edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21

Analysis

max time kernel
15s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
Size

3.3MB
MD5

084128ce2746a74716545e96f5294e0d
SHA1

4cf21ef8ff170f91597962e77a82ef4a16f8abfc
SHA256

edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21
SHA512

4058a2bc9c44fd85224524b8682b1cc0cdaff2de3c1df867e48d6bf2b2f39b270d96094723e060f585365f812f18158c9c302a064093bff6ce4b49ead8d53dc3
SSDEEP

24576:vDyTFtjEDyTFtjTDyTFtjBDyTFtjzDyTFtjcDyTFtjEDyTFtjTDyTFtjBDyTFtj:otxtItqtAt5txtItqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 29 IoCs

pid	Process
1240	tmp7084301.exe
1132	tmp7084364.exe
1168	notpad.exe
1308	tmp7118528.exe
1800	tmp7105845.exe
1348	notpad.exe
948	notpad.exe
932	notpad.exe
596	tmp7120650.exe
1696	tmp7165437.exe
976	tmp7108684.exe
2008	tmp7195109.exe
1012	notpad.exe
1676	tmp7223329.exe
1804	tmp7163737.exe
2020	tmp7194922.exe
452	tmp7214250.exe
1580	tmp7160383.exe
1648	tmp7211645.exe
1528	tmp7222191.exe
1284	notpad.exe
1800	tmp7219710.exe
1476	tmp7196996.exe
1372	tmp7214313.exe
1600	tmp7095767.exe
1000	tmp7162567.exe
1756	notpad.exe
624	tmp7118575.exe
956	tmp7217932.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1204-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-72.dat	upx
behavioral1/files/0x00090000000122df-73.dat	upx
behavioral1/files/0x00090000000122df-70.dat	upx
behavioral1/files/0x00090000000122df-69.dat	upx
behavioral1/memory/1168-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1168-86-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-89.dat	upx
behavioral1/files/0x00090000000122df-92.dat	upx
behavioral1/memory/1348-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-109.dat	upx
behavioral1/files/0x00090000000122df-124.dat	upx
behavioral1/memory/596-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-127.dat	upx
behavioral1/files/0x00090000000122df-125.dat	upx
behavioral1/files/0x00090000000122dc-116.dat	upx
behavioral1/memory/596-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-107.dat	upx
behavioral1/files/0x00090000000122df-106.dat	upx
behavioral1/files/0x00090000000122dc-100.dat	upx
behavioral1/files/0x00090000000122df-90.dat	upx
behavioral1/memory/2008-128-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122dc-80.dat	upx
behavioral1/files/0x00090000000122dc-134.dat	upx
behavioral1/memory/2008-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1804-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1284-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1756-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1272-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1000-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1328-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1100-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1100-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1508-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/616-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1372-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1580-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122dc-156.dat	upx
behavioral1/memory/1804-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-144.dat	upx
behavioral1/memory/1692-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1348-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122df-142.dat	upx
behavioral1/files/0x00090000000122df-139.dat	upx
behavioral1/memory/1348-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/976-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1496-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1588-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1716-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/956-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/596-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1780-306-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1780-308-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1712-314-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 52 IoCs

pid	Process
1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
2032	WerFault.exe
2032	WerFault.exe
1240	tmp7121492.exe
1240	tmp7121492.exe
1168	notpad.exe
1168	notpad.exe
1168	notpad.exe
2032	WerFault.exe
1308	tmp7118528.exe
1308	tmp7118528.exe
1348	notpad.exe
1348	notpad.exe
1348	notpad.exe
948	tmp7164002.exe
948	tmp7164002.exe
596	tmp7120650.exe
596	tmp7120650.exe
596	tmp7120650.exe
1696	tmp7193018.exe
1696	tmp7193018.exe
2008	tmp7195109.exe
2008	tmp7195109.exe
2008	tmp7195109.exe
1012	notpad.exe
1012	notpad.exe
1804	tmp7163737.exe
1804	tmp7163737.exe
1804	tmp7163737.exe
2020	tmp7194922.exe
2020	tmp7194922.exe
1580	tmp7160383.exe
1580	tmp7160383.exe
1580	tmp7160383.exe
1648	tmp7211645.exe
1648	tmp7211645.exe
1284	notpad.exe
1284	notpad.exe
1284	notpad.exe
1800	tmp7219710.exe
1800	tmp7219710.exe
1372	tmp7214313.exe
1372	tmp7214313.exe
1372	tmp7214313.exe
1600	tmp7095767.exe
1600	tmp7095767.exe
1756	notpad.exe
1756	notpad.exe
1756	notpad.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7194922.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7194922.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7211645.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7219710.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7095767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118575.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7165437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7219710.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7095767.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7165437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7211645.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7165437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7211645.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7084301.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7084301.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7084301.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7095767.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118528.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118528.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118575.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118528.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7194922.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7219710.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7084301.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118575.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2032	1132	WerFault.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7084301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7211645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7194922.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1240	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	25
PID 1204 wrote to memory of 1240	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	25
PID 1204 wrote to memory of 1240	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	25
PID 1204 wrote to memory of 1240	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	25
PID 1204 wrote to memory of 1132	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	24
PID 1204 wrote to memory of 1132	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	24
PID 1204 wrote to memory of 1132	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	24
PID 1204 wrote to memory of 1132	1204	edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe	24
PID 1132 wrote to memory of 2032	1132	tmp7084364.exe	22
PID 1132 wrote to memory of 2032	1132	tmp7084364.exe	22
PID 1132 wrote to memory of 2032	1132	tmp7084364.exe	22
PID 1132 wrote to memory of 2032	1132	tmp7084364.exe	22
PID 1240 wrote to memory of 1168	1240	tmp7121492.exe	23
PID 1240 wrote to memory of 1168	1240	tmp7121492.exe	23
PID 1240 wrote to memory of 1168	1240	tmp7121492.exe	23
PID 1240 wrote to memory of 1168	1240	tmp7121492.exe	23
PID 1168 wrote to memory of 1308	1168	notpad.exe	252
PID 1168 wrote to memory of 1308	1168	notpad.exe	252
PID 1168 wrote to memory of 1308	1168	notpad.exe	252
PID 1168 wrote to memory of 1308	1168	notpad.exe	252
PID 1168 wrote to memory of 1800	1168	notpad.exe	114
PID 1168 wrote to memory of 1800	1168	notpad.exe	114
PID 1168 wrote to memory of 1800	1168	notpad.exe	114
PID 1168 wrote to memory of 1800	1168	notpad.exe	114
PID 1308 wrote to memory of 1348	1308	tmp7118528.exe	299
PID 1308 wrote to memory of 1348	1308	tmp7118528.exe	299
PID 1308 wrote to memory of 1348	1308	tmp7118528.exe	299
PID 1308 wrote to memory of 1348	1308	tmp7118528.exe	299
PID 1348 wrote to memory of 948	1348	notpad.exe	218
PID 1348 wrote to memory of 948	1348	notpad.exe	218
PID 1348 wrote to memory of 948	1348	notpad.exe	218
PID 1348 wrote to memory of 948	1348	notpad.exe	218
PID 1348 wrote to memory of 932	1348	notpad.exe	294
PID 1348 wrote to memory of 932	1348	notpad.exe	294
PID 1348 wrote to memory of 932	1348	notpad.exe	294
PID 1348 wrote to memory of 932	1348	notpad.exe	294
PID 948 wrote to memory of 596	948	tmp7164002.exe	238
PID 948 wrote to memory of 596	948	tmp7164002.exe	238
PID 948 wrote to memory of 596	948	tmp7164002.exe	238
PID 948 wrote to memory of 596	948	tmp7164002.exe	238
PID 596 wrote to memory of 1696	596	tmp7120650.exe	427
PID 596 wrote to memory of 1696	596	tmp7120650.exe	427
PID 596 wrote to memory of 1696	596	tmp7120650.exe	427
PID 596 wrote to memory of 1696	596	tmp7120650.exe	427
PID 596 wrote to memory of 976	596	tmp7120650.exe	152
PID 596 wrote to memory of 976	596	tmp7120650.exe	152
PID 596 wrote to memory of 976	596	tmp7120650.exe	152
PID 596 wrote to memory of 976	596	tmp7120650.exe	152
PID 1696 wrote to memory of 2008	1696	tmp7193018.exe	480
PID 1696 wrote to memory of 2008	1696	tmp7193018.exe	480
PID 1696 wrote to memory of 2008	1696	tmp7193018.exe	480
PID 1696 wrote to memory of 2008	1696	tmp7193018.exe	480
PID 2008 wrote to memory of 1012	2008	tmp7195109.exe	448
PID 2008 wrote to memory of 1012	2008	tmp7195109.exe	448
PID 2008 wrote to memory of 1012	2008	tmp7195109.exe	448
PID 2008 wrote to memory of 1012	2008	tmp7195109.exe	448
PID 2008 wrote to memory of 1676	2008	tmp7195109.exe	445
PID 2008 wrote to memory of 1676	2008	tmp7195109.exe	445
PID 2008 wrote to memory of 1676	2008	tmp7195109.exe	445
PID 2008 wrote to memory of 1676	2008	tmp7195109.exe	445
PID 1012 wrote to memory of 1804	1012	notpad.exe	341
PID 1012 wrote to memory of 1804	1012	notpad.exe	341
PID 1012 wrote to memory of 1804	1012	notpad.exe	341
PID 1012 wrote to memory of 1804	1012	notpad.exe	341

C:\Users\Admin\AppData\Local\Temp\edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe
"C:\Users\Admin\AppData\Local\Temp\edf0c64fe81e91491018fdcf7b7b2ddb4b3416c5ca211d04056a7b7735fe1a21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\tmp7084364.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7084364.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\tmp7084301.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7084301.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\tmp7120041.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7120041.exe
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\tmp7163503.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7163503.exe
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\tmp7163940.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7163940.exe
      4⤵
      PID:992
  - - C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\tmp7163160.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7163160.exe
    3⤵
    PID:1916
- C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tmp7120540.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120540.exe
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121586.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121586.exe
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
      4⤵
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\tmp7160336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160336.exe
        5⤵
        
        PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\tmp7160664.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160664.exe
        5⤵
        
        PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 36
1⤵
- Loads dropped DLL
- Program crash
PID:2032

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\tmp7088825.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7088825.exe
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1372
- C:\Users\Admin\AppData\Local\Temp\tmp7084691.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7084691.exe
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1548

C:\Users\Admin\AppData\Local\Temp\tmp7089044.exe
C:\Users\Admin\AppData\Local\Temp\tmp7089044.exe
1⤵
PID:948
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:596

C:\Users\Admin\AppData\Local\Temp\tmp7089683.exe
C:\Users\Admin\AppData\Local\Temp\tmp7089683.exe
1⤵
PID:976

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe
  2⤵
  PID:1676

C:\Users\Admin\AppData\Local\Temp\tmp7089496.exe
C:\Users\Admin\AppData\Local\Temp\tmp7089496.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\tmp7089169.exe
C:\Users\Admin\AppData\Local\Temp\tmp7089169.exe
1⤵
PID:932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1348

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\tmp7095206.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095206.exe
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1284
- C:\Users\Admin\AppData\Local\Temp\tmp7095315.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095315.exe
  2⤵
  PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp7095549.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095549.exe
1⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\tmp7095767.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095767.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1600
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7096033.exe
C:\Users\Admin\AppData\Local\Temp\tmp7096033.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
  2⤵
  PID:284
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\tmp7106235.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7106235.exe
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:304
      - C:\Users\Admin\AppData\Local\Temp\tmp7106453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106453.exe
        6⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\tmp7106578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106578.exe
        6⤵
        
        PID:820
  - - C:\Users\Admin\AppData\Local\Temp\tmp7106297.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7106297.exe
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\tmp7109043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109043.exe
        6⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104223.exe
        7⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104145.exe
        7⤵
        
        PID:820
      - C:\Users\Admin\AppData\Local\Temp\tmp7109152.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109152.exe
        6⤵
        
        PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121274.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121274.exe
      4⤵
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121492.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121492.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\tmp7121976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121976.exe
        5⤵
        
        PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        5⤵
        
        PID:820
    - - C:\Users\Admin\AppData\Local\Temp\tmp7161600.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161600.exe
        5⤵
        
        PID:468
    - - C:\Users\Admin\AppData\Local\Temp\tmp7161257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161257.exe
        5⤵
        
        PID:1860
- C:\Users\Admin\AppData\Local\Temp\tmp7106110.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7106110.exe
  2⤵
  PID:1352

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:616
- C:\Users\Admin\AppData\Local\Temp\tmp7096360.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096360.exe
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp7096267.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096267.exe
  2⤵
  PID:1344

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096516.exe
  2⤵
  PID:556
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
      4⤵
      PID:724
  - - C:\Users\Admin\AppData\Local\Temp\tmp7096859.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7096859.exe
      4⤵
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\tmp7094987.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094987.exe
        5⤵
        
        PID:452
    - - C:\Users\Admin\AppData\Local\Temp\tmp7094847.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094847.exe
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1016
    - - C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107233.exe
        5⤵
        
        PID:452
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\tmp7107327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107327.exe
        5⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\tmp7162567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162567.exe
        5⤵
        Executes dropped EXE
        
        PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\tmp7162224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162224.exe
        5⤵
        
        PID:932
      - C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        6⤵
        
        PID:1584
- C:\Users\Admin\AppData\Local\Temp\tmp7096641.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096641.exe
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\tmp7106765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7106765.exe
  2⤵
  PID:900
- C:\Users\Admin\AppData\Local\Temp\tmp7106703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7106703.exe
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\tmp7109511.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7109511.exe
    3⤵
    PID:276
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\tmp7117030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117030.exe
        5⤵
        
        PID:1716
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117592.exe
        7⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117701.exe
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117857.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117857.exe
        8⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164330.exe
        8⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164236.exe
        8⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162473.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162473.exe
        9⤵
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\tmp7117124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117124.exe
        5⤵
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\tmp7117171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117171.exe
        6⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\tmp7117389.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117389.exe
        6⤵
        
        PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tmp7116796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7116796.exe
    3⤵
    PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\tmp7097047.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097047.exe
1⤵
PID:1124
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097405.exe
    3⤵
    PID:1916
- C:\Users\Admin\AppData\Local\Temp\tmp7100151.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100151.exe
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\tmp7100354.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7100354.exe
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\tmp7103333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103333.exe
        6⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104004.exe
        8⤵
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\tmp7103770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103770.exe
        6⤵
        
        PID:284
      - C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118668.exe
        6⤵
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\tmp7118481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118481.exe
        6⤵
        
        PID:920
  - - C:\Users\Admin\AppData\Local\Temp\tmp7100479.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7100479.exe
      4⤵
      PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7118060.exe
      4⤵
      PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\tmp7118154.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7118154.exe
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\tmp7095455.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7095455.exe
    3⤵
    PID:1800
- C:\Users\Admin\AppData\Local\Temp\tmp7100213.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100213.exe
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\tmp7097327.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7097327.exe
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\tmp7105533.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7105533.exe
      4⤵
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\tmp7138948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138948.exe
        5⤵
        
        PID:920
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:884
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139323.exe
        5⤵
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\tmp7160804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160804.exe
        6⤵
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\tmp7160383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160383.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1580

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\tmp7097795.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097795.exe
  2⤵
  PID:596
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\tmp7098170.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7098170.exe
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\tmp7098950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098950.exe
        6⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106999.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106999.exe
        8⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090463.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090463.exe
        9⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106906.exe
        8⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\tmp7098872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098872.exe
        6⤵
        
        PID:900
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        6⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104971.exe
        8⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        8⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161506.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161506.exe
        9⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161257.exe
        9⤵
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\tmp7104675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104675.exe
        6⤵
        
        PID:556
  - - C:\Users\Admin\AppData\Local\Temp\tmp7098326.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7098326.exe
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\tmp7104457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104457.exe
        5⤵
        
        PID:1012
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\tmp7104379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104379.exe
        5⤵
        
        PID:2024
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161319.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161319.exe
        7⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162286.exe
        8⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160851.exe
        7⤵
        
        PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\tmp7109293.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7109293.exe
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\tmp7109355.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7109355.exe
      4⤵
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\tmp7121960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121960.exe
        5⤵
        
        PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\tmp7121570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121570.exe
        5⤵
        
        PID:1328
- C:\Users\Admin\AppData\Local\Temp\tmp7097951.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7097951.exe
  2⤵
  PID:976

C:\Users\Admin\AppData\Local\Temp\tmp7099121.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099121.exe
1⤵
PID:240
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\tmp7100011.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7100011.exe
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tmp7099792.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7099792.exe
    3⤵
    PID:580
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1536

C:\Users\Admin\AppData\Local\Temp\tmp7099449.exe
C:\Users\Admin\AppData\Local\Temp\tmp7099449.exe
1⤵
PID:1260

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1328
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\tmp7119480.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7119480.exe
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tmp7137513.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7137513.exe
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139151.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139151.exe
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139650.exe
        5⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\tmp7160711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160711.exe
        6⤵
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        6⤵
        
        PID:820
- - C:\Users\Admin\AppData\Local\Temp\tmp7138590.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7138590.exe
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\tmp7211037.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7211037.exe
      4⤵
      PID:832
- - C:\Users\Admin\AppData\Local\Temp\tmp7164595.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7164595.exe
    3⤵
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\tmp7162598.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7162598.exe
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\tmp7164923.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7164923.exe
    3⤵
    PID:1592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097608.exe
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\tmp7095845.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7095845.exe
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\tmp7162770.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7162770.exe
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tmp7162723.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7162723.exe
    3⤵
    PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7097561.exe
C:\Users\Admin\AppData\Local\Temp\tmp7097561.exe
1⤵
PID:1160

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1508

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
1⤵
PID:624

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1716
- C:\Users\Admin\AppData\Local\Temp\tmp7105127.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7105127.exe
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\tmp7105081.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7105081.exe
  2⤵
  PID:1752

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\tmp7105283.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7105283.exe
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120447.exe
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\tmp7120088.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120088.exe
    3⤵
    PID:680
  - - C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
      4⤵
      PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\tmp7161397.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7161397.exe
      4⤵
      PID:856

C:\Users\Admin\AppData\Local\Temp\tmp7105642.exe
C:\Users\Admin\AppData\Local\Temp\tmp7105642.exe
1⤵
PID:392
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7105845.exe
    3⤵
    - Executes dropped EXE
    PID:1800
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:956
    - - C:\Users\Admin\AppData\Local\Temp\tmp7118512.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118512.exe
        5⤵
        
        PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118575.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        6⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\tmp7118965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118965.exe
        6⤵
        
        PID:304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121757.exe
        8⤵
        
        PID:1916
- - C:\Users\Admin\AppData\Local\Temp\tmp7105923.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7105923.exe
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\tmp7139089.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7139089.exe
    3⤵
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\tmp7160133.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7160133.exe
      4⤵
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\tmp7160492.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7160492.exe
      4⤵
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\tmp7165469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165469.exe
        5⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\tmp7176014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176014.exe
        6⤵
        
        PID:520
      - C:\Users\Admin\AppData\Local\Temp\tmp7177684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177684.exe
        6⤵
        
        PID:552
- - C:\Users\Admin\AppData\Local\Temp\tmp7139994.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7139994.exe
    3⤵
    PID:1872

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\tmp7105705.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7105705.exe
  2⤵
  PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp7107452.exe
C:\Users\Admin\AppData\Local\Temp\tmp7107452.exe
1⤵
PID:1648
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\tmp7107639.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7107639.exe
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\tmp7107951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107951.exe
        5⤵
        
        PID:824
    - - C:\Users\Admin\AppData\Local\Temp\tmp7107889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107889.exe
        5⤵
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\tmp7105471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105471.exe
        5⤵
        
        PID:1516
- - C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp7108076.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108076.exe
1⤵
PID:1952
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139775.exe
        5⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\tmp7158183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158183.exe
        6⤵
        
        PID:2044
      - C:\Users\Admin\AppData\Local\Temp\tmp7162208.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162208.exe
        6⤵
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        6⤵
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139307.exe
        5⤵
        
        PID:960
- - C:\Users\Admin\AppData\Local\Temp\tmp7108497.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7108497.exe
    3⤵
    PID:724

C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108123.exe
1⤵
PID:1524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:680
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1400

C:\Users\Admin\AppData\Local\Temp\tmp7108637.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108637.exe
1⤵
PID:960
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\tmp7108887.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7108887.exe
    3⤵
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121414.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121414.exe
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121211.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121211.exe
      4⤵
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\tmp7164517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164517.exe
        5⤵
        
        PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        5⤵
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\tmp7165157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165157.exe
        6⤵
        
        PID:428
- - C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7108825.exe
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\tmp7164969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164969.exe
        5⤵
        
        PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\tmp7165437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165437.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\tmp7177059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177059.exe
        6⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179462.exe
        8⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180632.exe
        8⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181490.exe
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182676.exe
        11⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183128.exe
        11⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189976.exe
        12⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192597.exe
        12⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181927.exe
        9⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182894.exe
        10⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182114.exe
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188619.exe
        12⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189508.exe
        12⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193408.exe
        13⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193018.exe
        13⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\tmp7178698.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178698.exe
        6⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179649.exe
        7⤵
        
        PID:1948

C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe
C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe
1⤵
- Executes dropped EXE
PID:976
- C:\Users\Admin\AppData\Local\Temp\tmp7103957.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7103957.exe
  2⤵
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tmp7118809.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118809.exe
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tmp7118902.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118902.exe
    3⤵
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\tmp7119199.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7119199.exe
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
      4⤵
      PID:240
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122069.exe
        5⤵
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\tmp7139245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139245.exe
        6⤵
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141554.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141554.exe
        8⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143238.exe
        9⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138761.exe
        10⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122568.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122568.exe
        10⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143753.exe
        9⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140696.exe
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        6⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141460.exe
        7⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140524.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140524.exe
        7⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\tmp7163519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163519.exe
        6⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163659.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163659.exe
        7⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163737.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164033.exe
        8⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164221.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164221.exe
        8⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        9⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162364.exe
        9⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144128.exe
        8⤵
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\tmp7163487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163487.exe
        6⤵
        
        PID:1100

C:\Users\Admin\AppData\Local\Temp\tmp7107514.exe
C:\Users\Admin\AppData\Local\Temp\tmp7107514.exe
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp7117530.exe
C:\Users\Admin\AppData\Local\Temp\tmp7117530.exe
1⤵
PID:2012
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\tmp7117764.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7117764.exe
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\tmp7117826.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7117826.exe
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\tmp7118216.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7118216.exe
      4⤵
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\tmp7143550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143550.exe
        5⤵
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\tmp7118091.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7118091.exe
      4⤵
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\tmp7120728.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120728.exe
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\tmp7120478.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120478.exe
    3⤵
    PID:1404

C:\Users\Admin\AppData\Local\Temp\tmp7118044.exe
C:\Users\Admin\AppData\Local\Temp\tmp7118044.exe
1⤵
PID:888
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\tmp7118388.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118388.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\tmp7118528.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118528.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tmp7163144.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7163144.exe
    3⤵
    PID:276
- - C:\Users\Admin\AppData\Local\Temp\tmp7162739.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7162739.exe
    3⤵
    PID:240

C:\Users\Admin\AppData\Local\Temp\tmp7118793.exe
C:\Users\Admin\AppData\Local\Temp\tmp7118793.exe
1⤵
PID:1812
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\tmp7119246.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7119246.exe
    3⤵
    PID:944

C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119573.exe
1⤵
PID:1380
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\tmp7119916.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7119916.exe
    3⤵
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\tmp7120275.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7120275.exe
    3⤵
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\tmp7160820.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7160820.exe
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\tmp7161381.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7161381.exe
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7161896.exe
    3⤵
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\tmp7161459.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7161459.exe
    3⤵
    PID:392

C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
1⤵
PID:276
- C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\tmp7119636.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7119636.exe
  2⤵
  PID:1572

C:\Users\Admin\AppData\Local\Temp\tmp7119651.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119651.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\tmp7119823.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7119823.exe
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\tmp7120650.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7120650.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\tmp7120462.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7120462.exe
      4⤵
      PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\tmp7139931.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7139931.exe
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\tmp7140742.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7140742.exe
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1972
- C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp7120556.exe
C:\Users\Admin\AppData\Local\Temp\tmp7120556.exe
1⤵
PID:1584
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\tmp7121367.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7121367.exe
    3⤵
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\tmp7122022.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7122022.exe
      4⤵
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\tmp7122288.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7122288.exe
      4⤵
      PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\tmp7138777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138777.exe
        5⤵
        
        PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139432.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139432.exe
        5⤵
        
        PID:1952
- - C:\Users\Admin\AppData\Local\Temp\tmp7121289.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7121289.exe
    3⤵
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp7140009.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7140009.exe
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\tmp7141928.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7141928.exe
      4⤵
      PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\tmp7138668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138668.exe
        5⤵
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        6⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        7⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179228.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179228.exe
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181630.exe
        10⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182379.exe
        10⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182988.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182988.exe
        11⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189586.exe
        11⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192285.exe
        12⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193174.exe
        12⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161350.exe
        7⤵
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\tmp7160180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160180.exe
        6⤵
        
        PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\tmp7122116.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122116.exe
        5⤵
        
        PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\tmp7142770.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7142770.exe
      4⤵
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\tmp7143644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143644.exe
        5⤵
        
        PID:1648
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160040.exe
        7⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157247.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157247.exe
        7⤵
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\tmp7163565.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7163565.exe
      4⤵
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\tmp7163706.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7163706.exe
      4⤵
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        5⤵
        
        PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\tmp7164002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164002.exe
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
- C:\Users\Admin\AppData\Local\Temp\tmp7140711.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7140711.exe
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\tmp7141398.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7141398.exe
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\tmp7162692.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7162692.exe
      4⤵
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\tmp7162785.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7162785.exe
      4⤵
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tmp7142162.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7142162.exe
    3⤵
    PID:1732

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1472

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\tmp7119214.exe
C:\Users\Admin\AppData\Local\Temp\tmp7119214.exe
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\tmp7161366.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7161366.exe
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmp7161163.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7161163.exe
  2⤵
  PID:1264

C:\Users\Admin\AppData\Local\Temp\tmp7118871.exe
C:\Users\Admin\AppData\Local\Temp\tmp7118871.exe
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\tmp7118107.exe
C:\Users\Admin\AppData\Local\Temp\tmp7118107.exe
1⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\tmp7140352.exe
C:\Users\Admin\AppData\Local\Temp\tmp7140352.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp7141117.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7141117.exe
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\tmp7142677.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7142677.exe
      4⤵
      PID:468
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\tmp7143956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143956.exe
        6⤵
        
        PID:432
  - - C:\Users\Admin\AppData\Local\Temp\tmp7143223.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7143223.exe
      4⤵
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\tmp7160430.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160430.exe
        5⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\tmp7161335.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161335.exe
        6⤵
        
        PID:1144
- C:\Users\Admin\AppData\Local\Temp\tmp7141975.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7141975.exe
  2⤵
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\tmp7143082.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7143082.exe
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:932
    - - C:\Users\Admin\AppData\Local\Temp\tmp7144065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144065.exe
        5⤵
        
        PID:1812
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:304
- - C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7143628.exe
    3⤵
    PID:1936

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:900
- C:\Users\Admin\AppData\Local\Temp\tmp7143098.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7143098.exe
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\tmp7143831.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7143831.exe
  2⤵
  PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp7139744.exe
C:\Users\Admin\AppData\Local\Temp\tmp7139744.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp7162676.exe
C:\Users\Admin\AppData\Local\Temp\tmp7162676.exe
1⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp7162754.exe
C:\Users\Admin\AppData\Local\Temp\tmp7162754.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\tmp7163269.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7163269.exe
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp7163082.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7163082.exe
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
    3⤵
    PID:2016

C:\Users\Admin\AppData\Local\Temp\tmp7162832.exe
C:\Users\Admin\AppData\Local\Temp\tmp7162832.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\tmp7163191.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7163191.exe
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\tmp7163238.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7163238.exe
  2⤵
  PID:1044

C:\Users\Admin\AppData\Local\Temp\tmp7163971.exe
C:\Users\Admin\AppData\Local\Temp\tmp7163971.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\tmp7164377.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164377.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\tmp7164673.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7164673.exe
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\tmp7164423.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7164423.exe
  2⤵
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\tmp7144206.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7144206.exe
    3⤵
    PID:2024
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7164533.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164533.exe
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp7164501.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164501.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\tmp7164205.exe
C:\Users\Admin\AppData\Local\Temp\tmp7164205.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\tmp7162302.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7162302.exe
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\tmp7175796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7175796.exe
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\tmp7178557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178557.exe
        6⤵
        
        PID:824
      - C:\Users\Admin\AppData\Local\Temp\tmp7179150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179150.exe
        6⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180819.exe
        7⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182332.exe
        7⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182800.exe
        8⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190132.exe
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193440.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193440.exe
        12⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194266.exe
        12⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194656.exe
        13⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195109.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195842.exe
        14⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196840.exe
        16⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207339.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207339.exe
        18⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207760.exe
        18⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209633.exe
        19⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210147.exe
        19⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211645.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196996.exe
        16⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205498.exe
        17⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209243.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209243.exe
        17⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210163.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210163.exe
        18⤵
        
        PID:680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212051.exe
        20⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213673.exe
        20⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214250.exe
        21⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214656.exe
        21⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217526.exe
        22⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218649.exe
        22⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211021.exe
        18⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196014.exe
        14⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211536.exe
        12⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192457.exe
        10⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194188.exe
        11⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194890.exe
        12⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        12⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193674.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193674.exe
        11⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        8⤵
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7176108.exe
      4⤵
      PID:724
    - - C:\Users\Admin\AppData\Local\Temp\tmp7177980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177980.exe
        5⤵
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\tmp7178854.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178854.exe
        5⤵
        
        PID:276
      - C:\Users\Admin\AppData\Local\Temp\tmp7179290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179290.exe
        6⤵
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\tmp7179634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179634.exe
        6⤵
        
        PID:1160
- C:\Users\Admin\AppData\Local\Temp\tmp7162099.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7162099.exe
  2⤵
  PID:884

C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
1⤵
PID:1272
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:680

C:\Users\Admin\AppData\Local\Temp\tmp7192972.exe
C:\Users\Admin\AppData\Local\Temp\tmp7192972.exe
1⤵
PID:1256
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\tmp7194547.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7194547.exe
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\tmp7195998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195998.exe
        5⤵
        
        PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\tmp7196263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196263.exe
        5⤵
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\tmp7196497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196497.exe
        6⤵
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\tmp7196981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196981.exe
        6⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197636.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197636.exe
        7⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209445.exe
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211317.exe
        11⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212363.exe
        12⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217043.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217043.exe
        14⤵
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219710.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220100.exe
        16⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221286.exe
        17⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222191.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222191.exe
        17⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223485.exe
        18⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224297.exe
        18⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217932.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217932.exe
        14⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219086.exe
        15⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220131.exe
        15⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220537.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220537.exe
        16⤵
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223329.exe
        18⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221395.exe
        16⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214359.exe
        12⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214968.exe
        13⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218447.exe
        13⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210007.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210007.exe
        9⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211146.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211146.exe
        10⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214500.exe
        12⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214859.exe
        12⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218977.exe
        13⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220599.exe
        15⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221052.exe
        15⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222284.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222284.exe
        16⤵
        
        PID:920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223922.exe
        16⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224047.exe
        17⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219897.exe
        13⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220272.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220272.exe
        14⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221645.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221645.exe
        16⤵
        
        PID:392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222440.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222440.exe
        16⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220677.exe
        14⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212097.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212097.exe
        10⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214203.exe
        11⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214313.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207526.exe
        7⤵
        
        PID:1872
- - C:\Users\Admin\AppData\Local\Temp\tmp7194922.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7194922.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tmp7196045.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7196045.exe
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\tmp7196747.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7196747.exe
      4⤵
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\tmp7197589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197589.exe
        5⤵
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\tmp7197901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197901.exe
        5⤵
        
        PID:1100

C:\Users\Admin\AppData\Local\Temp\tmp7193221.exe
C:\Users\Admin\AppData\Local\Temp\tmp7193221.exe
1⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\tmp7194173.exe
C:\Users\Admin\AppData\Local\Temp\tmp7194173.exe
1⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp7193627.exe
C:\Users\Admin\AppData\Local\Temp\tmp7193627.exe
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7084301.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084301.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084691.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7084691.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7088825.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089044.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089044.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089169.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089496.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089496.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7089683.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090463.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090463.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094847.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b1f00fff117ed48df5631fcda16238d2

SHA1
dbc9a9902b88125873d30a045d07910b78ab382b

SHA256
e556e255aff8e87165cca3ac4c826bebf8780445742920da30339f8b0c96223d

SHA512
8c2239e7de5fe5320bc8364db3ae22338db05751b8a0db1e5a41012da3935ab206edefeff85a6add4eaacbf34350f422f0aed92129e0099725c73a5f234290ac

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084301.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084301.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084364.exe

Filesize
136KB

MD5
8ac488ba4e9d7b80f2bff465d203af62

SHA1
98c85d2947163128867bea29135b06b78d21b9b4

SHA256
fbae3e91a7e05237aba3dcf37e24cbfb91878de99b53fa88cc3a08ee48b0285d

SHA512
229cc86125daef72ca78c7b9f114b78cd2a5b2a645bdcf756883a0bddf01dc050006a344b4919817af037aecd6f6173ad97ecc27abb26af3ed3e925354b65243

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084691.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7084691.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7088825.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089044.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089044.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089169.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089496.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089496.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7089683.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090463.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090463.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094847.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094847.exe

Filesize
3.2MB

MD5
0008082a323b56421ca53e7197b0d2ab

SHA1
7f1b357f71d769e055e99f5d0b283a3509c83002

SHA256
dee8748e6f464ef26ba1a005267515ed4c62651fb5d38e26f1ca2d3c67b420f3

SHA512
2d6e0a73106904ab1e91ee7a975057ee692ad8d7c3facaca6e77fbedd30ee31b45b2d549fe08b4c0ce36903b085b16ef4b54f2507bd5af5441e019aed9ce5425

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.3MB

MD5
fac881b6ac864178f728af16603f4b13

SHA1
81e07d27d24a902382de18044d429d39ece15545

SHA256
f8dc7f4f8641a33e00c268955b61f0d655d24d7d64770b376bfd408603394b14

SHA512
dc8b103d30ba99687046e1284f283523974537628de5d7454700c161ab65f171805fa8979c88625fb0329aafadf261bb1ee88f7a13ed01c00880b04a5195bfd2

Download Submit
memory/304-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-238-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/948-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/976-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1016-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1044-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-66-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1168-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1264-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1588-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1712-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-328-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download