beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

Analysis

max time kernel
155s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
Size

2.4MB
MD5

eea134df8c6fad7ef194105335555cf0
SHA1

6292cf1e7d49fd64281fc1dff4f1c663495ac1c4
SHA256

beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e
SHA512

5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226
SSDEEP

24576:HDyTFtjBDyTFtjBDyTFtjBDyTFtjTDyTFtjBDyTFtjRDyTFtjBDyTFtj7DyTFtjG:AtqtitqtYtqtitqt4tqtdtqtltqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1144	notpad.exe
1936	tmp7110041.exe
972	notpad.exe
1172	tmp7121960.exe
1816	tmp7111399.exe
580	tmp7112038.exe
1672	notpad.exe
1180	tmp7112506.exe
1008	tmp7113193.exe
1168	tmp7125579.exe
1512	tmp7113692.exe
1624	notpad.exe
1648	tmp7115907.exe
1160	tmp7135532.exe
1692	notpad.exe
860	tmp7127170.exe
1860	tmp7117498.exe
1588	tmp7146499.exe
1352	notpad.exe
1460	tmp7144658.exe
1808	tmp7147092.exe
1740	notpad.exe
112	tmp7144861.exe
1188	notpad.exe
1172	notpad.exe
956	tmp7122054.exe
1720	notpad.exe
1772	tmp7122412.exe
1700	tmp7122522.exe
432	tmp7147529.exe
452	tmp7145828.exe
468	tmp7123770.exe
740	notpad.exe
1204	notpad.exe
1092	tmp7134892.exe
1616	tmp7125158.exe
1680	tmp7135298.exe
1168	notpad.exe
1604	tmp7135563.exe
1632	tmp7146343.exe
1000	tmp7146124.exe
1488	tmp7145953.exe
860	tmp7127170.exe
364	notpad.exe
1120	notpad.exe
1536	tmp7144362.exe
760	tmp7137108.exe
1112	tmp7146671.exe
1620	tmp7130384.exe
1740	notpad.exe
652	tmp7145079.exe
1696	notpad.exe
1172	notpad.exe
1668	tmp7139104.exe
964	notpad.exe
1816	notpad.exe
932	tmp7132942.exe
380	tmp7138449.exe
1724	tmp7145329.exe
1976	tmp7139557.exe
1924	notpad.exe
1580	tmp7139650.exe
576	tmp7146046.exe
1204	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000139dc-55.dat	upx
behavioral1/memory/1096-56-0x0000000000540000-0x000000000055F000-memory.dmp	upx
behavioral1/files/0x00090000000139dc-57.dat	upx
behavioral1/files/0x00090000000139dc-59.dat	upx
behavioral1/files/0x00090000000139dc-60.dat	upx
behavioral1/files/0x0007000000005c50-66.dat	upx
behavioral1/files/0x00090000000139dc-69.dat	upx
behavioral1/files/0x00090000000139dc-70.dat	upx
behavioral1/files/0x00090000000139dc-72.dat	upx
behavioral1/memory/1144-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/972-78-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/972-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000139dc-95.dat	upx
behavioral1/files/0x00090000000139dc-93.dat	upx
behavioral1/files/0x00090000000139dc-92.dat	upx
behavioral1/files/0x0007000000005c50-84.dat	upx
behavioral1/memory/1672-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-102.dat	upx
behavioral1/files/0x00090000000139dc-114.dat	upx
behavioral1/files/0x00090000000139dc-111.dat	upx
behavioral1/files/0x00090000000139dc-110.dat	upx
behavioral1/memory/1672-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1168-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000139dc-127.dat	upx
behavioral1/files/0x00090000000139dc-125.dat	upx
behavioral1/files/0x00090000000139dc-124.dat	upx
behavioral1/memory/1168-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-121.dat	upx
behavioral1/memory/1624-133-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-139.dat	upx
behavioral1/files/0x00090000000139dc-143.dat	upx
behavioral1/memory/1624-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000139dc-147.dat	upx
behavioral1/files/0x00090000000139dc-144.dat	upx
behavioral1/memory/1692-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1188-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1188-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/452-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/452-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/740-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1680-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1680-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1604-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1488-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1488-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/760-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1120-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1120-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1740-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/760-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1740-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/964-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1924-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1924-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1284-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1168-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
1144	notpad.exe
1144	notpad.exe
1936	tmp7110041.exe
1936	tmp7110041.exe
1144	notpad.exe
972	notpad.exe
972	notpad.exe
972	notpad.exe
1816	tmp7111399.exe
1816	tmp7111399.exe
1672	notpad.exe
1672	notpad.exe
1672	notpad.exe
1180	tmp7112506.exe
1180	tmp7112506.exe
1168	notpad.exe
1168	notpad.exe
1512	tmp7113692.exe
1512	tmp7113692.exe
1168	notpad.exe
1624	notpad.exe
1624	notpad.exe
1624	notpad.exe
1160	tmp7135532.exe
1160	tmp7135532.exe
1692	notpad.exe
1692	notpad.exe
1692	notpad.exe
1860	tmp7117498.exe
1860	tmp7117498.exe
1352	notpad.exe
1352	notpad.exe
1460	tmp7144658.exe
1460	tmp7144658.exe
1352	notpad.exe
1808	tmp7147092.exe
1808	tmp7147092.exe
112	tmp7144861.exe
112	tmp7144861.exe
1808	tmp7147092.exe
1188	notpad.exe
1188	notpad.exe
956	tmp7122054.exe
956	tmp7122054.exe
1188	notpad.exe
1720	notpad.exe
1720	notpad.exe
1720	notpad.exe
1700	tmp7122522.exe
1700	tmp7122522.exe
452	tmp7145828.exe
452	tmp7145828.exe
468	tmp7123770.exe
468	tmp7123770.exe
452	tmp7145828.exe
740	notpad.exe
740	notpad.exe
740	notpad.exe
1092	tmp7134892.exe
1092	tmp7134892.exe
1680	tmp7135298.exe
1680	tmp7135298.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7219086.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7110041.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7139104.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145407.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7211583.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144471.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7154221.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7160258.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7161537.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7134892.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7139557.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7141569.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146998.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7216996.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7144986.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7152505.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7216996.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144658.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7150851.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7231769.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7142692.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7113692.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122522.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7137326.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7144861.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147419.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7245092.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7111399.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7134892.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7150851.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7168807.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7138434.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7159104.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7186061.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7112506.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146124.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7132942.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7138434.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122054.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7122054.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7150867.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176669.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7235248.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7113692.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7174189.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7180601.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7228259.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7235248.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146671.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7154767.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168791.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7234405.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7135532.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7132942.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7214765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176123.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7208915.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7219086.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7110041.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146483.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136172.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7174189.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7111399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122054.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7228259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7246106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138434.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7234405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7141569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7207199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146483.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7235248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7245092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7112506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7199227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7152505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7214765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7231909.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184454.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203938.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7211583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7231769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7113692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7154221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151101.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180601.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1144	1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	26
PID 1096 wrote to memory of 1144	1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	26
PID 1096 wrote to memory of 1144	1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	26
PID 1096 wrote to memory of 1144	1096	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	26
PID 1144 wrote to memory of 1936	1144	notpad.exe	27
PID 1144 wrote to memory of 1936	1144	notpad.exe	27
PID 1144 wrote to memory of 1936	1144	notpad.exe	27
PID 1144 wrote to memory of 1936	1144	notpad.exe	27
PID 1936 wrote to memory of 972	1936	tmp7110041.exe	28
PID 1936 wrote to memory of 972	1936	tmp7110041.exe	28
PID 1936 wrote to memory of 972	1936	tmp7110041.exe	28
PID 1936 wrote to memory of 972	1936	tmp7110041.exe	28
PID 1144 wrote to memory of 1172	1144	notpad.exe	29
PID 1144 wrote to memory of 1172	1144	notpad.exe	49
PID 1144 wrote to memory of 1172	1144	notpad.exe	49
PID 1144 wrote to memory of 1172	1144	notpad.exe	49
PID 972 wrote to memory of 1816	972	notpad.exe	30
PID 972 wrote to memory of 1816	972	notpad.exe	30
PID 972 wrote to memory of 1816	972	notpad.exe	30
PID 972 wrote to memory of 1816	972	notpad.exe	30
PID 972 wrote to memory of 580	972	notpad.exe	32
PID 972 wrote to memory of 580	972	notpad.exe	32
PID 972 wrote to memory of 580	972	notpad.exe	32
PID 972 wrote to memory of 580	972	notpad.exe	32
PID 1816 wrote to memory of 1672	1816	tmp7111399.exe	31
PID 1816 wrote to memory of 1672	1816	tmp7111399.exe	31
PID 1816 wrote to memory of 1672	1816	tmp7111399.exe	31
PID 1816 wrote to memory of 1672	1816	tmp7111399.exe	31
PID 1672 wrote to memory of 1180	1672	notpad.exe	35
PID 1672 wrote to memory of 1180	1672	notpad.exe	35
PID 1672 wrote to memory of 1180	1672	notpad.exe	35
PID 1672 wrote to memory of 1180	1672	notpad.exe	35
PID 1672 wrote to memory of 1008	1672	notpad.exe	34
PID 1672 wrote to memory of 1008	1672	notpad.exe	34
PID 1672 wrote to memory of 1008	1672	notpad.exe	34
PID 1672 wrote to memory of 1008	1672	notpad.exe	34
PID 1180 wrote to memory of 1168	1180	tmp7112506.exe	63
PID 1180 wrote to memory of 1168	1180	tmp7112506.exe	63
PID 1180 wrote to memory of 1168	1180	tmp7112506.exe	63
PID 1180 wrote to memory of 1168	1180	tmp7112506.exe	63
PID 1168 wrote to memory of 1512	1168	notpad.exe	36
PID 1168 wrote to memory of 1512	1168	notpad.exe	36
PID 1168 wrote to memory of 1512	1168	notpad.exe	36
PID 1168 wrote to memory of 1512	1168	notpad.exe	36
PID 1512 wrote to memory of 1624	1512	tmp7113692.exe	38
PID 1512 wrote to memory of 1624	1512	tmp7113692.exe	38
PID 1512 wrote to memory of 1624	1512	tmp7113692.exe	38
PID 1512 wrote to memory of 1624	1512	tmp7113692.exe	38
PID 1168 wrote to memory of 1648	1168	notpad.exe	37
PID 1168 wrote to memory of 1648	1168	notpad.exe	37
PID 1168 wrote to memory of 1648	1168	notpad.exe	37
PID 1168 wrote to memory of 1648	1168	notpad.exe	37
PID 1624 wrote to memory of 1160	1624	notpad.exe	99
PID 1624 wrote to memory of 1160	1624	notpad.exe	99
PID 1624 wrote to memory of 1160	1624	notpad.exe	99
PID 1624 wrote to memory of 1160	1624	notpad.exe	99
PID 1160 wrote to memory of 1692	1160	tmp7135532.exe	41
PID 1160 wrote to memory of 1692	1160	tmp7135532.exe	41
PID 1160 wrote to memory of 1692	1160	tmp7135532.exe	41
PID 1160 wrote to memory of 1692	1160	tmp7135532.exe	41
PID 1624 wrote to memory of 860	1624	notpad.exe	68
PID 1624 wrote to memory of 860	1624	notpad.exe	68
PID 1624 wrote to memory of 860	1624	notpad.exe	68
PID 1624 wrote to memory of 860	1624	notpad.exe	68

C:\Users\Admin\AppData\Local\Temp\beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
"C:\Users\Admin\AppData\Local\Temp\beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\tmp7111399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111399.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113193.exe
        7⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112506.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112506.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\tmp7112038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112038.exe
        5⤵
        Executes dropped EXE
        
        PID:580
- - C:\Users\Admin\AppData\Local\Temp\tmp7110899.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7110899.exe
    3⤵
    PID:1172

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\tmp7113692.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7113692.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\tmp7117498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117498.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119901.exe
        8⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121242.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121242.exe
        10⤵
        
        PID:112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122054.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122522.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124534.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124534.exe
        18⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125579.exe
        20⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126266.exe
        22⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127280.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127280.exe
        24⤵
        
        PID:364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128262.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128262.exe
        26⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129183.exe
        28⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132053.exe
        30⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131008.exe
        30⤵
        
        PID:652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132833.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132833.exe
        32⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132240.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132240.exe
        32⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130384.exe
        28⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129074.exe
        26⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128153.exe
        24⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127170.exe
        22⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126141.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126141.exe
        20⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125158.exe
        18⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124082.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124082.exe
        16⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123364.exe
        14⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122412.exe
        12⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121960.exe
        10⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137201.exe
        9⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121071.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121071.exe
        8⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145563.exe
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146124.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147419.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150945.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150945.exe
        16⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151179.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151179.exe
        16⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152505.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152505.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154455.exe
        19⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155781.exe
        21⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158464.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158464.exe
        21⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159197.exe
        22⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159541.exe
        22⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155641.exe
        19⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158636.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158636.exe
        20⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159431.exe
        20⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153862.exe
        17⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150196.exe
        14⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151101.exe
        15⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153675.exe
        17⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153847.exe
        17⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154767.exe
        18⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        20⤵
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160024.exe
        22⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161413.exe
        22⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161927.exe
        23⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163331.exe
        23⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159416.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159416.exe
        20⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160118.exe
        21⤵
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161678.exe
        23⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163300.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163300.exe
        23⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168370.exe
        24⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        24⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161132.exe
        21⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156155.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156155.exe
        18⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152942.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152942.exe
        15⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147217.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147217.exe
        12⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149791.exe
        13⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145828.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146202.exe
        11⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146561.exe
        11⤵
        
        PID:692
      - C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        6⤵
        
        PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
      4⤵
      PID:860
- C:\Users\Admin\AppData\Local\Temp\tmp7115907.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7115907.exe
  2⤵
  - Executes dropped EXE
  PID:1648

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:964
- C:\Users\Admin\AppData\Local\Temp\tmp7132942.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7132942.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:932
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133629.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133629.exe
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1924
      - C:\Users\Admin\AppData\Local\Temp\tmp7134175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134175.exe
        6⤵
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135048.exe
        8⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134892.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135532.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136031.exe
        12⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136312.exe
        13⤵
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137529.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137529.exe
        15⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138434.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139323.exe
        18⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140196.exe
        20⤵
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141569.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143207.exe
        24⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144237.exe
        26⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144549.exe
        26⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        27⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146671.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147263.exe
        29⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150883.exe
        30⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152068.exe
        30⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146343.exe
        27⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143972.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143972.exe
        24⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144627.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144627.exe
        25⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145438.exe
        27⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146062.exe
        28⤵
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147092.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147092.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147544.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147544.exe
        30⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        31⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152302.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152302.exe
        33⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153176.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153176.exe
        33⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154221.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154221.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155297.exe
        36⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157450.exe
        36⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159104.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        39⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160633.exe
        41⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161366.exe
        41⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        42⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163253.exe
        42⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160477.exe
        39⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161537.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161537.exe
        40⤵
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163628.exe
        42⤵
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168495.exe
        44⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168807.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170929.exe
        48⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171833.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171833.exe
        48⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174173.exe
        49⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175546.exe
        49⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169649.exe
        46⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170367.exe
        47⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171849.exe
        47⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168542.exe
        44⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169166.exe
        45⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170195.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170195.exe
        45⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164174.exe
        42⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        43⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169618.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169618.exe
        45⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174189.exe
        47⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176669.exe
        49⤵
        Drops file in System32 directory
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180242.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180242.exe
        51⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183955.exe
        51⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186061.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188806.exe
        54⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193315.exe
        56⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193908.exe
        56⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196154.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196154.exe
        57⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203767.exe
        59⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207199.exe
        60⤵
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211583.exe
        62⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217277.exe
        64⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218525.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218525.exe
        64⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219804.exe
        65⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220631.exe
        65⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213564.exe
        62⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216996.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        Modifies registry class
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224312.exe
        65⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225810.exe
        65⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230474.exe
        66⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232409.exe
        66⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219039.exe
        63⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208291.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208291.exe
        60⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201567.exe
        59⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208150.exe
        61⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208775.exe
        61⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210366.exe
        62⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213158.exe
        62⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199149.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199149.exe
        57⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192332.exe
        54⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194017.exe
        55⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194532.exe
        55⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187465.exe
        52⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178885.exe
        49⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180601.exe
        50⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184875.exe
        52⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186778.exe
        52⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188760.exe
        53⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192909.exe
        53⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183861.exe
        50⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174735.exe
        47⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176123.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176123.exe
        48⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178245.exe
        50⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179961.exe
        50⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        51⤵
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187387.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187387.exe
        53⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191349.exe
        55⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195967.exe
        57⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199898.exe
        57⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203268.exe
        58⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206637.exe
        58⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193206.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193206.exe
        55⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195873.exe
        56⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199992.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199992.exe
        56⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189586.exe
        53⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192613.exe
        54⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199227.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199227.exe
        56⤵
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203938.exe
        58⤵
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208915.exe
        60⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214765.exe
        62⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219071.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219071.exe
        64⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220069.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220069.exe
        64⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225217.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225217.exe
        65⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226091.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226091.exe
        65⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217713.exe
        62⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219086.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228259.exe
        65⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        Modifies registry class
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231769.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234405.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241223.exe
        71⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244312.exe
        71⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246090.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246090.exe
        72⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248804.exe
        72⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237978.exe
        69⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245092.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245092.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247307.exe
        70⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232424.exe
        67⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235107.exe
        68⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243344.exe
        68⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        65⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231909.exe
        66⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235248.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246355.exe
        70⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248867.exe
        70⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243329.exe
        68⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246106.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246106.exe
        69⤵
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249070.exe
        69⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233501.exe
        66⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220022.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220022.exe
        63⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        60⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213689.exe
        61⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216387.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216387.exe
        61⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207058.exe
        58⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208369.exe
        59⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210116.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210116.exe
        59⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201474.exe
        56⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203049.exe
        57⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203158.exe
        57⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194610.exe
        54⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185125.exe
        51⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177278.exe
        48⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170975.exe
        45⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        46⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        46⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169135.exe
        43⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162427.exe
        40⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159556.exe
        37⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155079.exe
        34⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151117.exe
        31⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146655.exe
        28⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144861.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe
        22⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143675.exe
        23⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144658.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145407.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145407.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        29⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146983.exe
        29⤵
        Modifies registry class
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147139.exe
        30⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150851.exe
        32⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152786.exe
        34⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153425.exe
        34⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        35⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157466.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157466.exe
        35⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152131.exe
        32⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152895.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152895.exe
        33⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154003.exe
        33⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147529.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147529.exe
        30⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145672.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145672.exe
        27⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146281.exe
        28⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        28⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145235.exe
        25⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146499.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146499.exe
        26⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146998.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        23⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141413.exe
        20⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142692.exe
        21⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
        23⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144471.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144471.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        27⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        29⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146046.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146483.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146780.exe
        28⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145095.exe
        25⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145532.exe
        26⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
        26⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144362.exe
        23⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145329.exe
        24⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143504.exe
        21⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139650.exe
        18⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140165.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140165.exe
        19⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140976.exe
        19⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139104.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136593.exe
        13⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135407.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135407.exe
        10⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135563.exe
        11⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136078.exe
        11⤵
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\tmp7134643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134643.exe
        6⤵
        
        PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\tmp7134050.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7134050.exe
      4⤵
      PID:1580
- C:\Users\Admin\AppData\Local\Temp\tmp7133426.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133426.exe
  2⤵
  PID:380

C:\Users\Admin\AppData\Local\Temp\tmp7136172.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136172.exe
1⤵
- Drops file in System32 directory
PID:1224
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tmp7137123.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7137123.exe
    3⤵
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\tmp7137435.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7137435.exe
      4⤵
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\tmp7136562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7136562.exe
    3⤵
    PID:1372
- - C:\Users\Admin\AppData\Local\Temp\tmp7145079.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7145079.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:652

C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\tmp7136624.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7136624.exe
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7137108.exe
  2⤵
  - Executes dropped EXE
  PID:760

C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
1⤵
- Drops file in System32 directory
PID:1096
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\tmp7137607.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7137607.exe
    3⤵
    - Modifies registry class
    PID:544
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\tmp7138558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138558.exe
        5⤵
        
        PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\tmp7139245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139245.exe
        5⤵
        
        PID:588
      - C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\tmp7140103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140103.exe
        6⤵
        
        PID:1544
- - C:\Users\Admin\AppData\Local\Temp\tmp7138449.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7138449.exe
    3⤵
    - Executes dropped EXE
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\tmp7139479.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7139479.exe
      4⤵
      PID:908
  - - C:\Users\Admin\AppData\Local\Temp\tmp7139962.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7139962.exe
      4⤵
      PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7110899.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7111399.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7111399.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112038.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112506.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112506.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113193.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113692.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113692.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115907.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116079.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7117498.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
3008e0c01f014562642b5fb0e3db62e6

SHA1
a5692a48f85a6333545b70997881fc4acc5ae240

SHA256
902434019bcf3932437cf30510cfc55b7e4ba99287425c2efc3970950a7f27f6

SHA512
7b70de0227c455b91fe75d92d672c9c978a8cd8337672ed0df3e211b0d4ac022ea3ad96f21a8b8757e93beb92ea1e1fc280b3d0ca48c1cca5655c12836d2ca56

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110041.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110041.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7110899.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7111399.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7111399.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112038.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112506.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112506.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113193.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113692.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113692.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115907.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116079.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116079.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116952.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7117498.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7117498.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118715.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
2ca3e763a9adc37ca2982a08a6b331d4

SHA1
66b24de7f3f3dd2735f5db7069859882648e3abe

SHA256
410288576b4c75f2d956551a82972551d0f2c983d4ebcf18924747721a867bbd

SHA512
450f3a573b6a25929557b03951fc8ffafcb43373630e3dab51ccc777918d222ae8de3dd6e41819666698335e6ddef468f8eef69e71b81c53775ea17f40517d30

Download Submit
memory/380-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/380-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/652-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/760-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/760-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-56-0x0000000000540000-0x000000000055F000-memory.dmp

Filesize
124KB

Download
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1100-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1144-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1188-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1188-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-96-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/1924-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download