662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641

Analysis

max time kernel
144s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
Size

689KB
MD5

0096ca85e4bb7a97cd221506913a0b40
SHA1

cde8488ff9551946ddd55d5c8afc85c5da1dae4f
SHA256

662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641
SHA512

38b822a9571898b44fa143b1032ea701d0a1ebe88f76eb7bbdedbd31cf75cfa5b5e605ae68905a9b74ace2b077917f8a5b6e7ce275fea0d78906a8c75727f92e
SSDEEP

12288:HPIR9PePhR9PuPhR9P7PIR9PePhR9PuPhR9PMPIR9PePhR9PuPhR9P:QRSRmRmRSRmRJRSRmR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
916	tmp7071540.exe
868	tmp7071572.exe
860	tmp7071665.exe
1272	tmp7071759.exe
1008	tmp7071837.exe
1068	tmp7072086.exe
932	notpad.exe
280	tmp7072804.exe
1388	tmp7073054.exe
1032	notpad.exe
1596	tmp7074442.exe
836	tmp7074660.exe
880	notpad.exe
1560	tmp7074894.exe
1184	tmp7075066.exe
936	notpad.exe
1848	tmp7075378.exe
1340	notpad.exe
388	tmp7075472.exe
1248	tmp7075596.exe
876	tmp7075690.exe
784	notpad.exe
1008	tmp7075877.exe
1616	tmp7075955.exe
1584	notpad.exe
828	tmp7076064.exe
1728	tmp7076127.exe
1860	notpad.exe
1836	tmp7076267.exe
1640	tmp7076345.exe
560	notpad.exe
2032	tmp7076532.exe
1736	tmp7076579.exe
1552	notpad.exe
1108	tmp7076735.exe
1032	tmp7076860.exe
712	notpad.exe
1652	tmp7076985.exe
1828	tmp7077016.exe
1700	notpad.exe
968	notpad.exe
1268	tmp7077312.exe
868	tmp7077390.exe
2000	notpad.exe
1116	tmp7077624.exe
1532	tmp7077656.exe
596	notpad.exe
2028	tmp7077780.exe
1612	tmp7077843.exe
1716	notpad.exe
784	tmp7077983.exe
1588	tmp7078030.exe
828	notpad.exe
316	tmp7078139.exe
1488	tmp7078170.exe
1628	notpad.exe
532	tmp7078326.exe
1120	tmp7078358.exe
560	notpad.exe
1508	tmp7078529.exe
1988	tmp7078560.exe
1072	notpad.exe
1108	tmp7078779.exe
1996	tmp7078810.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012302-59.dat	upx
behavioral1/memory/1848-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000012302-63.dat	upx
behavioral1/files/0x000a000000012302-62.dat	upx
behavioral1/files/0x000a000000012302-60.dat	upx
behavioral1/files/0x0008000000012314-75.dat	upx
behavioral1/memory/868-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012314-73.dat	upx
behavioral1/files/0x0008000000012314-70.dat	upx
behavioral1/files/0x0008000000012314-69.dat	upx
behavioral1/memory/1272-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001232f-91.dat	upx
behavioral1/files/0x000900000001232f-92.dat	upx
behavioral1/files/0x000900000001232f-95.dat	upx
behavioral1/files/0x000900000001232f-94.dat	upx
behavioral1/files/0x0008000000012326-101.dat	upx
behavioral1/files/0x000900000001232f-111.dat	upx
behavioral1/files/0x000900000001232f-109.dat	upx
behavioral1/memory/932-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001232f-107.dat	upx
behavioral1/memory/1032-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012326-120.dat	upx
behavioral1/files/0x000900000001232f-125.dat	upx
behavioral1/files/0x000900000001232f-130.dat	upx
behavioral1/memory/1032-129-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001232f-127.dat	upx
behavioral1/files/0x0008000000012326-137.dat	upx
behavioral1/memory/880-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001232f-143.dat	upx
behavioral1/files/0x000900000001232f-142.dat	upx
behavioral1/files/0x000900000001232f-148.dat	upx
behavioral1/files/0x0008000000012326-154.dat	upx
behavioral1/memory/936-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1340-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/784-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1584-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1860-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1860-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/560-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/712-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1700-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/968-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/596-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1716-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/828-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1628-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/560-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1072-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1664-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1980-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1184-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1268-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/592-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/596-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1616-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1728-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/544-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1744-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1988-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1032-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1016-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1016-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
868	tmp7071572.exe
868	tmp7071572.exe
868	tmp7071572.exe
868	tmp7071572.exe
1272	tmp7071759.exe
1272	tmp7071759.exe
1272	tmp7071759.exe
1272	tmp7071759.exe
600	WerFault.exe
600	WerFault.exe
916	tmp7071540.exe
916	tmp7071540.exe
932	notpad.exe
932	notpad.exe
932	notpad.exe
280	tmp7072804.exe
280	tmp7072804.exe
1032	notpad.exe
1032	notpad.exe
1032	notpad.exe
1596	tmp7074442.exe
1596	tmp7074442.exe
880	notpad.exe
880	notpad.exe
880	notpad.exe
1560	tmp7074894.exe
1560	tmp7074894.exe
936	notpad.exe
936	notpad.exe
1848	tmp7075378.exe
1848	tmp7075378.exe
936	notpad.exe
1340	notpad.exe
1340	notpad.exe
1340	notpad.exe
1248	tmp7075596.exe
1248	tmp7075596.exe
784	notpad.exe
784	notpad.exe
784	notpad.exe
1008	tmp7075877.exe
1008	tmp7075877.exe
1584	notpad.exe
1584	notpad.exe
1584	notpad.exe
828	tmp7076064.exe
828	tmp7076064.exe
600	WerFault.exe
1860	notpad.exe
1860	notpad.exe
1860	notpad.exe
1836	tmp7076267.exe
1836	tmp7076267.exe
560	notpad.exe
560	notpad.exe
560	notpad.exe
2032	tmp7076532.exe
2032	tmp7076532.exe
1552	notpad.exe
1552	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7081478.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7083053.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7084333.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7088545.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7088545.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7172894.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7078139.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7076985.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7085643.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7085643.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7085783.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7091197.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7176732.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7074894.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075877.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7076735.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7077780.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081478.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7084333.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7085783.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7138621.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7075877.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7180429.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7182738.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7088623.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7177980.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7081212.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7077983.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7078326.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176732.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7077312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7085487.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081337.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7134924.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136655.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7174797.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7182738.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7201037.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7085518.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7090011.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7090011.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7172894.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7079980.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7078950.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7079793.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7088545.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136094.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7176732.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7077188.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7076735.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7085487.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7075378.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7085518.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7179634.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7077780.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7134924.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136094.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7183456.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7075378.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7078950.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7081805.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7085971.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7077983.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
600	1068	WerFault.exe	33

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135438.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7179899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7071540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7087468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174797.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7089793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7138621.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7177980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085783.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7091197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136655.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182863.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7074894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7079153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7084333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7171475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183456.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077780.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076532.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7084738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7086064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7088623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7076735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7084582.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7201037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7077624.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7081212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7074442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7075596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7087281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7072804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7078326.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7085971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7080120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7083334.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 916	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	28
PID 1848 wrote to memory of 916	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	28
PID 1848 wrote to memory of 916	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	28
PID 1848 wrote to memory of 916	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	28
PID 1848 wrote to memory of 868	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	29
PID 1848 wrote to memory of 868	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	29
PID 1848 wrote to memory of 868	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	29
PID 1848 wrote to memory of 868	1848	662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe	29
PID 868 wrote to memory of 860	868	tmp7071572.exe	30
PID 868 wrote to memory of 860	868	tmp7071572.exe	30
PID 868 wrote to memory of 860	868	tmp7071572.exe	30
PID 868 wrote to memory of 860	868	tmp7071572.exe	30
PID 868 wrote to memory of 1272	868	tmp7071572.exe	32
PID 868 wrote to memory of 1272	868	tmp7071572.exe	32
PID 868 wrote to memory of 1272	868	tmp7071572.exe	32
PID 868 wrote to memory of 1272	868	tmp7071572.exe	32
PID 1272 wrote to memory of 1008	1272	tmp7071759.exe	31
PID 1272 wrote to memory of 1008	1272	tmp7071759.exe	31
PID 1272 wrote to memory of 1008	1272	tmp7071759.exe	31
PID 1272 wrote to memory of 1008	1272	tmp7071759.exe	31
PID 1272 wrote to memory of 1068	1272	tmp7071759.exe	33
PID 1272 wrote to memory of 1068	1272	tmp7071759.exe	33
PID 1272 wrote to memory of 1068	1272	tmp7071759.exe	33
PID 1272 wrote to memory of 1068	1272	tmp7071759.exe	33
PID 1068 wrote to memory of 600	1068	tmp7072086.exe	34
PID 1068 wrote to memory of 600	1068	tmp7072086.exe	34
PID 1068 wrote to memory of 600	1068	tmp7072086.exe	34
PID 1068 wrote to memory of 600	1068	tmp7072086.exe	34
PID 916 wrote to memory of 932	916	tmp7071540.exe	35
PID 916 wrote to memory of 932	916	tmp7071540.exe	35
PID 916 wrote to memory of 932	916	tmp7071540.exe	35
PID 916 wrote to memory of 932	916	tmp7071540.exe	35
PID 932 wrote to memory of 280	932	notpad.exe	36
PID 932 wrote to memory of 280	932	notpad.exe	36
PID 932 wrote to memory of 280	932	notpad.exe	36
PID 932 wrote to memory of 280	932	notpad.exe	36
PID 932 wrote to memory of 1388	932	notpad.exe	37
PID 932 wrote to memory of 1388	932	notpad.exe	37
PID 932 wrote to memory of 1388	932	notpad.exe	37
PID 932 wrote to memory of 1388	932	notpad.exe	37
PID 280 wrote to memory of 1032	280	tmp7072804.exe	38
PID 280 wrote to memory of 1032	280	tmp7072804.exe	38
PID 280 wrote to memory of 1032	280	tmp7072804.exe	38
PID 280 wrote to memory of 1032	280	tmp7072804.exe	38
PID 1032 wrote to memory of 1596	1032	notpad.exe	39
PID 1032 wrote to memory of 1596	1032	notpad.exe	39
PID 1032 wrote to memory of 1596	1032	notpad.exe	39
PID 1032 wrote to memory of 1596	1032	notpad.exe	39
PID 1032 wrote to memory of 836	1032	notpad.exe	40
PID 1032 wrote to memory of 836	1032	notpad.exe	40
PID 1032 wrote to memory of 836	1032	notpad.exe	40
PID 1032 wrote to memory of 836	1032	notpad.exe	40
PID 1596 wrote to memory of 880	1596	tmp7074442.exe	41
PID 1596 wrote to memory of 880	1596	tmp7074442.exe	41
PID 1596 wrote to memory of 880	1596	tmp7074442.exe	41
PID 1596 wrote to memory of 880	1596	tmp7074442.exe	41
PID 880 wrote to memory of 1560	880	notpad.exe	42
PID 880 wrote to memory of 1560	880	notpad.exe	42
PID 880 wrote to memory of 1560	880	notpad.exe	42
PID 880 wrote to memory of 1560	880	notpad.exe	42
PID 880 wrote to memory of 1184	880	notpad.exe	43
PID 880 wrote to memory of 1184	880	notpad.exe	43
PID 880 wrote to memory of 1184	880	notpad.exe	43
PID 880 wrote to memory of 1184	880	notpad.exe	43

C:\Users\Admin\AppData\Local\Temp\662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe
"C:\Users\Admin\AppData\Local\Temp\662925e276c69d0f6a0655e940afdae1196e2324e8babf7927d5aa100e856641.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\tmp7071540.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7071540.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\tmp7072804.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7072804.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\tmp7074442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074442.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075378.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075596.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075596.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075877.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076064.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076267.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076267.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076532.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076735.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076985.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077188.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077312.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077624.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077780.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077983.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078139.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078326.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078529.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078779.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078950.exe
        44⤵
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079153.exe
        46⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079793.exe
        48⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079980.exe
        50⤵
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080120.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080120.exe
        52⤵
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080292.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080292.exe
        54⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081212.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081337.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081478.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081478.exe
        60⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081805.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081805.exe
        62⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083053.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083334.exe
        66⤵
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083428.exe
        68⤵
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084192.exe
        70⤵
        
        PID:272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084333.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084582.exe
        74⤵
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084738.exe
        76⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085487.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085643.exe
        80⤵
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085830.exe
        82⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086017.exe
        84⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086626.exe
        84⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086797.exe
        85⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087000.exe
        85⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085955.exe
        82⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086064.exe
        83⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086891.exe
        85⤵
        
        PID:528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087281.exe
        87⤵
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087562.exe
        89⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088123.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088123.exe
        89⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088357.exe
        90⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088498.exe
        90⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087359.exe
        87⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087437.exe
        88⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088061.exe
        88⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086969.exe
        85⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087047.exe
        86⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087234.exe
        86⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086532.exe
        83⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085705.exe
        80⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085783.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085783.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085971.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086376.exe
        85⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086579.exe
        85⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086751.exe
        86⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086813.exe
        86⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086142.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086142.exe
        83⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086595.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086595.exe
        84⤵
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087109.exe
        86⤵
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087468.exe
        88⤵
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088482.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088482.exe
        90⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089699.exe
        90⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090011.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090011.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091711.exe
        93⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091930.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091930.exe
        93⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133020.exe
        94⤵
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        96⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135438.exe
        98⤵
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136406.exe
        100⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        100⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138621.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138621.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171475.exe
        103⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172317.exe
        105⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172613.exe
        105⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173035.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173035.exe
        106⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173362.exe
        106⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171662.exe
        103⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172021.exe
        104⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172894.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172894.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174095.exe
        108⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174517.exe
        108⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174938.exe
        109⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175078.exe
        109⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173128.exe
        106⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173440.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173440.exe
        107⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174797.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176233.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176233.exe
        111⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176404.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176404.exe
        111⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176732.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176732.exe
        112⤵
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178042.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178042.exe
        114⤵
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178963.exe
        116⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        116⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179946.exe
        117⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180710.exe
        117⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178308.exe
        114⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178682.exe
        115⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179134.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179134.exe
        115⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177418.exe
        112⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174985.exe
        109⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175421.exe
        110⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176716.exe
        112⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177574.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177574.exe
        112⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177980.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178448.exe
        115⤵
        
        PID:692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179634.exe
        117⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182020.exe
        119⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182223.exe
        119⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183456.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215217.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215217.exe
        124⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216637.exe
        124⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218977.exe
        125⤵
        
        PID:712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220381.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220381.exe
        125⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206294.exe
        122⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214827.exe
        123⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218883.exe
        123⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197948.exe
        120⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179899.exe
        117⤵
        Modifies registry class
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182863.exe
        118⤵
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194282.exe
        120⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200709.exe
        120⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206512.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206512.exe
        121⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218103.exe
        123⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218556.exe
        123⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221192.exe
        124⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        121⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193861.exe
        118⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178776.exe
        115⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180429.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193830.exe
        120⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198728.exe
        120⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206606.exe
        121⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221114.exe
        123⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218197.exe
        121⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183315.exe
        118⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194001.exe
        119⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200803.exe
        119⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182052.exe
        116⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177996.exe
        113⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175952.exe
        110⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173627.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173627.exe
        107⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172395.exe
        104⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138730.exe
        101⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135953.exe
        98⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136655.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138714.exe
        101⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        101⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171053.exe
        102⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171194.exe
        102⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138309.exe
        99⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134362.exe
        96⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134924.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136094.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137778.exe
        101⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138746.exe
        101⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170507.exe
        102⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171225.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171225.exe
        102⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136593.exe
        99⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137825.exe
        100⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138668.exe
        100⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135158.exe
        97⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133364.exe
        94⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090713.exe
        91⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088030.exe
        88⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088545.exe
        89⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089559.exe
        91⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089855.exe
        91⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091197.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131492.exe
        94⤵
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133379.exe
        96⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133613.exe
        96⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134393.exe
        97⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        97⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131788.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131788.exe
        94⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133145.exe
        95⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133520.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133520.exe
        95⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091883.exe
        92⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089449.exe
        89⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7087219.exe
        86⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088155.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088155.exe
        87⤵
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088623.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089995.exe
        91⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090697.exe
        91⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091056.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091056.exe
        92⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091477.exe
        92⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089527.exe
        89⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089793.exe
        90⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090183.exe
        92⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090729.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090729.exe
        92⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091212.exe
        93⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092429.exe
        93⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7089949.exe
        90⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7088201.exe
        87⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7086673.exe
        84⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085846.exe
        81⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085503.exe
        78⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085518.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085518.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085690.exe
        81⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085752.exe
        81⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085861.exe
        82⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085908.exe
        82⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7085549.exe
        79⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084754.exe
        76⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084613.exe
        74⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084364.exe
        72⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084223.exe
        70⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7084021.exe
        68⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083350.exe
        66⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7083084.exe
        64⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082944.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7082944.exe
        62⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081556.exe
        60⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081368.exe
        58⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081228.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081228.exe
        56⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7081119.exe
        54⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080136.exe
        52⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080011.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7080011.exe
        50⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079840.exe
        48⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7079684.exe
        46⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078966.exe
        44⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078810.exe
        42⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078560.exe
        40⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078358.exe
        38⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078170.exe
        36⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7078030.exe
        34⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077843.exe
        32⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077656.exe
        30⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077390.exe
        28⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077234.exe
        26⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7077016.exe
        24⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076860.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076860.exe
        22⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076579.exe
        20⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076345.exe
        18⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7076127.exe
        16⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075955.exe
        14⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075690.exe
        12⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075472.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075472.exe
        10⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7075066.exe
        8⤵
        Executes dropped EXE
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\tmp7074660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7074660.exe
        6⤵
        Executes dropped EXE
        
        PID:836
  - - C:\Users\Admin\AppData\Local\Temp\tmp7073054.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7073054.exe
      4⤵
      Executes dropped EXE
      PID:1388
- C:\Users\Admin\AppData\Local\Temp\tmp7071572.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7071572.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\tmp7071665.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7071665.exe
    3⤵
    - Executes dropped EXE
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\tmp7071759.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7071759.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\tmp7072086.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7072086.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:600

C:\Users\Admin\AppData\Local\Temp\tmp7071837.exe
C:\Users\Admin\AppData\Local\Temp\tmp7071837.exe
1⤵
- Executes dropped EXE
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7071540.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071540.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071572.exe

Filesize
505KB

MD5
c37f3775e985d7c8b068d78397a52474

SHA1
a466c0ce5be12bfd6c75e6c3c3967a8f44c4befc

SHA256
d4e46d0952f3c353e5ab998236921a98f7e5f03ee3b275dc6adb2e15138f329f

SHA512
952f03009d4a74f425c1ac2e9884bbbe4f4c45b89f203b5977d87ea10c02f7ed8fb586826ad2d47d61bf1a7ae91aac22ae06601d5bd1c72d23c1a30097f461d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071572.exe

Filesize
505KB

MD5
c37f3775e985d7c8b068d78397a52474

SHA1
a466c0ce5be12bfd6c75e6c3c3967a8f44c4befc

SHA256
d4e46d0952f3c353e5ab998236921a98f7e5f03ee3b275dc6adb2e15138f329f

SHA512
952f03009d4a74f425c1ac2e9884bbbe4f4c45b89f203b5977d87ea10c02f7ed8fb586826ad2d47d61bf1a7ae91aac22ae06601d5bd1c72d23c1a30097f461d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071665.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071759.exe

Filesize
320KB

MD5
16ab7ef92781ef9c0cc6a112d27b704d

SHA1
a4cb5b4383aae858156f9eb5964e7cddb0145f4e

SHA256
cd17eec0dc90ab2ead09e30ccb81ae63a2228fe26694c16834128e901801c184

SHA512
e33c067b7ee0c072d5fd2c875e3184f36f72868d3914ea02ecbd08e71b5b93dc05b301d4e905513ce30316dabb307ff7e6d4fae2ad1018088608c6a1756b065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071759.exe

Filesize
320KB

MD5
16ab7ef92781ef9c0cc6a112d27b704d

SHA1
a4cb5b4383aae858156f9eb5964e7cddb0145f4e

SHA256
cd17eec0dc90ab2ead09e30ccb81ae63a2228fe26694c16834128e901801c184

SHA512
e33c067b7ee0c072d5fd2c875e3184f36f72868d3914ea02ecbd08e71b5b93dc05b301d4e905513ce30316dabb307ff7e6d4fae2ad1018088608c6a1756b065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7071837.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7072086.exe

Filesize
136KB

MD5
d5f141728f1c7934a4364aa5cd1336e3

SHA1
3ddcbd57853c3c99703f8c7ee2a75ff3f3b00abd

SHA256
018efd19106c9e131de2a334c52576c1d626ad0cf86261fb478fa8fda30c80e9

SHA512
912f3bdd5873ee810d905d524b0775051e406bf49f9087b90b1d6e9afaefc64a571f39114b846feedc2007b393cd2594c657fa352858dbb157134c5d6b60554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7072804.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7072804.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7073054.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074442.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074442.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074660.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7074894.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075066.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7075378.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
173KB

MD5
b3369a4e5f2725724bc4f93d417567e3

SHA1
667bd182665648fc22b2ab541c198c7909a3e418

SHA256
b7ddb4a2d5288ab6282082e4be0ded2459a259b7a4fea8f5e07720120560c81e

SHA512
022cb5d49dbc9d67c2652cd6ecacf2d55953568929626760bfa3c3141982acd49abe9a10297a8d84a23d5a861230ca4c3c24668232687f35141892d1c76762d5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
173KB

MD5
465b07f6a1c6aee29c9ec41d9cb5f111

SHA1
52d036ff073db02f151b8184845c5ef36ad1f3e8

SHA256
40f3eaa63b891a5302942b63d4a99fb0bb074ed396f9debb9686feedd5dfa30b

SHA512
b1daeff585200f1f988e863c708049023f8193664260161d56a8c1150ec7fd1e078f757c90f08a6f3b2913a639b16f7b59a97a2c128b76e0617e95eece5f45be

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071540.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071540.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071572.exe

Filesize
505KB

MD5
c37f3775e985d7c8b068d78397a52474

SHA1
a466c0ce5be12bfd6c75e6c3c3967a8f44c4befc

SHA256
d4e46d0952f3c353e5ab998236921a98f7e5f03ee3b275dc6adb2e15138f329f

SHA512
952f03009d4a74f425c1ac2e9884bbbe4f4c45b89f203b5977d87ea10c02f7ed8fb586826ad2d47d61bf1a7ae91aac22ae06601d5bd1c72d23c1a30097f461d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071572.exe

Filesize
505KB

MD5
c37f3775e985d7c8b068d78397a52474

SHA1
a466c0ce5be12bfd6c75e6c3c3967a8f44c4befc

SHA256
d4e46d0952f3c353e5ab998236921a98f7e5f03ee3b275dc6adb2e15138f329f

SHA512
952f03009d4a74f425c1ac2e9884bbbe4f4c45b89f203b5977d87ea10c02f7ed8fb586826ad2d47d61bf1a7ae91aac22ae06601d5bd1c72d23c1a30097f461d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071665.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071665.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071759.exe

Filesize
320KB

MD5
16ab7ef92781ef9c0cc6a112d27b704d

SHA1
a4cb5b4383aae858156f9eb5964e7cddb0145f4e

SHA256
cd17eec0dc90ab2ead09e30ccb81ae63a2228fe26694c16834128e901801c184

SHA512
e33c067b7ee0c072d5fd2c875e3184f36f72868d3914ea02ecbd08e71b5b93dc05b301d4e905513ce30316dabb307ff7e6d4fae2ad1018088608c6a1756b065b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071759.exe

Filesize
320KB

MD5
16ab7ef92781ef9c0cc6a112d27b704d

SHA1
a4cb5b4383aae858156f9eb5964e7cddb0145f4e

SHA256
cd17eec0dc90ab2ead09e30ccb81ae63a2228fe26694c16834128e901801c184

SHA512
e33c067b7ee0c072d5fd2c875e3184f36f72868d3914ea02ecbd08e71b5b93dc05b301d4e905513ce30316dabb307ff7e6d4fae2ad1018088608c6a1756b065b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071837.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7071837.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072086.exe

Filesize
136KB

MD5
d5f141728f1c7934a4364aa5cd1336e3

SHA1
3ddcbd57853c3c99703f8c7ee2a75ff3f3b00abd

SHA256
018efd19106c9e131de2a334c52576c1d626ad0cf86261fb478fa8fda30c80e9

SHA512
912f3bdd5873ee810d905d524b0775051e406bf49f9087b90b1d6e9afaefc64a571f39114b846feedc2007b393cd2594c657fa352858dbb157134c5d6b60554a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072086.exe

Filesize
136KB

MD5
d5f141728f1c7934a4364aa5cd1336e3

SHA1
3ddcbd57853c3c99703f8c7ee2a75ff3f3b00abd

SHA256
018efd19106c9e131de2a334c52576c1d626ad0cf86261fb478fa8fda30c80e9

SHA512
912f3bdd5873ee810d905d524b0775051e406bf49f9087b90b1d6e9afaefc64a571f39114b846feedc2007b393cd2594c657fa352858dbb157134c5d6b60554a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072086.exe

Filesize
136KB

MD5
d5f141728f1c7934a4364aa5cd1336e3

SHA1
3ddcbd57853c3c99703f8c7ee2a75ff3f3b00abd

SHA256
018efd19106c9e131de2a334c52576c1d626ad0cf86261fb478fa8fda30c80e9

SHA512
912f3bdd5873ee810d905d524b0775051e406bf49f9087b90b1d6e9afaefc64a571f39114b846feedc2007b393cd2594c657fa352858dbb157134c5d6b60554a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072086.exe

Filesize
136KB

MD5
d5f141728f1c7934a4364aa5cd1336e3

SHA1
3ddcbd57853c3c99703f8c7ee2a75ff3f3b00abd

SHA256
018efd19106c9e131de2a334c52576c1d626ad0cf86261fb478fa8fda30c80e9

SHA512
912f3bdd5873ee810d905d524b0775051e406bf49f9087b90b1d6e9afaefc64a571f39114b846feedc2007b393cd2594c657fa352858dbb157134c5d6b60554a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072804.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7072804.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7073054.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074442.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074442.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074660.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074894.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7074894.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075066.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075378.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7075378.exe

Filesize
173KB

MD5
5fdf690a24f2c2aefa91a0195c20bb3c

SHA1
e5b913deca47d15bd848b75d834beb2628ed9af1

SHA256
8ea9da7aad1ba80377d371422a59623c153601071463670080987bc2afab68f3

SHA512
bb07a9497eeaa27049214eed1e35120a1c97362db257275aa7182a52714c90b08b55593e81ccfe719f03afbd05870d190f896c07a0b7634de06de4ac48ae124b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
360KB

MD5
9c9b0aca980362038f2fa3262d7c2b94

SHA1
192f648679228dea1ed63c1f79290ed2ac5ad21d

SHA256
aa59d5323ee4f14b29cd073ed72a9749c8a596d2460f61fb62e92e30299a9df5

SHA512
491f791b5dfe11fc0a6bc24298d7b87ce2014225b3d5b2574b2391f39e8c3f8ca5ab2d674083148152b246712903eb2474e0ec4631684549535abf1d12766318

Download Submit
memory/280-113-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/288-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/340-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/596-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/712-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/784-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/828-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/856-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/856-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/868-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/880-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-58-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/916-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/936-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1016-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1016-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-90-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1072-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1184-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1212-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1268-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1332-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-338-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1848-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1980-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-329-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download