⤵
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159151.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159151.exe
        57⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159837.exe
        59⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160383.exe
        61⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161756.exe
        63⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162395.exe
        63⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162926.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165781.exe
        66⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165999.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165999.exe
        68⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        70⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166888.exe
        70⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167356.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167356.exe
        71⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167450.exe
        71⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166233.exe
        68⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166467.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166982.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        73⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168854.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168854.exe
        73⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169275.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169275.exe
        74⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169603.exe
        74⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168386.exe
        71⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168635.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168635.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169291.exe
        74⤵
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169930.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169930.exe
        76⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170617.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170617.exe
        76⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170991.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170991.exe
        77⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171943.exe
        77⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169587.exe
        74⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169712.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169712.exe
        75⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169743.exe
        75⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169041.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169041.exe
        72⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166763.exe
        69⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165843.exe
        66⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166280.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166748.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166748.exe
        69⤵
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167278.exe
        71⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167715.exe
        73⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168292.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168292.exe
        73⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168573.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
        76⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169540.exe
        78⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        82⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172286.exe
        82⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172426.exe
        83⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172457.exe
        83⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171896.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171896.exe
        80⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172099.exe
        81⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172598.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172598.exe
        83⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173035.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173035.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173269.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173269.exe
        87⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173503.exe
        89⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174080.exe
        89⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174657.exe
        90⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        90⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175765.exe
        91⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177122.exe
        91⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173315.exe
        87⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174064.exe
        88⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174251.exe
        88⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174501.exe
        89⤵
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175016.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175406.exe
        93⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175468.exe
        93⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175655.exe
        94⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175811.exe
        94⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176201.exe
        95⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176279.exe
        95⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        91⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175203.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175749.exe
        94⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176077.exe
        94⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176373.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176373.exe
        95⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177684.exe
        97⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177886.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177886.exe
        97⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179337.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180039.exe
        100⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180164.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180164.exe
        100⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180414.exe
        101⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181022.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181022.exe
        101⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181194.exe
        102⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185624.exe
        104⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186264.exe
        104⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186638.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186638.exe
        105⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188058.exe
        107⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188260.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188260.exe
        107⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188853.exe
        108⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190975.exe
        108⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192675.exe
        109⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193346.exe
        109⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186747.exe
        105⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187168.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        108⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192644.exe
        110⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193783.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193783.exe
        110⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197121.exe
        111⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199118.exe
        111⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206762.exe
        112⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191131.exe
        108⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193736.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193736.exe
        109⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197948.exe
        111⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203829.exe
        113⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207480.exe
        115⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210319.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210319.exe
        115⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213221.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213221.exe
        116⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217994.exe
        118⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217355.exe
        118⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214609.exe
        116⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218010.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218010.exe
        117⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222019.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222019.exe
        117⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233688.exe
        116⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205857.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205857.exe
        113⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209726.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209726.exe
        114⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210990.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210990.exe
        116⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211785.exe
        116⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215124.exe
        117⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218119.exe
        117⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222081.exe
        118⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227697.exe
        120⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232908.exe
        120⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233173.exe
        121⤵
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253438.exe
        123⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240833.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240833.exe
        121⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224390.exe
        118⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210101.exe
        114⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211177.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211177.exe
        115⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211801.exe
        115⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198213.exe
        111⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194298.exe
        109⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198026.exe
        110⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198790.exe
        110⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187761.exe
        106⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181958.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181958.exe
        102⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179680.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179680.exe
        98⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179914.exe
        99⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181147.exe
        101⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181412.exe
        101⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181708.exe
        102⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184782.exe
        104⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186685.exe
        106⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187746.exe
        106⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191037.exe
        107⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191334.exe
        107⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193408.exe
        108⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194360.exe
        108⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186014.exe
        104⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187356.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187356.exe
        105⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188104.exe
        105⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188806.exe
        106⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        108⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194344.exe
        110⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197028.exe
        110⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197558.exe
        111⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198354.exe
        111⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198744.exe
        112⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205436.exe
        114⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207604.exe
        114⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        115⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215093.exe
        117⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217869.exe
        117⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218743.exe
        118⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222300.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222300.exe
        118⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226605.exe
        119⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230661.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230661.exe
        121⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234062.exe
        123⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240396.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240396.exe
        124⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231426.exe
        121⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235513.exe
        122⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226871.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226871.exe
        119⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212737.exe
        115⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217854.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217854.exe
        116⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214625.exe
        116⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220911.exe
        118⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222284.exe
        118⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        119⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232799.exe
        119⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233750.exe
        120⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204016.exe
        112⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192862.exe
        108⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194688.exe
        109⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197620.exe
        109⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        110⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204500.exe
        110⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189462.exe
        106⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182036.exe
        102⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183019.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183019.exe
        103⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183908.exe
        103⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180570.exe
        99⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177028.exe
        95⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        96⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179431.exe
        96⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        92⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        93⤵
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176248.exe
        93⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174751.exe
        89⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173081.exe
        85⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173425.exe
        86⤵
        Drops file in System32 directory
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174517.exe
        88⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        89⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174907.exe
        88⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175687.exe
        89⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176841.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176841.exe
        89⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177512.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177512.exe
        90⤵
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179134.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179134.exe
        92⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179727.exe
        94⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180538.exe
        96⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180694.exe
        96⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        97⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        97⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183034.exe
        98⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        100⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186232.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186232.exe
        100⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186872.exe
        101⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        101⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        102⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191209.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191209.exe
        102⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183892.exe
        98⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180024.exe
        94⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180367.exe
        95⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181272.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181272.exe
        95⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181443.exe
        96⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181599.exe
        96⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179181.exe
        92⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179618.exe
        93⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180055.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180055.exe
        93⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180226.exe
        94⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181849.exe
        96⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182832.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182832.exe
        96⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183580.exe
        97⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183955.exe
        97⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185562.exe
        98⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186076.exe
        98⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181256.exe
        94⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178963.exe
        90⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173986.exe
        86⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174719.exe
        87⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        87⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172629.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172629.exe
        83⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172660.exe
        84⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172676.exe
        84⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172145.exe
        81⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169977.exe
        78⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170617.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170617.exe
        79⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        80⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171927.exe
        80⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170944.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170944.exe
        79⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169306.exe
        76⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169571.exe
        77⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169961.exe
        77⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168745.exe
        74⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167434.exe
        71⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168339.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168339.exe
        72⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168760.exe
        72⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167122.exe
        69⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168433.exe
        70⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168557.exe
        70⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166529.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166529.exe
        67⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        64⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        61⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        62⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        64⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162349.exe
        66⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162411.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162411.exe
        66⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163503.exe
        67⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165515.exe
        67⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162161.exe
        64⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162645.exe
        65⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163581.exe
        67⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        67⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165593.exe
        68⤵
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166311.exe
        70⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166607.exe
        70⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167107.exe
        71⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167621.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167621.exe
        71⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        68⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163347.exe
        65⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161943.exe
        62⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160196.exe
        59⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160648.exe
        60⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161631.exe
        60⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        57⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159853.exe
        58⤵
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160211.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160211.exe
        60⤵
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
        62⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        62⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
        63⤵
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162661.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162661.exe
        65⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163441.exe
        65⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163628.exe
        66⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165531.exe
        66⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162364.exe
        63⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        60⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        61⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        61⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159993.exe
        58⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        55⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159899.exe
        56⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160757.exe
        56⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158620.exe
        53⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158651.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158651.exe
        54⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158761.exe
        54⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        51⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158386.exe
        52⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158449.exe
        52⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158012.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158012.exe
        49⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        50⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159634.exe
        50⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156202.exe
        47⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154127.exe
        44⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152645.exe
        41⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151054.exe
        38⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151382.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151382.exe
        39⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152224.exe
        39⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149666.exe
        36⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151023.exe
        37⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151959.exe
        39⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152380.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152380.exe
        39⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152630.exe
        40⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153316.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153971.exe
        44⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        44⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155157.exe
        45⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156967.exe
        45⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        42⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154798.exe
        43⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155344.exe
        45⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156811.exe
        45⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157965.exe
        46⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        46⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155095.exe
        43⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153129.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153129.exe
        40⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151741.exe
        37⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147669.exe
        34⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144330.exe
        31⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141538.exe
        28⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142053.exe
        29⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143145.exe
        31⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
        31⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144299.exe
        32⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145110.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145110.exe
        32⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142630.exe
        29⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136406.exe
        26⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204796.exe
        26⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208213.exe
        28⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212347.exe
        30⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214562.exe
        30⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217292.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217292.exe
        31⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224843.exe
        33⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226449.exe
        33⤵
        Modifies registry class
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228836.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228836.exe
        34⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231317.exe
        34⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232518.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232518.exe
        35⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239803.exe
        37⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253609.exe
        37⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233454.exe
        35⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220787.exe
        31⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        32⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222986.exe
        32⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211317.exe
        28⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214843.exe
        29⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220818.exe
        29⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133894.exe
        23⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129900.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129900.exe
        20⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129417.exe
        18⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128403.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128403.exe
        16⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127498.exe
        14⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126718.exe
        12⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125688.exe
        10⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        8⤵
        Executes dropped EXE
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\tmp7122350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122350.exe
        6⤵
        Executes dropped EXE
        
        PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
      4⤵
      Executes dropped EXE
      PID:1588
- C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
  2⤵
  - Executes dropped EXE
  PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113817.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113817.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115080.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115080.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115658.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116438.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
2270dfc9822d537328d3bbd37714343d

SHA1
a94764ec7287fd2a7256062431d085c168229b79

SHA256
42044d76b6d755cd49d4df6de8ef210736520c700f65ce6cc45386d032343f96

SHA512
7981c992314693a00d3ec4223bacb04f3baaca99b228502696a1a696600618315341b20d7f4891f215a683935e4ad8b562a06a694daa30342cec29793de66d9d

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
42237bfb4805657e7b74ca19b2caef60

SHA1
66e0ae041268884579ec14eb5c37b174f815f8e5

SHA256
f039d5822033ef20247d749d7416019c66b15c6f4748cd4af2dd976f371635d8

SHA512
893f23977b2ce1c70c19f2121742cbd17c19908706be409c7210fed27bb03bcfac7f82e869e4b1c5a4d62e29601b7f611e8cd221da434c23198d502d307caa7f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
8c3d9b26f074075e8348eea602cdf000

SHA1
ac91d0fe8c3d02e133a4709def7e99ee19dffd16

SHA256
7e606488027c171cc73986593d1b1c366bf11c54e127032e213f3e0619eaa3c0

SHA512
570f253784e8efa2819453ed00a35a0c46cd5160da5b07ed2bd3e1393d84f677effd7c579da5c76542b65ab727e390cbfb778b02657aa383365c187a8019a9ba

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108232.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108232.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109152.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113817.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113817.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114363.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115080.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115080.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115658.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115876.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115876.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116438.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118060.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118060.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119230.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119667.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119667.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
f30bc236490e3bfe2d779e308c3fc7b0

SHA1
a6612da0e6ef0b7f2895a094849668c60cd85deb

SHA256
c1bf852888d442a99d2d3f349ce2312380183d2d6f80664999c37dc68e462388

SHA512
3a9ad0d3dbe17646eed1ad971ede716c30bed805d55be22f4beec39bff414fd9dd853fedf53d7aa115eaea0f33de19ce1d3b6955a6daf32d075fc11c84f7797a

Download Submit
memory/364-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/364-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/580-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1052-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1448-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1448-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-59-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1640-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-234-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1688-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-233-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1720-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-65-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1928-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-111-0x00000000024E0000-0x00000000024ED000-memory.dmp

Filesize
52KB

Download