3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
Size

5.2MB
MD5

788810168de6f1000118ff3923e105dd
SHA1

96d23b1692efd3a2608835eac6e2e11e4dc7b8d0
SHA256

3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b
SHA512

68f050d155dfd2554205bd477a78e85f76e0f20bdf34449cf15996e99303102479bfb9c9da4a355436e099c715bc85daf96a7df16ecfbb457c0993bb5da3e0b3
SSDEEP

12288:HPgdPrPFdPZdPiPFdPZdPFPFdPZdPhPgdPrPFdPZdPiPFdPZdPFPFdPZdPTPgdPc:

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1284	tmp7092133.exe
112	tmp7092257.exe
1752	tmp7092507.exe
368	tmp7092741.exe
1756	tmp7096469.exe
1092	tmp7092913.exe
296	tmp7093037.exe
1400	tmp7093318.exe
1612	notpad.exe
788	notpad.exe
1964	tmp7094332.exe
1976	tmp7093334.exe
1172	notpad.exe
1288	tmp7094800.exe
1100	tmp7094909.exe
1528	tmp7094566.exe
1608	notpad.exe
1408	notpad.exe
2012	tmp7104285.exe
1376	tmp7095752.exe
556	tmp7095955.exe
240	tmp7096095.exe
520	tmp7095221.exe
1592	notpad.exe
1584	tmp7096391.exe
1840	tmp7096423.exe
1340	tmp7096516.exe
1372	notpad.exe
1736	tmp7096781.exe
1756	tmp7096469.exe
1932	tmp7096828.exe
1216	tmp7096906.exe
1940	notpad.exe
372	tmp7097015.exe
1460	tmp7097187.exe
1348	tmp7097125.exe
1020	tmp7097249.exe
1676	tmp7097203.exe
788	notpad.exe
1456	tmp7097437.exe
1660	notpad.exe
1576	tmp7097452.exe
584	tmp7097468.exe
1508	tmp7097593.exe
2004	tmp7097686.exe
1724	notpad.exe
1844	tmp7103099.exe
904	tmp7097811.exe
2020	tmp7103630.exe
1408	notpad.exe
1568	tmp7104238.exe
2012	tmp7104285.exe
1528	notpad.exe
872	tmp7104769.exe
1784	tmp7104753.exe
1524	notpad.exe
1816	tmp7105814.exe
676	tmp7105907.exe
1516	tmp7106017.exe
1848	notpad.exe
432	tmp7106126.exe
692	tmp7106157.exe
1000	notpad.exe
1216	tmp7106391.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000142c8-59.dat	upx
behavioral1/files/0x00080000000142c8-60.dat	upx
behavioral1/memory/1220-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000142c8-64.dat	upx
behavioral1/files/0x00080000000142c8-62.dat	upx
behavioral1/files/0x00070000000146af-71.dat	upx
behavioral1/files/0x000700000001482d-75.dat	upx
behavioral1/files/0x00070000000146af-78.dat	upx
behavioral1/files/0x00070000000146af-80.dat	upx
behavioral1/files/0x00070000000146af-81.dat	upx
behavioral1/files/0x000700000001482d-77.dat	upx
behavioral1/memory/112-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000700000001482d-73.dat	upx
behavioral1/files/0x000700000001482d-72.dat	upx
behavioral1/memory/1756-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/368-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1756-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000146af-102.dat	upx
behavioral1/files/0x00070000000146af-105.dat	upx
behavioral1/files/0x00070000000146af-103.dat	upx
behavioral1/files/0x00090000000142d7-123.dat	upx
behavioral1/files/0x00070000000146af-125.dat	upx
behavioral1/files/0x00070000000146af-127.dat	upx
behavioral1/files/0x00070000000146af-147.dat	upx
behavioral1/memory/1608-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1608-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1592-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/372-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/788-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1676-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/584-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/788-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1660-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1756-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/520-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000144ba-150.dat	upx
behavioral1/files/0x00070000000146af-146.dat	upx
behavioral1/memory/1172-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000144ba-139.dat	upx
behavioral1/memory/1612-128-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000146af-124.dat	upx
behavioral1/files/0x00090000000142d7-122.dat	upx
behavioral1/memory/368-120-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000144ba-116.dat	upx
behavioral1/files/0x00090000000142d7-112.dat	upx
behavioral1/files/0x00090000000142d7-110.dat	upx
behavioral1/files/0x00070000000144ba-96.dat	upx
behavioral1/memory/1724-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1660-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/584-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1524-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1848-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1000-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
112	tmp7092257.exe
112	tmp7092257.exe
1284	tmp7092133.exe
112	tmp7092257.exe
112	tmp7092257.exe
1284	tmp7092133.exe
368	tmp7092741.exe
1756	tmp7096469.exe
368	tmp7092741.exe
1756	tmp7096469.exe
1756	tmp7096469.exe
1092	tmp7092913.exe
1092	tmp7092913.exe
1612	notpad.exe
1612	notpad.exe
368	tmp7092741.exe
1612	notpad.exe
368	tmp7092741.exe
788	notpad.exe
788	notpad.exe
1172	notpad.exe
1172	notpad.exe
1976	tmp7093334.exe
1976	tmp7093334.exe
1172	notpad.exe
1288	tmp7094800.exe
1288	tmp7094800.exe
1528	notpad.exe
1528	notpad.exe
1608	notpad.exe
1608	notpad.exe
1408	notpad.exe
1408	notpad.exe
1608	notpad.exe
1408	notpad.exe
1976	tmp7093334.exe
1976	tmp7093334.exe
2012	tmp7104285.exe
2012	tmp7104285.exe
520	tmp7095221.exe
520	tmp7095221.exe
1592	notpad.exe
1592	notpad.exe
1592	notpad.exe
1840	tmp7096423.exe
1840	tmp7096423.exe
1372	notpad.exe
1372	notpad.exe
520	tmp7095221.exe
520	tmp7095221.exe
1372	notpad.exe
1756	tmp7096469.exe
1756	tmp7096469.exe
1736	tmp7096781.exe
1736	tmp7096781.exe
1756	tmp7096469.exe
1756	tmp7096469.exe
372	tmp7097015.exe
372	tmp7097015.exe
1940	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106126.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7111352.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7119604.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107826.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7111087.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7119604.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119885.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7124362.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124362.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096423.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103630.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7108887.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7111087.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7125782.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128309.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7106126.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7107592.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118200.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7092133.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7096423.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7109776.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7110369.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7115767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7120072.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7108606.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7109402.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7115346.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108169.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7096423.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097452.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107436.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7109917.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7116422.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7108466.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7108606.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104285.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108887.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7119854.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7096781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108949.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109745.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7111352.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7128309.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118497.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7119277.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7096781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7105907.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7108559.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7117264.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7094800.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7119277.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7120743.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7107592.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7125782.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7115938.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7115938.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7117888.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7106875.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7107218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118497.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115938.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094800.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115346.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125844.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116063.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7111539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107826.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7111087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117264.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119854.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108949.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119885.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7111352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097452.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120400.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1284	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	27
PID 1220 wrote to memory of 1284	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	27
PID 1220 wrote to memory of 1284	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	27
PID 1220 wrote to memory of 1284	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	27
PID 1220 wrote to memory of 112	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	28
PID 1220 wrote to memory of 112	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	28
PID 1220 wrote to memory of 112	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	28
PID 1220 wrote to memory of 112	1220	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	28
PID 112 wrote to memory of 1752	112	tmp7092257.exe	29
PID 112 wrote to memory of 1752	112	tmp7092257.exe	29
PID 112 wrote to memory of 1752	112	tmp7092257.exe	29
PID 112 wrote to memory of 1752	112	tmp7092257.exe	29
PID 112 wrote to memory of 368	112	tmp7092257.exe	30
PID 112 wrote to memory of 368	112	tmp7092257.exe	30
PID 112 wrote to memory of 368	112	tmp7092257.exe	30
PID 112 wrote to memory of 368	112	tmp7092257.exe	30
PID 1284 wrote to memory of 1756	1284	tmp7092133.exe	56
PID 1284 wrote to memory of 1756	1284	tmp7092133.exe	56
PID 1284 wrote to memory of 1756	1284	tmp7092133.exe	56
PID 1284 wrote to memory of 1756	1284	tmp7092133.exe	56
PID 368 wrote to memory of 1092	368	tmp7092741.exe	32
PID 368 wrote to memory of 1092	368	tmp7092741.exe	32
PID 368 wrote to memory of 1092	368	tmp7092741.exe	32
PID 368 wrote to memory of 1092	368	tmp7092741.exe	32
PID 1756 wrote to memory of 296	1756	tmp7096469.exe	31
PID 1756 wrote to memory of 296	1756	tmp7096469.exe	31
PID 1756 wrote to memory of 296	1756	tmp7096469.exe	31
PID 1756 wrote to memory of 296	1756	tmp7096469.exe	31
PID 1756 wrote to memory of 1400	1756	tmp7096469.exe	34
PID 1756 wrote to memory of 1400	1756	tmp7096469.exe	34
PID 1756 wrote to memory of 1400	1756	tmp7096469.exe	34
PID 1756 wrote to memory of 1400	1756	tmp7096469.exe	34
PID 1092 wrote to memory of 1612	1092	tmp7092913.exe	35
PID 1092 wrote to memory of 1612	1092	tmp7092913.exe	35
PID 1092 wrote to memory of 1612	1092	tmp7092913.exe	35
PID 1092 wrote to memory of 1612	1092	tmp7092913.exe	35
PID 1612 wrote to memory of 788	1612	notpad.exe	49
PID 1612 wrote to memory of 788	1612	notpad.exe	49
PID 1612 wrote to memory of 788	1612	notpad.exe	49
PID 1612 wrote to memory of 788	1612	notpad.exe	49
PID 368 wrote to memory of 1976	368	tmp7092741.exe	70
PID 368 wrote to memory of 1976	368	tmp7092741.exe	70
PID 368 wrote to memory of 1976	368	tmp7092741.exe	70
PID 368 wrote to memory of 1976	368	tmp7092741.exe	70
PID 1612 wrote to memory of 1964	1612	notpad.exe	37
PID 1612 wrote to memory of 1964	1612	notpad.exe	37
PID 1612 wrote to memory of 1964	1612	notpad.exe	37
PID 1612 wrote to memory of 1964	1612	notpad.exe	37
PID 788 wrote to memory of 1172	788	notpad.exe	69
PID 788 wrote to memory of 1172	788	notpad.exe	69
PID 788 wrote to memory of 1172	788	notpad.exe	69
PID 788 wrote to memory of 1172	788	notpad.exe	69
PID 1172 wrote to memory of 1288	1172	notpad.exe	68
PID 1172 wrote to memory of 1288	1172	notpad.exe	68
PID 1172 wrote to memory of 1288	1172	notpad.exe	68
PID 1172 wrote to memory of 1288	1172	notpad.exe	68
PID 1976 wrote to memory of 1528	1976	tmp7093334.exe	67
PID 1976 wrote to memory of 1528	1976	tmp7093334.exe	67
PID 1976 wrote to memory of 1528	1976	tmp7093334.exe	67
PID 1976 wrote to memory of 1528	1976	tmp7093334.exe	67
PID 1172 wrote to memory of 1100	1172	notpad.exe	66
PID 1172 wrote to memory of 1100	1172	notpad.exe	66
PID 1172 wrote to memory of 1100	1172	notpad.exe	66
PID 1172 wrote to memory of 1100	1172	notpad.exe	66

C:\Users\Admin\AppData\Local\Temp\3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
"C:\Users\Admin\AppData\Local\Temp\3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093318.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093318.exe
      4⤵
      Executes dropped EXE
      PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\tmp7097015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7097015.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\tmp7096906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7096906.exe
      4⤵
      Executes dropped EXE
      PID:1216
- C:\Users\Admin\AppData\Local\Temp\tmp7092257.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7092257.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\tmp7092507.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7092507.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\tmp7092913.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7092913.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe
        6⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097593.exe
        7⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097452.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103630.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104769.exe
        11⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105814.exe
        11⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
        9⤵
        Executes dropped EXE
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\tmp7094332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094332.exe
        6⤵
        Executes dropped EXE
        
        PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
1⤵
- Executes dropped EXE
PID:296

C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
1⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Temp\tmp7095221.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095221.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520
- C:\Users\Admin\AppData\Local\Temp\tmp7096391.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096391.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7096781.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096781.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1736
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\tmp7097125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097125.exe
    3⤵
    - Executes dropped EXE
    PID:1348

C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097203.exe
1⤵
- Executes dropped EXE
PID:1676
- C:\Users\Admin\AppData\Local\Temp\tmp7097437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097437.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1456
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\tmp7097686.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7097686.exe
      4⤵
      Executes dropped EXE
      PID:2004
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106126.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106391.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106391.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106547.exe
        14⤵
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106734.exe
        16⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106875.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107046.exe
        20⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107218.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107436.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107592.exe
        26⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107826.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108045.exe
        30⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108232.exe
        32⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108294.exe
        32⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108466.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108466.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108606.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108949.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109308.exe
        39⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109433.exe
        39⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109714.exe
        40⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109792.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109792.exe
        40⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109137.exe
        37⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109261.exe
        38⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109355.exe
        38⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108747.exe
        35⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108887.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109199.exe
        38⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109527.exe
        40⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109698.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109698.exe
        40⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109776.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110088.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110088.exe
        43⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110197.exe
        43⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110463.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110463.exe
        44⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110556.exe
        44⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109839.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109839.exe
        41⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109293.exe
        38⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109402.exe
        39⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109745.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109901.exe
        43⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110073.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110073.exe
        43⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110369.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110634.exe
        46⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110697.exe
        46⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110853.exe
        47⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110946.exe
        47⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109807.exe
        41⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109917.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110447.exe
        44⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110790.exe
        46⤵
        
        PID:824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111133.exe
        48⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111274.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111274.exe
        48⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111352.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111352.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114706.exe
        51⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115268.exe
        51⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115346.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115533.exe
        54⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115782.exe
        56⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115814.exe
        56⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116063.exe
        57⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116157.exe
        59⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116313.exe
        59⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116531.exe
        60⤵
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116921.exe
        62⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117264.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117545.exe
        66⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117561.exe
        66⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117717.exe
        67⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
        67⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117342.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117342.exe
        64⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117483.exe
        65⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117701.exe
        67⤵
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        69⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118154.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118154.exe
        69⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118263.exe
        70⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe
        70⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117779.exe
        67⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117888.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118200.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118200.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118497.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        74⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        74⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118824.exe
        75⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119183.exe
        77⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        79⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119495.exe
        79⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        80⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119807.exe
        80⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119916.exe
        81⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        81⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
        77⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119277.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119604.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119854.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119854.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        82⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120072.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120400.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120400.exe
        85⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120743.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120915.exe
        89⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120946.exe
        89⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125174.exe
        90⤵
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125844.exe
        92⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128418.exe
        94⤵
        
        PID:808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130571.exe
        96⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135438.exe
        98⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135657.exe
        98⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        99⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139058.exe
        99⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
        100⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152552.exe
        102⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154268.exe
        102⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158792.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158792.exe
        103⤵
        
        PID:584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159478.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159478.exe
        103⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163425.exe
        104⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166514.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166514.exe
        104⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147731.exe
        100⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134034.exe
        96⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135626.exe
        97⤵
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        97⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129729.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129729.exe
        94⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130337.exe
        95⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134081.exe
        95⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136250.exe
        96⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138122.exe
        96⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        92⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        93⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128528.exe
        93⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130010.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130010.exe
        94⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125298.exe
        90⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        91⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125969.exe
        91⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120837.exe
        87⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124347.exe
        88⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124799.exe
        88⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125080.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125080.exe
        89⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125408.exe
        89⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120462.exe
        85⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120852.exe
        86⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124628.exe
        88⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125033.exe
        88⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125283.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125283.exe
        89⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125501.exe
        89⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125782.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127186.exe
        92⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128434.exe
        92⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129885.exe
        93⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133894.exe
        95⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135610.exe
        95⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        96⤵
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151912.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151912.exe
        98⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        100⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159119.exe
        100⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        101⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        101⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166592.exe
        102⤵
        
        PID:292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169072.exe
        104⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171943.exe
        105⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178479.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178479.exe
        107⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180289.exe
        107⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181802.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181802.exe
        108⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188869.exe
        110⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190039.exe
        110⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192098.exe
        111⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193284.exe
        111⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199321.exe
        112⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208853.exe
        114⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218681.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218681.exe
        116⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222393.exe
        116⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226231.exe
        117⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228072.exe
        118⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223641.exe
        117⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209040.exe
        114⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213002.exe
        115⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232424.exe
        117⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232736.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232736.exe
        117⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223501.exe
        115⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232393.exe
        116⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227198.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227198.exe
        116⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200647.exe
        112⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182613.exe
        108⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183580.exe
        109⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
        109⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174548.exe
        105⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175718.exe
        106⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180336.exe
        106⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166997.exe
        102⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154049.exe
        98⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        99⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        101⤵
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168464.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168464.exe
        103⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170102.exe
        104⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171272.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171272.exe
        104⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171755.exe
        105⤵
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181880.exe
        107⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192784.exe
        109⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195093.exe
        110⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200725.exe
        110⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212768.exe
        111⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213564.exe
        111⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191521.exe
        109⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226153.exe
        111⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184017.exe
        107⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        108⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199305.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199305.exe
        108⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200553.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200553.exe
        109⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201099.exe
        109⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176638.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176638.exe
        105⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166904.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166904.exe
        103⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170632.exe
        105⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171584.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171584.exe
        105⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173861.exe
        106⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175624.exe
        106⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181693.exe
        107⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187059.exe
        107⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163409.exe
        101⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167653.exe
        102⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233376.exe
        104⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168682.exe
        102⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168885.exe
        103⤵
        
        PID:928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        105⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176981.exe
        105⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181381.exe
        106⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        106⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        107⤵
        
        PID:296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195826.exe
        109⤵
        
        PID:544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201271.exe
        111⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216684.exe
        111⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223548.exe
        112⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226371.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226371.exe
        112⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232752.exe
        113⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198884.exe
        109⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193050.exe
        107⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170554.exe
        103⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158293.exe
        99⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159650.exe
        100⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161865.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161865.exe
        100⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141117.exe
        96⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146093.exe
        97⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148246.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148246.exe
        97⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130821.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130821.exe
        93⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        94⤵
        
        PID:544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154159.exe
        96⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156311.exe
        96⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159509.exe
        97⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        97⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163519.exe
        98⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166623.exe
        98⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139011.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139011.exe
        94⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125813.exe
        90⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120930.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120930.exe
        86⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125236.exe
        89⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125720.exe
        89⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126016.exe
        90⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126843.exe
        90⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129776.exe
        93⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130166.exe
        93⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134097.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134097.exe
        94⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
        96⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139073.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139073.exe
        96⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142365.exe
        97⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147591.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147591.exe
        97⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152053.exe
        98⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152645.exe
        98⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135641.exe
        94⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139167.exe
        95⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145454.exe
        95⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128340.exe
        91⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124940.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124940.exe
        87⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
        83⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120431.exe
        84⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120509.exe
        84⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119636.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119636.exe
        80⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119714.exe
        81⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119760.exe
        81⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119885.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
        84⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120322.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120322.exe
        84⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120384.exe
        85⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
        85⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120540.exe
        86⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120868.exe
        88⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120962.exe
        88⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125064.exe
        89⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125470.exe
        89⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125938.exe
        90⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        90⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120618.exe
        86⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119963.exe
        82⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        78⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119417.exe
        79⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119448.exe
        79⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118856.exe
        75⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118528.exe
        72⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118590.exe
        73⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118809.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118809.exe
        75⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        75⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118887.exe
        76⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119012.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119012.exe
        76⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118622.exe
        73⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118294.exe
        70⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118388.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118388.exe
        71⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118419.exe
        71⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118122.exe
        68⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117530.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117530.exe
        65⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116999.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116999.exe
        62⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117140.exe
        63⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129916.exe
        64⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117280.exe
        63⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116687.exe
        60⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116110.exe
        57⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115595.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115595.exe
        54⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115767.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115938.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        59⤵
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116422.exe
        61⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
        63⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116843.exe
        63⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116984.exe
        64⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117062.exe
        64⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116469.exe
        61⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116625.exe
        62⤵
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117046.exe
        64⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117124.exe
        64⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117218.exe
        65⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117296.exe
        65⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116812.exe
        62⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116328.exe
        59⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116484.exe
        60⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
        60⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115970.exe
        57⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe
        58⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116126.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116126.exe
        58⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe
        55⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115392.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115392.exe
        52⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111383.exe
        49⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110899.exe
        46⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111087.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111367.exe
        49⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111445.exe
        49⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111539.exe
        50⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        52⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115439.exe
        52⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115548.exe
        53⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115580.exe
        53⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115205.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115205.exe
        50⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111165.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111165.exe
        47⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110572.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110572.exe
        44⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110775.exe
        45⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110931.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110931.exe
        45⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110104.exe
        42⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109542.exe
        39⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108934.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108934.exe
        36⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108497.exe
        33⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108060.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108060.exe
        30⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108169.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108419.exe
        33⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108481.exe
        33⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108559.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
        36⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108918.exe
        36⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108965.exe
        37⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109105.exe
        37⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108622.exe
        34⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108263.exe
        31⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107889.exe
        28⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107639.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107639.exe
        26⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107514.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107514.exe
        24⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
        22⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107077.exe
        20⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106890.exe
        18⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106765.exe
        16⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106563.exe
        14⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106422.exe
        12⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106157.exe
        10⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106017.exe
        8⤵
        Executes dropped EXE
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\tmp7104753.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104753.exe
        6⤵
        Executes dropped EXE
        
        PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\tmp7103099.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7103099.exe
      4⤵
      Executes dropped EXE
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\tmp7097468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097468.exe
  2⤵
  - Executes dropped EXE
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\tmp7097811.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097811.exe
    3⤵
    - Executes dropped EXE
    PID:904

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp7097187.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097187.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1460

C:\Users\Admin\AppData\Local\Temp\tmp7096828.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096828.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372

C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096423.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1840

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592

C:\Users\Admin\AppData\Local\Temp\tmp7096095.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096095.exe
1⤵
- Executes dropped EXE
PID:240

C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\tmp7095533.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095533.exe
1⤵
PID:2012

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1408

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp7094800.exe
C:\Users\Admin\AppData\Local\Temp\tmp7094800.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp7168854.exe
C:\Users\Admin\AppData\Local\Temp\tmp7168854.exe
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092133.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092257.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092257.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092507.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092741.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092913.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7092913.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093318.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094332.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094566.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094800.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094800.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092133.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092133.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092257.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092257.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092507.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092507.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092741.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092741.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092913.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7092913.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093037.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093318.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093334.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094145.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094332.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094566.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094566.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094800.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094800.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094909.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
648KB

MD5
3e9a32e9258ace1ae8689b9535693301

SHA1
823f4d7f846bb32e454ee29f7f96de4037f077bf

SHA256
af96adab1bf9f17c8c25c63b1df0037c7df499376d546388937a88b42790542c

SHA512
e1972a8d38f68bcfdf62472c89158e97db68f972858bd986d761d6b32a7da790e04a19667972cc7aba76abd61635bac9ea4a3679e952df4be5dbb0361879c632

Download Submit
memory/112-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/292-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/876-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1040-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-58-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1360-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-205-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download
memory/1480-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-156-0x0000000001FD0000-0x0000000001FEF000-memory.dmp

Filesize
124KB

Download
memory/1576-329-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1660-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1660-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1848-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1872-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1884-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download