efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e

Analysis

max time kernel
155s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
Size

5.0MB
MD5

fd44b792442b6b9fd52a8ce8d61c813c
SHA1

7223dbab4765d52d6c92bd192d58d814144fc907
SHA256

efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e
SHA512

21cf3e2b425d437203ba1defe7226b3a98a899e8840520c118ed4f180b78010dc7831c922c80292c8359a711e687948e16a01f02b9962bb26703a14301882a75
SSDEEP

98304:hrtirtitrtvrtit6rt3rtcrtirtitrtyrtit6rt3rtcrtirtitrtyt:b20JR0u5420Jm0u5420Jk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1968	tmp7109090.exe
1352	tmp7110088.exe
976	notpad.exe
1716	tmp7112615.exe
520	tmp7113770.exe
1304	notpad.exe
1508	tmp7114253.exe
576	tmp7115455.exe
2016	notpad.exe
1940	tmp7115798.exe
284	tmp7116594.exe
1660	notpad.exe
984	tmp7151257.exe
1440	tmp7118575.exe
1624	tmp7172255.exe
1476	tmp7136000.exe
944	tmp7167855.exe
1496	tmp7175265.exe
1592	notpad.exe
1692	tmp7121133.exe
1952	notpad.exe
1344	notpad.exe
1812	tmp7177933.exe
976	tmp7123083.exe
1716	tmp7145578.exe
1076	notpad.exe
1568	tmp7182535.exe
2024	tmp7127997.exe
1936	tmp7147185.exe
896	tmp7167216.exe
1604	tmp7130212.exe
1784	tmp7166826.exe
1672	notpad.exe
1460	notpad.exe
428	tmp7167731.exe
452	tmp7132896.exe
1104	tmp7173003.exe
1844	tmp7168479.exe
676	tmp7159010.exe
1624	tmp7172255.exe
552	tmp7155485.exe
1476	tmp7136000.exe
1840	notpad.exe
1596	notpad.exe
1032	notpad.exe
1228	tmp7136343.exe
1684	tmp7137810.exe
268	tmp7164891.exe
1984	notpad.exe
1344	notpad.exe
760	tmp7156015.exe
1640	tmp7177075.exe
860	tmp7143831.exe
1060	tmp7144018.exe
1076	notpad.exe
2020	tmp7145734.exe
1716	tmp7145578.exe
576	tmp7166436.exe
1296	tmp7177637.exe
1568	tmp7182535.exe
1156	tmp7145953.exe
616	tmp7146593.exe
1620	notpad.exe
1672	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122e0-71.dat	upx
behavioral1/files/0x00090000000122e0-74.dat	upx
behavioral1/files/0x00090000000122e0-72.dat	upx
behavioral1/files/0x00090000000122e0-75.dat	upx
behavioral1/memory/976-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122cc-82.dat	upx
behavioral1/files/0x00090000000122e0-91.dat	upx
behavioral1/files/0x00090000000122e0-90.dat	upx
behavioral1/files/0x00090000000122e0-93.dat	upx
behavioral1/memory/976-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1304-98-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1304-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122e0-112.dat	upx
behavioral1/files/0x00090000000122e0-110.dat	upx
behavioral1/files/0x00090000000122e0-109.dat	upx
behavioral1/files/0x000a0000000122cc-102.dat	upx
behavioral1/files/0x000a0000000122cc-118.dat	upx
behavioral1/memory/2016-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122e0-129.dat	upx
behavioral1/files/0x00090000000122e0-127.dat	upx
behavioral1/files/0x00090000000122e0-126.dat	upx
behavioral1/memory/1660-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122cc-137.dat	upx
behavioral1/files/0x00090000000122e0-146.dat	upx
behavioral1/files/0x00090000000122e0-144.dat	upx
behavioral1/files/0x00090000000122e0-143.dat	upx
behavioral1/memory/1624-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122cc-154.dat	upx
behavioral1/memory/1496-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1496-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1952-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1952-171-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1812-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-180-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1784-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1460-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1844-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1104-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1784-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1624-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1844-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1596-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1840-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1460-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1104-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1624-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1596-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1228-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/268-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1228-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/268-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1840-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1296-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1968	tmp7109090.exe
1968	tmp7109090.exe
976	notpad.exe
976	notpad.exe
976	notpad.exe
1716	tmp7123536.exe
1716	tmp7123536.exe
1304	notpad.exe
1304	notpad.exe
1304	notpad.exe
1508	tmp7114253.exe
1508	tmp7114253.exe
2016	notpad.exe
2016	notpad.exe
2016	notpad.exe
1940	tmp7115798.exe
1940	tmp7115798.exe
1660	notpad.exe
1660	notpad.exe
1660	notpad.exe
984	tmp7151257.exe
984	tmp7151257.exe
1624	tmp7172255.exe
1624	tmp7172255.exe
1624	tmp7172255.exe
1476	tmp7136000.exe
1476	tmp7136000.exe
1496	tmp7175265.exe
1496	tmp7175265.exe
1496	tmp7175265.exe
1592	notpad.exe
1592	notpad.exe
1952	notpad.exe
1952	notpad.exe
1344	notpad.exe
1344	notpad.exe
1952	notpad.exe
1812	tmp7177933.exe
1812	tmp7177933.exe
1812	tmp7177933.exe
1716	tmp7145578.exe
1716	tmp7145578.exe
1568	tmp7182535.exe
1568	tmp7182535.exe
2024	tmp7127997.exe
2024	tmp7127997.exe
1568	tmp7182535.exe
1936	tmp7147185.exe
1568	tmp7182535.exe
1936	tmp7147185.exe
896	tmp7167216.exe
896	tmp7167216.exe
1604	tmp7130212.exe
1604	tmp7130212.exe
1672	notpad.exe
1672	notpad.exe
1604	tmp7130212.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7223517.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7251675.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7173113.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7157903.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7199820.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7197012.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147185.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7156779.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7229055.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7173003.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7211988.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7127997.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7171724.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7244374.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7203954.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109090.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7143831.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7143831.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7185421.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7174563.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7197012.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7244374.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7159837.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7197808.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7226683.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7109090.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145953.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7211551.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7159837.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7185796.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7211551.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7229055.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7247837.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7176030.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7240958.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7171724.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7197761.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7202300.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7167216.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7159369.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168479.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7197761.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7231597.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7184470.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168479.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7197012.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7247837.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7203954.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7132896.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7132896.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7184470.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7173003.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176030.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7216824.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7112615.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7164891.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1724	1352	WerFault.exe	27

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7230989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7218259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7248695.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7176030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7197808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7197012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203954.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7244374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7251675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164891.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7171724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7202300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7247837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7223517.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7225279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7197761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7249538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7185421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7201552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7211988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7226683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7211551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7237198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7185796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7185109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7194672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7229055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7199820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7198603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7204640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7238914.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7127997.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1968	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	26
PID 1976 wrote to memory of 1968	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	26
PID 1976 wrote to memory of 1968	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	26
PID 1976 wrote to memory of 1968	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	26
PID 1976 wrote to memory of 1352	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	27
PID 1976 wrote to memory of 1352	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	27
PID 1976 wrote to memory of 1352	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	27
PID 1976 wrote to memory of 1352	1976	efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe	27
PID 1352 wrote to memory of 1724	1352	tmp7110088.exe	28
PID 1352 wrote to memory of 1724	1352	tmp7110088.exe	28
PID 1352 wrote to memory of 1724	1352	tmp7110088.exe	28
PID 1352 wrote to memory of 1724	1352	tmp7110088.exe	28
PID 1968 wrote to memory of 976	1968	tmp7109090.exe	29
PID 1968 wrote to memory of 976	1968	tmp7109090.exe	29
PID 1968 wrote to memory of 976	1968	tmp7109090.exe	29
PID 1968 wrote to memory of 976	1968	tmp7109090.exe	29
PID 976 wrote to memory of 1716	976	notpad.exe	30
PID 976 wrote to memory of 1716	976	notpad.exe	30
PID 976 wrote to memory of 1716	976	notpad.exe	30
PID 976 wrote to memory of 1716	976	notpad.exe	30
PID 976 wrote to memory of 520	976	tmp7123083.exe	31
PID 976 wrote to memory of 520	976	tmp7123083.exe	31
PID 976 wrote to memory of 520	976	tmp7123083.exe	31
PID 976 wrote to memory of 520	976	tmp7123083.exe	31
PID 1716 wrote to memory of 1304	1716	tmp7123536.exe	32
PID 1716 wrote to memory of 1304	1716	tmp7123536.exe	32
PID 1716 wrote to memory of 1304	1716	tmp7123536.exe	32
PID 1716 wrote to memory of 1304	1716	tmp7123536.exe	32
PID 1304 wrote to memory of 1508	1304	notpad.exe	33
PID 1304 wrote to memory of 1508	1304	notpad.exe	33
PID 1304 wrote to memory of 1508	1304	notpad.exe	33
PID 1304 wrote to memory of 1508	1304	notpad.exe	33
PID 1304 wrote to memory of 576	1304	notpad.exe	34
PID 1304 wrote to memory of 576	1304	notpad.exe	34
PID 1304 wrote to memory of 576	1304	notpad.exe	34
PID 1304 wrote to memory of 576	1304	notpad.exe	34
PID 1508 wrote to memory of 2016	1508	tmp7114253.exe	35
PID 1508 wrote to memory of 2016	1508	tmp7114253.exe	35
PID 1508 wrote to memory of 2016	1508	tmp7114253.exe	35
PID 1508 wrote to memory of 2016	1508	tmp7114253.exe	35
PID 2016 wrote to memory of 1940	2016	notpad.exe	37
PID 2016 wrote to memory of 1940	2016	notpad.exe	37
PID 2016 wrote to memory of 1940	2016	notpad.exe	37
PID 2016 wrote to memory of 1940	2016	notpad.exe	37
PID 2016 wrote to memory of 284	2016	notpad.exe	36
PID 2016 wrote to memory of 284	2016	notpad.exe	36
PID 2016 wrote to memory of 284	2016	notpad.exe	36
PID 2016 wrote to memory of 284	2016	notpad.exe	36
PID 1940 wrote to memory of 1660	1940	tmp7115798.exe	38
PID 1940 wrote to memory of 1660	1940	tmp7115798.exe	38
PID 1940 wrote to memory of 1660	1940	tmp7115798.exe	38
PID 1940 wrote to memory of 1660	1940	tmp7115798.exe	38
PID 1660 wrote to memory of 984	1660	notpad.exe	102
PID 1660 wrote to memory of 984	1660	notpad.exe	102
PID 1660 wrote to memory of 984	1660	notpad.exe	102
PID 1660 wrote to memory of 984	1660	notpad.exe	102
PID 1660 wrote to memory of 1440	1660	notpad.exe	39
PID 1660 wrote to memory of 1440	1660	notpad.exe	39
PID 1660 wrote to memory of 1440	1660	notpad.exe	39
PID 1660 wrote to memory of 1440	1660	notpad.exe	39
PID 984 wrote to memory of 1624	984	tmp7151257.exe	191
PID 984 wrote to memory of 1624	984	tmp7151257.exe	191
PID 984 wrote to memory of 1624	984	tmp7151257.exe	191
PID 984 wrote to memory of 1624	984	tmp7151257.exe	191

C:\Users\Admin\AppData\Local\Temp\efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe
"C:\Users\Admin\AppData\Local\Temp\efa171ab103ad36a40d9202c94509dedfc23294a7985e00d47742ef3488a258e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\tmp7112615.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7112615.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1716
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116594.exe
        8⤵
        Executes dropped EXE
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        10⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117327.exe
        10⤵
        
        PID:984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120182.exe
        14⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121679.exe
        16⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123536.exe
        18⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130852.exe
        22⤵
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132896.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132896.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135236.exe
        26⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137700.exe
        26⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144018.exe
        27⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145734.exe
        27⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135048.exe
        24⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143800.exe
        25⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137810.exe
        25⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132084.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132084.exe
        22⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140618.exe
        25⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        27⤵
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147185.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147185.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153269.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153269.exe
        31⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156171.exe
        33⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158979.exe
        35⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        35⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        36⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158605.exe
        33⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159369.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161522.exe
        36⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164283.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164283.exe
        36⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165983.exe
        37⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167419.exe
        39⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167824.exe
        39⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169025.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169025.exe
        40⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        40⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166514.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166514.exe
        37⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160289.exe
        34⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155516.exe
        31⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        32⤵
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157622.exe
        34⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159837.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        32⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150976.exe
        29⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155329.exe
        30⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156608.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156608.exe
        32⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157903.exe
        34⤵
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159977.exe
        36⤵
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165125.exe
        38⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166670.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166670.exe
        40⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167855.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171724.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175109.exe
        46⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178666.exe
        48⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        50⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185140.exe
        50⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187527.exe
        51⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197012.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197012.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199820.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202488.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202488.exe
        55⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204812.exe
        56⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206700.exe
        56⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199102.exe
        53⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202300.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202300.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205545.exe
        56⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226683.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229055.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229055.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230989.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230989.exe
        61⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232440.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232440.exe
        63⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233813.exe
        63⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235061.exe
        64⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236933.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236933.exe
        66⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237962.exe
        66⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238945.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238945.exe
        67⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239881.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239881.exe
        67⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235685.exe
        64⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231473.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231473.exe
        61⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232268.exe
        62⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233859.exe
        62⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229476.exe
        59⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        60⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235357.exe
        62⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235965.exe
        62⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237198.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237198.exe
        63⤵
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238914.exe
        65⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240958.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240958.exe
        67⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244374.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247837.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249538.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249538.exe
        73⤵
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251675.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253625.exe
        77⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252299.exe
        75⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253172.exe
        76⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255310.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255310.exe
        78⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254498.exe
        76⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255091.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255091.exe
        77⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250380.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250380.exe
        73⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253266.exe
        74⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248118.exe
        71⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248695.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248695.exe
        72⤵
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250224.exe
        74⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250567.exe
        74⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251488.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7251488.exe
        75⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252580.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252580.exe
        75⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254935.exe
        76⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249491.exe
        72⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246558.exe
        69⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247603.exe
        70⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248352.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248352.exe
        70⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242143.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242143.exe
        67⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242596.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242596.exe
        68⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244218.exe
        68⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239444.exe
        65⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241722.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241722.exe
        66⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242533.exe
        66⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237307.exe
        63⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        60⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226746.exe
        57⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210194.exe
        56⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211551.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211551.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215982.exe
        59⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217308.exe
        59⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218353.exe
        60⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        60⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212253.exe
        57⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204266.exe
        54⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194391.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194391.exe
        51⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182566.exe
        48⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185109.exe
        49⤵
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187496.exe
        51⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        51⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194672.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194672.exe
        52⤵
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198603.exe
        54⤵
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202519.exe
        56⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203517.exe
        56⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205140.exe
        57⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        57⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201879.exe
        54⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204094.exe
        55⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205077.exe
        55⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197808.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197808.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185546.exe
        49⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177933.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177933.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182535.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182535.exe
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        49⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185796.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196762.exe
        50⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198307.exe
        50⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183846.exe
        47⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173113.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175125.exe
        45⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177075.exe
        45⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169353.exe
        42⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172255.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172255.exe
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174283.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174283.exe
        43⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        40⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168479.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168479.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173846.exe
        43⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174563.exe
        43⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177403.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177403.exe
        44⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181240.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181240.exe
        46⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        Modifies registry class
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        50⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        50⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197761.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201552.exe
        53⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203954.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210756.exe
        57⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212269.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212269.exe
        57⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215498.exe
        58⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218603.exe
        58⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208775.exe
        55⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210553.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210553.exe
        56⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215420.exe
        56⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203236.exe
        53⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204640.exe
        54⤵
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209445.exe
        56⤵
        
        PID:552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211988.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211988.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217043.exe
        60⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217511.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217511.exe
        60⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219679.exe
        61⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220771.exe
        61⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215483.exe
        58⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216824.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218259.exe
        61⤵
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219710.exe
        63⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221941.exe
        63⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225279.exe
        64⤵
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226995.exe
        66⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227604.exe
        66⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228509.exe
        67⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230365.exe
        67⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226184.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226184.exe
        64⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218540.exe
        61⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219663.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219663.exe
        62⤵
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223517.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225732.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225732.exe
        66⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226106.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226106.exe
        66⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224297.exe
        64⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224780.exe
        65⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225264.exe
        65⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219882.exe
        62⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216933.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216933.exe
        59⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211505.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211505.exe
        56⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212066.exe
        57⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212222.exe
        57⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205124.exe
        54⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200803.exe
        51⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187480.exe
        48⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194142.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194142.exe
        49⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195452.exe
        49⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184470.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        47⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195405.exe
        47⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180445.exe
        44⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171709.exe
        41⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166233.exe
        38⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166436.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166436.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166919.exe
        39⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164564.exe
        36⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168121.exe
        37⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159010.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159010.exe
        34⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160508.exe
        35⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164891.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165734.exe
        39⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        39⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167200.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167200.exe
        40⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168183.exe
        40⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165453.exe
        37⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167731.exe
        38⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166826.exe
        38⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        35⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157653.exe
        32⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158823.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158823.exe
        33⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159603.exe
        33⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156233.exe
        30⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146593.exe
        27⤵
        Executes dropped EXE
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147903.exe
        28⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153020.exe
        28⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140025.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140025.exe
        23⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130212.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132100.exe
        21⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134331.exe
        23⤵
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140087.exe
        25⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144939.exe
        25⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146998.exe
        26⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148387.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148387.exe
        28⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        28⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156779.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158137.exe
        31⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158807.exe
        31⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160009.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160009.exe
        32⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163846.exe
        32⤵
        Modifies registry class
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        29⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147856.exe
        26⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136343.exe
        23⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143831.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
        28⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151257.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154970.exe
        29⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156031.exe
        29⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147295.exe
        26⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149354.exe
        27⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
        29⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        29⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158043.exe
        30⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159244.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159244.exe
        30⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154018.exe
        27⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168589.exe
        28⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169571.exe
        28⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173003.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176030.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        33⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180414.exe
        33⤵
        Modifies registry class
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        34⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184719.exe
        34⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176482.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176482.exe
        31⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176716.exe
        32⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177637.exe
        32⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175265.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145578.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134081.exe
        21⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
        18⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123083.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe
        14⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119667.exe
        12⤵
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\tmp7115455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115455.exe
        6⤵
        Executes dropped EXE
        
        PID:576
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113770.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113770.exe
      4⤵
      Executes dropped EXE
      PID:520
- C:\Users\Admin\AppData\Local\Temp\tmp7110088.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7110088.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7109090.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112615.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112615.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113770.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115455.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115798.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116594.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7117327.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7117327.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119136.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.8MB

MD5
93839d843bc65acc637d0f90361262dc

SHA1
6b2a08eae9b9dee1163b4f156316c3ddee5144dd

SHA256
098a0e29b54701fcf164c4b121ad2cb5d5ec82af35144605896f82605f3f0d6b

SHA512
8b9327f12510871e670c4afae6d2d8944016c9b0da17f5b4357aadf8964f1cccdf5880d856cd2a52740b9c7484ab05ff991b19ad68cae4b12a44984ef7837221

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.8MB

MD5
f5f0b8c84af6801ab40cd2527ef5a1f8

SHA1
993de424bbbe60873fa7a20062830b586b9c18cf

SHA256
3da47f12953b83035f24a7573683dc2ae11b85363c142e52434d1564337bf7ac

SHA512
d3c92f98c039080526f1c2516f000f448c449db8841b74f4028dc354a77b50026559b552a39171a18bfb3dcba1e9f7f128b5ddc7dee744b1cc8c0704ef9963da

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.4MB

MD5
5c32a658d08cd3232d6e03f7de38443f

SHA1
6077be7feb665f29a35dee976c2e4bed8b88a105

SHA256
fd1cf25337d090d89d3557dc45342b5a1187c699b0f429d3e65f8f695968299d

SHA512
e0b602b8184da89ee8a7dcd370fcec85235dbea6e67455ff07e47aeaf0ae4e957e6007b217a49bffe4f12c8f3aa61b01cdb9a2e77da5ef2161228570861dd49a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109090.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109090.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110088.exe

Filesize
136KB

MD5
8223e8d4f917d219daacd6c5fd237c43

SHA1
8c0a757567a837ad2d7a2635eeac0b84efe10e6b

SHA256
30e0915ade78f222897c74ad81dd12ec8a1aa5002fd86cf3da290dd6a4611731

SHA512
0f8e5530dc09a583fd487fa4d36e860b42d8253180a5de5f82d26f42ed63a584a04f20e0f4a38db60d1b206b1f462db81b736ea40438fc324430851d36a6e85b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112615.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112615.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113770.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114253.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114253.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115455.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115798.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115798.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116594.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7117327.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7117327.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118575.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119136.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119136.exe

Filesize
4.8MB

MD5
0a0be6124061c0e71cc2de054590f8f3

SHA1
ed908ce8409e0ff7daee5c8b64271ad936ffd64b

SHA256
95e1c13ad0573dd608e3d861fafe7af87023dfc6d0f98fe8710b178f6505adff

SHA512
c03e8e3df69169960efe17013df9f28a6cb5f511f4bcfefe547650e09357d2d714cd0b9f17ff81191cb7f4dc48241448bee9269821a4cfa935423ebb14c70292

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119667.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
5.0MB

MD5
976a45ce45d76f339883bd9010222baa

SHA1
dad24cd016bcab5f6e2fa036882bb72215018646

SHA256
761d5adf3620ed55280c3addf23d89bdb8a0b27d93d29ccbb3ff5a86cfe982e5

SHA512
35dc78b7b05d8a8010ca0d75510653716761dd4c70ebd09fffa126dab58843ed8e1e3b2cffc228237d0ad4e71f7b4559268dc5993d13ac6f96e7b219a0a1a249

Download Submit
memory/268-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/268-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/360-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/976-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/976-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/984-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/984-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-269-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1104-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-69-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1460-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1660-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-94-0x00000000024E0000-0x00000000024ED000-memory.dmp

Filesize
52KB

Download
memory/1784-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1844-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1844-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-59-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1976-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download