ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf

Analysis

max time kernel
85s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe
Size

8.6MB
MD5

0ac7093ea7a955f1308d269546cbb98a
SHA1

c00fa2479ce784b9e222f1547539a08711157230
SHA256

ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf
SHA512

a8703d806e8eb8d87e103323684a05ba10a53832a9081a7b36c9a6829eb80d2d8c11be34aa43c541d2795fbcae5cd9c6d8090a23073b901a5b9a44df3ca308e8
SSDEEP

196608:2sys0sWs0s2sfsXswsys0sWs0s2sfsXsrsys0sWs0s2sfsXsx:2sys0sWs0s2sfsXswsys0sWs0s2sfsXn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1584	tmp7093131.exe
572	tmp7093209.exe
1720	tmp7126515.exe
332	tmp7093677.exe
1488	tmp7093693.exe
1940	tmp7130368.exe
836	notpad.exe
1832	tmp7126905.exe
1600	tmp7128231.exe
1628	tmp7104238.exe
1976	tmp7129089.exe
1988	tmp7116687.exe
1572	tmp7104566.exe
2004	tmp7116360.exe
1920	notpad.exe
484	tmp7128294.exe
1304	notpad.exe
1000	tmp7105658.exe
1464	tmp7126437.exe
1544	notpad.exe
1584	tmp7107779.exe
1076	tmp7129635.exe
1368	tmp7125876.exe
1596	tmp7123770.exe
2000	tmp7114675.exe
632	tmp7108622.exe
1780	tmp7109183.exe
1216	notpad.exe
1276	notpad.exe
2016	tmp7109464.exe
836	notpad.exe
1280	tmp7109792.exe
688	notpad.exe
1836	tmp7127061.exe
2012	tmp7110041.exe
1828	tmp7127763.exe
1708	notpad.exe
240	tmp7111383.exe
936	tmp7111882.exe
1124	notpad.exe
1048	notpad.exe
1268	notpad.exe
1924	notpad.exe
960	tmp7128808.exe
1036	tmp7112709.exe
1920	notpad.exe
2040	tmp7128621.exe
1304	notpad.exe
280	tmp7123879.exe
1476	tmp7113739.exe
1332	tmp7113754.exe
564	tmp7114004.exe
1772	notpad.exe
536	tmp7130556.exe
708	notpad.exe
980	tmp7130290.exe
1372	notpad.exe
1748	tmp7130790.exe
896	tmp7130150.exe
2000	tmp7114675.exe
516	notpad.exe
112	notpad.exe
892	tmp7114893.exe
588	tmp7115158.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000142d7-60.dat	upx
behavioral1/files/0x00070000000142d7-70.dat	upx
behavioral1/memory/1720-72-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/572-71-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142d7-69.dat	upx
behavioral1/files/0x000800000001413a-68.dat	upx
behavioral1/files/0x000800000001413a-67.dat	upx
behavioral1/memory/1544-66-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142d7-89.dat	upx
behavioral1/files/0x00070000000142d7-87.dat	upx
behavioral1/files/0x00070000000142d7-86.dat	upx
behavioral1/files/0x00070000000142c0-83.dat	upx
behavioral1/files/0x00070000000142d7-61.dat	upx
behavioral1/files/0x000800000001413a-64.dat	upx
behavioral1/files/0x000800000001413a-63.dat	upx
behavioral1/memory/1940-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1720-94-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000600000001448d-103.dat	upx
behavioral1/memory/1600-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/572-112-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142d7-121.dat	upx
behavioral1/files/0x00070000000142d7-145.dat	upx
behavioral1/memory/1976-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1920-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142c0-160.dat	upx
behavioral1/memory/1920-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142d7-140.dat	upx
behavioral1/files/0x00070000000142d7-137.dat	upx
behavioral1/memory/1600-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142c0-128.dat	upx
behavioral1/files/0x00070000000142d7-124.dat	upx
behavioral1/memory/1464-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142d7-119.dat	upx
behavioral1/memory/2000-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1216-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/836-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000142c0-109.dat	upx
behavioral1/files/0x000600000001448d-108.dat	upx
behavioral1/files/0x000600000001448d-98.dat	upx
behavioral1/files/0x000600000001448d-96.dat	upx
behavioral1/memory/1836-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1708-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1708-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1924-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1920-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1920-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/280-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1772-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/980-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1748-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/516-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/112-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/552-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1416-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/344-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1048-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/844-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1768-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1748-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe
1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe
1584	tmp7107779.exe
1584	tmp7107779.exe
1544	notpad.exe
1544	notpad.exe
572	tmp7093209.exe
1720	tmp7126515.exe
572	tmp7093209.exe
1720	tmp7126515.exe
332	tmp7093677.exe
332	tmp7093677.exe
1720	tmp7126515.exe
572	tmp7093209.exe
1940	tmp7130368.exe
572	tmp7093209.exe
1940	tmp7130368.exe
1940	tmp7130368.exe
1600	tmp7128231.exe
1832	tmp7126905.exe
1600	tmp7128231.exe
1832	tmp7126905.exe
1600	tmp7128231.exe
1600	tmp7128231.exe
1976	tmp7129089.exe
1988	tmp7116687.exe
1976	tmp7129089.exe
1988	tmp7116687.exe
1976	tmp7129089.exe
1920	notpad.exe
1920	notpad.exe
1920	notpad.exe
1304	notpad.exe
1304	notpad.exe
1464	tmp7126437.exe
1464	tmp7126437.exe
1464	tmp7126437.exe
1544	notpad.exe
1544	notpad.exe
1076	tmp7129635.exe
1076	tmp7129635.exe
1076	tmp7129635.exe
1368	tmp7125876.exe
1368	tmp7125876.exe
2000	tmp7114675.exe
2000	tmp7114675.exe
2000	tmp7114675.exe
632	tmp7108622.exe
632	tmp7108622.exe
1216	notpad.exe
1216	notpad.exe
1216	notpad.exe
1276	notpad.exe
1276	notpad.exe
836	notpad.exe
836	notpad.exe
836	notpad.exe
1280	tmp7109792.exe
1280	tmp7109792.exe
1836	tmp7127061.exe
1836	tmp7127061.exe
1836	tmp7127061.exe
2012	tmp7110041.exe
2012	tmp7110041.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7114893.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108622.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7111383.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7115221.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7131024.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7130400.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7129089.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7166264.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128808.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7127607.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7181490.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147107.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7116687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7115221.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7123879.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7113739.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147669.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7129760.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7183097.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7150134.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7163955.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7126905.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7113739.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131024.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7126656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7126656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128294.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7129261.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7093131.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7114893.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146624.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7130368.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7148324.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7181490.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7130790.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7163955.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093677.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7108622.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7123879.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7178900.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7197230.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7150134.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7130368.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7181490.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146624.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7130368.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147107.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7126905.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7108622.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7130150.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7178900.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147107.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128621.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7111383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146624.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7197230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150134.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148137.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147107.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7113739.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7127607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129089.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1584	1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe	26
PID 1544 wrote to memory of 1584	1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe	26
PID 1544 wrote to memory of 1584	1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe	26
PID 1544 wrote to memory of 1584	1544	ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe	26
PID 1584 wrote to memory of 1720	1584	tmp7107779.exe	27
PID 1584 wrote to memory of 1720	1584	tmp7107779.exe	27
PID 1584 wrote to memory of 1720	1584	tmp7107779.exe	27
PID 1584 wrote to memory of 1720	1584	tmp7107779.exe	27
PID 1544 wrote to memory of 572	1544	notpad.exe	28
PID 1544 wrote to memory of 572	1544	notpad.exe	28
PID 1544 wrote to memory of 572	1544	notpad.exe	28
PID 1544 wrote to memory of 572	1544	notpad.exe	28
PID 572 wrote to memory of 332	572	tmp7093209.exe	31
PID 572 wrote to memory of 332	572	tmp7093209.exe	31
PID 572 wrote to memory of 332	572	tmp7093209.exe	31
PID 572 wrote to memory of 332	572	tmp7093209.exe	31
PID 1720 wrote to memory of 1488	1720	tmp7126515.exe	30
PID 1720 wrote to memory of 1488	1720	tmp7126515.exe	30
PID 1720 wrote to memory of 1488	1720	tmp7126515.exe	30
PID 1720 wrote to memory of 1488	1720	tmp7126515.exe	30
PID 332 wrote to memory of 1940	332	tmp7093677.exe	158
PID 332 wrote to memory of 1940	332	tmp7093677.exe	158
PID 332 wrote to memory of 1940	332	tmp7093677.exe	158
PID 332 wrote to memory of 1940	332	tmp7093677.exe	158
PID 1720 wrote to memory of 836	1720	tmp7126515.exe	127
PID 1720 wrote to memory of 836	1720	tmp7126515.exe	127
PID 1720 wrote to memory of 836	1720	tmp7126515.exe	127
PID 1720 wrote to memory of 836	1720	tmp7126515.exe	127
PID 572 wrote to memory of 1600	572	tmp7093209.exe	141
PID 572 wrote to memory of 1600	572	tmp7093209.exe	141
PID 572 wrote to memory of 1600	572	tmp7093209.exe	141
PID 572 wrote to memory of 1600	572	tmp7093209.exe	141
PID 1940 wrote to memory of 1832	1940	tmp7130368.exe	181
PID 1940 wrote to memory of 1832	1940	tmp7130368.exe	181
PID 1940 wrote to memory of 1832	1940	tmp7130368.exe	181
PID 1940 wrote to memory of 1832	1940	tmp7130368.exe	181
PID 1940 wrote to memory of 1628	1940	tmp7130368.exe	57
PID 1940 wrote to memory of 1628	1940	tmp7130368.exe	57
PID 1940 wrote to memory of 1628	1940	tmp7130368.exe	57
PID 1940 wrote to memory of 1628	1940	tmp7130368.exe	57
PID 1600 wrote to memory of 1988	1600	tmp7128231.exe	94
PID 1600 wrote to memory of 1988	1600	tmp7128231.exe	94
PID 1600 wrote to memory of 1988	1600	tmp7128231.exe	94
PID 1600 wrote to memory of 1988	1600	tmp7128231.exe	94
PID 1832 wrote to memory of 1976	1832	tmp7126905.exe	176
PID 1832 wrote to memory of 1976	1832	tmp7126905.exe	176
PID 1832 wrote to memory of 1976	1832	tmp7126905.exe	176
PID 1832 wrote to memory of 1976	1832	tmp7126905.exe	176
PID 1600 wrote to memory of 1572	1600	tmp7128231.exe	39
PID 1600 wrote to memory of 1572	1600	tmp7128231.exe	39
PID 1600 wrote to memory of 1572	1600	tmp7128231.exe	39
PID 1600 wrote to memory of 1572	1600	tmp7128231.exe	39
PID 1976 wrote to memory of 2004	1976	tmp7129089.exe	92
PID 1976 wrote to memory of 2004	1976	tmp7129089.exe	92
PID 1976 wrote to memory of 2004	1976	tmp7129089.exe	92
PID 1976 wrote to memory of 2004	1976	tmp7129089.exe	92
PID 1988 wrote to memory of 1920	1988	tmp7116687.exe	71
PID 1988 wrote to memory of 1920	1988	tmp7116687.exe	71
PID 1988 wrote to memory of 1920	1988	tmp7116687.exe	71
PID 1988 wrote to memory of 1920	1988	tmp7116687.exe	71
PID 1976 wrote to memory of 484	1976	tmp7129089.exe	143
PID 1976 wrote to memory of 484	1976	tmp7129089.exe	143
PID 1976 wrote to memory of 484	1976	tmp7129089.exe	143
PID 1976 wrote to memory of 484	1976	tmp7129089.exe	143

C:\Users\Admin\AppData\Local\Temp\ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe
"C:\Users\Admin\AppData\Local\Temp\ec74a0affd57c249b854261b83c35802a85107d92cb105b99901322f837040cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1584
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\tmp7093693.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7093693.exe
      4⤵
      Executes dropped EXE
      PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\tmp7094020.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7094020.exe
      4⤵
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\tmp7127295.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7127295.exe
      4⤵
      PID:552
  - - C:\Users\Admin\AppData\Local\Temp\tmp7127763.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7127763.exe
      4⤵
      Executes dropped EXE
      PID:1828
- C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\tmp7094005.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7094005.exe
    3⤵
    PID:1600

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\tmp7128075.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7128075.exe
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\tmp7127685.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7127685.exe
    3⤵
    PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\Temp\tmp7105096.exe
C:\Users\Admin\AppData\Local\Temp\tmp7105096.exe
1⤵
PID:1304
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\tmp7107623.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7107623.exe
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\tmp7108107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108107.exe
        5⤵
        
        PID:1368
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108622.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109183.exe
        7⤵
        Executes dropped EXE
        
        PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\tmp7108403.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108403.exe
        5⤵
        
        PID:1596
- - C:\Users\Admin\AppData\Local\Temp\tmp7107779.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7107779.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp7104987.exe
C:\Users\Admin\AppData\Local\Temp\tmp7104987.exe
1⤵
PID:484

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe
1⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp7104566.exe
C:\Users\Admin\AppData\Local\Temp\tmp7104566.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp7104332.exe
C:\Users\Admin\AppData\Local\Temp\tmp7104332.exe
1⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp7109308.exe
C:\Users\Admin\AppData\Local\Temp\tmp7109308.exe
1⤵
PID:1276
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\tmp7109854.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7109854.exe
    3⤵
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\tmp7127607.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7127607.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:1636
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\tmp7128294.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128294.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128808.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128808.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129495.exe
        10⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129635.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129635.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129978.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129978.exe
        11⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123879.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130290.exe
        11⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129089.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129089.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\tmp7128543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128543.exe
        6⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129323.exe
        7⤵
        Modifies registry class
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128871.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128871.exe
        7⤵
        
        PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\tmp7127670.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7127670.exe
      4⤵
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\tmp7128606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128606.exe
        5⤵
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\tmp7129167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129167.exe
        5⤵
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\tmp7109792.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7109792.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7110041.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2012
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\tmp7111882.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7111882.exe
      4⤵
      Executes dropped EXE
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\tmp7111383.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7111383.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:240
- C:\Users\Admin\AppData\Local\Temp\tmp7111211.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7111211.exe
  2⤵
  PID:1828

C:\Users\Admin\AppData\Local\Temp\tmp7109464.exe
C:\Users\Admin\AppData\Local\Temp\tmp7109464.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1124
- C:\Users\Admin\AppData\Local\Temp\tmp7112335.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112335.exe
  2⤵
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\tmp7112069.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112069.exe
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\tmp7116874.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7116874.exe
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\tmp7121430.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121430.exe
        5⤵
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123770.exe
        5⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\tmp7125688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125688.exe
        6⤵
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126765.exe
        10⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127467.exe
        10⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128231.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128621.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128621.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\tmp7125876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125876.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\tmp7129261.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7129261.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:1620
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130790.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\tmp7129588.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7129588.exe
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
    3⤵
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\tmp7117374.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7117374.exe
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\tmp7125673.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125673.exe
        6⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126219.exe
        7⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127061.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127950.exe
        9⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128746.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128746.exe
        10⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128574.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128574.exe
        10⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131289.exe
        7⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130977.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130977.exe
        7⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        9⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144845.exe
        9⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145095.exe
        10⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145906.exe
        12⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146140.exe
        12⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146624.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148324.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148621.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148621.exe
        18⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148730.exe
        18⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147419.exe
        15⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147669.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148137.exe
        18⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149135.exe
        20⤵
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150134.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150134.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159385.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159385.exe
        24⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162598.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162598.exe
        26⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163472.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163472.exe
        26⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164548.exe
        27⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166093.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175609.exe
        31⤵
        
        PID:240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        33⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181490.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182426.exe
        34⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183097.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183097.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179368.exe
        31⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182239.exe
        32⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182769.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182769.exe
        32⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166654.exe
        29⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176654.exe
        30⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182582.exe
        32⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183144.exe
        32⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194266.exe
        33⤵
        
        PID:640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200928.exe
        35⤵
        
        PID:956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205374.exe
        37⤵
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        39⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213377.exe
        41⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221910.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221910.exe
        41⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230131.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230131.exe
        42⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232175.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232175.exe
        42⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212004.exe
        39⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214016.exe
        40⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Modifies registry class
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229616.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229616.exe
        42⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231301.exe
        42⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232253.exe
        43⤵
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240193.exe
        45⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236652.exe
        43⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227058.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227058.exe
        40⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209321.exe
        37⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211614.exe
        38⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        Modifies registry class
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215249.exe
        40⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        40⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231317.exe
        41⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232533.exe
        41⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213314.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213314.exe
        38⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202129.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202129.exe
        35⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202690.exe
        36⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209383.exe
        38⤵
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212051.exe
        40⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214063.exe
        40⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227713.exe
        41⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235170.exe
        43⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239304.exe
        43⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231753.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231753.exe
        41⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210881.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210881.exe
        38⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212831.exe
        39⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225981.exe
        41⤵
        
        PID:992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231863.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231863.exe
        43⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236605.exe
        43⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229476.exe
        41⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232674.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232674.exe
        42⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239397.exe
        42⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215108.exe
        39⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206169.exe
        36⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198276.exe
        33⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181396.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181396.exe
        30⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165235.exe
        27⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161459.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161459.exe
        24⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162068.exe
        25⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163955.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165484.exe
        29⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166873.exe
        29⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176435.exe
        30⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179774.exe
        30⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164689.exe
        27⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166264.exe
        28⤵
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176295.exe
        30⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178900.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178900.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182098.exe
        31⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187231.exe
        33⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197230.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197230.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198369.exe
        35⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201255.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201255.exe
        36⤵
        
        PID:536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        38⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207870.exe
        38⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210615.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210615.exe
        39⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212378.exe
        39⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203034.exe
        36⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193658.exe
        33⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197121.exe
        34⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198603.exe
        34⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        31⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        28⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162926.exe
        25⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        22⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158745.exe
        23⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161662.exe
        23⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149369.exe
        20⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149650.exe
        21⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150914.exe
        23⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        23⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
        24⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        24⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149806.exe
        21⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148667.exe
        18⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149057.exe
        19⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149463.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149463.exe
        19⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147856.exe
        16⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146905.exe
        13⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        10⤵
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tmp7123099.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7123099.exe
      4⤵
      PID:540

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1924
- C:\Users\Admin\AppData\Local\Temp\tmp7112709.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112709.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\tmp7112522.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7112522.exe
  2⤵
  PID:960
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113208.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113208.exe
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:280
      - C:\Users\Admin\AppData\Local\Temp\tmp7113754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113754.exe
        6⤵
        Executes dropped EXE
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\tmp7114066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114066.exe
        6⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114799.exe
        7⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114456.exe
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:800
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113505.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113505.exe
      4⤵
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\tmp7113739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113739.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114316.exe
        7⤵
        
        PID:708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115049.exe
        9⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115751.exe
        10⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131070.exe
        10⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114675.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114675.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129760.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114503.exe
        7⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115268.exe
        8⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114893.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
    - - C:\Users\Admin\AppData\Local\Temp\tmp7114004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114004.exe
        5⤵
        Executes dropped EXE
        
        PID:564

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\tmp7115486.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7115486.exe
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\tmp7131195.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131195.exe
    3⤵
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\tmp7116016.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116016.exe
  2⤵
  PID:1416

C:\Users\Admin\AppData\Local\Temp\tmp7115221.exe
C:\Users\Admin\AppData\Local\Temp\tmp7115221.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1320
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\tmp7116141.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7116141.exe
    3⤵
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7115876.exe
    3⤵
    PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp7115158.exe
C:\Users\Admin\AppData\Local\Temp\tmp7115158.exe
1⤵
- Executes dropped EXE
PID:588

C:\Users\Admin\AppData\Local\Temp\tmp7116360.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116360.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp7116516.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116516.exe
1⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\tmp7116687.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116687.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116952.exe
  2⤵
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\tmp7117249.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7117249.exe
  2⤵
  PID:1892

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp7116578.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116578.exe
1⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\tmp7116313.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116313.exe
1⤵
- Modifies registry class
PID:908

C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116250.exe
1⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\tmp7116001.exe
C:\Users\Admin\AppData\Local\Temp\tmp7116001.exe
1⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
1⤵
PID:1768

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:516

C:\Users\Admin\AppData\Local\Temp\tmp7125907.exe
C:\Users\Admin\AppData\Local\Temp\tmp7125907.exe
1⤵
PID:896
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126437.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1464
- C:\Users\Admin\AppData\Local\Temp\tmp7130400.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7130400.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:1116
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\tmp7131242.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7131242.exe
      4⤵
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145391.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145391.exe
        7⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        7⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145984.exe
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146639.exe
        10⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147014.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147014.exe
        10⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147373.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147373.exe
        11⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147544.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147544.exe
        11⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146468.exe
        8⤵
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\tmp7145188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145188.exe
        5⤵
        
        PID:1424
- - C:\Users\Admin\AppData\Local\Temp\tmp7126515.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126515.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1720

C:\Users\Admin\AppData\Local\Temp\tmp7126656.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126656.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:676
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:688

C:\Users\Admin\AppData\Local\Temp\tmp7126203.exe
C:\Users\Admin\AppData\Local\Temp\tmp7126203.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\tmp7127139.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7127139.exe
  2⤵
  PID:1580

C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\tmp7130712.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7130712.exe
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\tmp7126905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126905.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\tmp7131304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131304.exe
        5⤵
        
        PID:908
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144908.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144908.exe
        7⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        7⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145953.exe
        8⤵
        
        PID:472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        10⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146842.exe
        10⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147061.exe
        11⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147513.exe
        13⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
        13⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148527.exe
        14⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148699.exe
        14⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147232.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147232.exe
        11⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146124.exe
        8⤵
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        5⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144986.exe
        6⤵
        
        PID:864
      - C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        6⤵
        
        PID:1532
- - C:\Users\Admin\AppData\Local\Temp\tmp7131024.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131024.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\tmp7131382.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7131382.exe
      4⤵
      PID:592

C:\Users\Admin\AppData\Local\Temp\tmp7130556.exe
C:\Users\Admin\AppData\Local\Temp\tmp7130556.exe
1⤵
- Executes dropped EXE
PID:536
- C:\Users\Admin\AppData\Local\Temp\tmp7126874.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7126874.exe
  2⤵
  PID:1152

C:\Users\Admin\AppData\Local\Temp\tmp7147809.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147809.exe
1⤵
PID:1800
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe

Filesize
5.7MB

MD5
bf0b691b1cba416739d1ecbdbfe8513c

SHA1
ab4cd1e92079684f43fdda365b0d7d62a3728153

SHA256
b573209902b00d79d1a0159f24c49a2404048ef965718e2ad2e859603375baee

SHA512
de33d7ce473b1d915898e6777e3002e8e01600d35a4732ac42426303104b05c087d5824a66036830806554dad78d4598ba204b6670dc3b852d9b673019d1daa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093209.exe

Filesize
5.7MB

MD5
bf0b691b1cba416739d1ecbdbfe8513c

SHA1
ab4cd1e92079684f43fdda365b0d7d62a3728153

SHA256
b573209902b00d79d1a0159f24c49a2404048ef965718e2ad2e859603375baee

SHA512
de33d7ce473b1d915898e6777e3002e8e01600d35a4732ac42426303104b05c087d5824a66036830806554dad78d4598ba204b6670dc3b852d9b673019d1daa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7093693.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094005.exe

Filesize
2.9MB

MD5
9a0d7e92021347cca2f6abba564e0279

SHA1
86a1e2f6fe49186cdace356c06cef86a9e4a9c68

SHA256
3a3185dd08555ca64f2cfa188bb407170e13c2f91d25765c02c8546c7eb41eb6

SHA512
4447a17a4803906d9b3e3f1382d4260dd9dd2ec3c57c36732eb878c2b78cf6fef5cafa267d40e842638784a465a5a386169a5d35272d4bbad3e5856eb6c41d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094005.exe

Filesize
2.9MB

MD5
9a0d7e92021347cca2f6abba564e0279

SHA1
86a1e2f6fe49186cdace356c06cef86a9e4a9c68

SHA256
3a3185dd08555ca64f2cfa188bb407170e13c2f91d25765c02c8546c7eb41eb6

SHA512
4447a17a4803906d9b3e3f1382d4260dd9dd2ec3c57c36732eb878c2b78cf6fef5cafa267d40e842638784a465a5a386169a5d35272d4bbad3e5856eb6c41d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094020.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104238.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104332.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104332.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104566.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104581.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7105096.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.8MB

MD5
20a0d467195c677725b8d49526573a19

SHA1
37b31db7dbc1e0ea5741d8364ee0102e912ab53f

SHA256
e943c434cfce7aed043414aaef832ed33892f606e7cae675d04c1c637346294b

SHA512
c10e1e339f36c8dc1683f9cf3f48c10343aa18748acfa8fa3b5dda6f19f49545a2e36bd63892604d545a73fe26336c571662d2a83aceb7b53e537abf450fb58c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093131.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093209.exe

Filesize
5.7MB

MD5
bf0b691b1cba416739d1ecbdbfe8513c

SHA1
ab4cd1e92079684f43fdda365b0d7d62a3728153

SHA256
b573209902b00d79d1a0159f24c49a2404048ef965718e2ad2e859603375baee

SHA512
de33d7ce473b1d915898e6777e3002e8e01600d35a4732ac42426303104b05c087d5824a66036830806554dad78d4598ba204b6670dc3b852d9b673019d1daa0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093209.exe

Filesize
5.7MB

MD5
bf0b691b1cba416739d1ecbdbfe8513c

SHA1
ab4cd1e92079684f43fdda365b0d7d62a3728153

SHA256
b573209902b00d79d1a0159f24c49a2404048ef965718e2ad2e859603375baee

SHA512
de33d7ce473b1d915898e6777e3002e8e01600d35a4732ac42426303104b05c087d5824a66036830806554dad78d4598ba204b6670dc3b852d9b673019d1daa0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093677.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093677.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093693.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7093693.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094005.exe

Filesize
2.9MB

MD5
9a0d7e92021347cca2f6abba564e0279

SHA1
86a1e2f6fe49186cdace356c06cef86a9e4a9c68

SHA256
3a3185dd08555ca64f2cfa188bb407170e13c2f91d25765c02c8546c7eb41eb6

SHA512
4447a17a4803906d9b3e3f1382d4260dd9dd2ec3c57c36732eb878c2b78cf6fef5cafa267d40e842638784a465a5a386169a5d35272d4bbad3e5856eb6c41d65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094005.exe

Filesize
2.9MB

MD5
9a0d7e92021347cca2f6abba564e0279

SHA1
86a1e2f6fe49186cdace356c06cef86a9e4a9c68

SHA256
3a3185dd08555ca64f2cfa188bb407170e13c2f91d25765c02c8546c7eb41eb6

SHA512
4447a17a4803906d9b3e3f1382d4260dd9dd2ec3c57c36732eb878c2b78cf6fef5cafa267d40e842638784a465a5a386169a5d35272d4bbad3e5856eb6c41d65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094020.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7094457.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104238.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104332.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104332.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104566.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104566.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104581.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104581.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7105096.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7105096.exe

Filesize
2.8MB

MD5
20c308c6f95fa4a9374ef1b0b24cbfa4

SHA1
93124ee63a837a4aedfa38be0058a4b4dabbf640

SHA256
13d6eeabc511d89120b4ef0701e1b6d62b743b962ea7f38ecd71e7c918abca3e

SHA512
a156f9d3b5f27a4a13b4bce87b798c41da2e30fb9c88d69d8fc6c6f57e1daa24d86715dbfcb166f439ebbe24415de941d24a99b68a463077a84d12c782717859

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7105658.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.0MB

MD5
c5297340fbe43f912dca9e5635c83485

SHA1
9069aa9576e1b1645fba0714506b0c612cf6891a

SHA256
7e50bce7490fc02ab9599abd9da6822a25f51cecaf1c5ead7ea4ad20b11a9b42

SHA512
215b687764e1d21f0ccf0b09456b71662011b70f35786a1a71dcfefe0c3654a2feed9f5c4d599f16c8cd44237e54d74146b1d130714c6f47b545fbae97087e52

Download Submit
memory/112-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/280-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/320-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/320-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/344-275-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/344-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/516-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/536-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/536-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/572-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/572-104-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/572-105-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/572-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/800-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/800-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/844-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-283-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1048-284-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1076-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-188-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/1304-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-58-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1596-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-144-0x0000000000380000-0x000000000038D000-memory.dmp

Filesize
52KB

Download
memory/2000-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download