c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0

Analysis

max time kernel
157s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
Size

3.1MB
MD5

6c8e5574bebe6aafa65675e8c90305f5
SHA1

88ff95ba18e0ebb911efaf25397c5db7c27cf315
SHA256

c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0
SHA512

7ab42f500a922c75874a6cf3b45d676d7dcaaadb15d73e11c4f0e44b3ef413da95d21337dfc317fc169bcf911dd83209568979b8d89d78c53a7add82fdb4e87d
SSDEEP

98304:aS++cwcaS+/txS++cwcaS+/tES++cwcaS+/tGS++cwcaS+/tNS++cwcaS+/tZt:TKNPmj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1100	tmp7107935.exe
1500	tmp7109605.exe
1072	notpad.exe
1184	tmp7124300.exe
1796	notpad.exe
1736	tmp7125610.exe
820	tmp7126687.exe
1672	tmp7131070.exe
1636	notpad.exe
788	tmp7134159.exe
1992	notpad.exe
436	tmp7135033.exe
1480	tmp7136000.exe
672	notpad.exe
2036	tmp7136780.exe
1684	tmp7144767.exe
1648	notpad.exe
1292	tmp7137295.exe
912	tmp7141288.exe
1592	notpad.exe
1100	tmp7145220.exe
740	tmp7145610.exe
852	tmp7145376.exe
952	tmp7146171.exe
1644	tmp7147731.exe
1468	notpad.exe
1096	notpad.exe
1640	tmp7147107.exe
1732	tmp7147965.exe
620	tmp7147388.exe
1756	tmp7148184.exe
1672	notpad.exe
820	tmp7149494.exe
1700	tmp7147747.exe
1976	tmp7149042.exe
788	tmp7150898.exe
1436	notpad.exe
1728	notpad.exe
1364	tmp7150056.exe
1408	tmp7149947.exe
1852	notpad.exe
1000	tmp7149791.exe
972	tmp7156374.exe
1204	tmp7151210.exe
436	tmp7156935.exe
916	notpad.exe
1920	tmp7156545.exe
520	tmp7157887.exe
904	tmp7159073.exe
1520	notpad.exe
1704	tmp7158667.exe
1360	tmp7157996.exe
1312	tmp7158230.exe
1808	notpad.exe
852	tmp7158979.exe
1708	tmp7159962.exe
1648	tmp7158823.exe
648	tmp7160586.exe
1776	tmp7158573.exe
1652	tmp7159400.exe
1884	tmp7158995.exe
1068	tmp7159743.exe
740	tmp7160258.exe
1592	tmp7160305.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1292-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000012301-68.dat	upx
behavioral1/files/0x0009000000012301-69.dat	upx
behavioral1/files/0x0009000000012301-71.dat	upx
behavioral1/files/0x0009000000012301-72.dat	upx
behavioral1/memory/1072-73-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122f5-81.dat	upx
behavioral1/files/0x0009000000012301-84.dat	upx
behavioral1/files/0x0009000000012301-87.dat	upx
behavioral1/files/0x0009000000012301-85.dat	upx
behavioral1/memory/1796-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1072-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122f5-99.dat	upx
behavioral1/memory/1796-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000012301-107.dat	upx
behavioral1/memory/820-108-0x00000000005D0000-0x00000000005EF000-memory.dmp	upx
behavioral1/files/0x000a000000012301-109.dat	upx
behavioral1/files/0x000a000000012301-111.dat	upx
behavioral1/files/0x000a000000012301-112.dat	upx
behavioral1/files/0x00090000000122f5-118.dat	upx
behavioral1/memory/1636-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a000000012301-125.dat	upx
behavioral1/files/0x000a000000012301-123.dat	upx
behavioral1/files/0x000a000000012301-122.dat	upx
behavioral1/files/0x0007000000012752-127.dat	upx
behavioral1/files/0x0007000000012752-128.dat	upx
behavioral1/files/0x0007000000012752-130.dat	upx
behavioral1/memory/1636-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000012752-132.dat	upx
behavioral1/memory/1992-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/436-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122f5-140.dat	upx
behavioral1/files/0x000a000000012301-146.dat	upx
behavioral1/files/0x000a000000012301-144.dat	upx
behavioral1/files/0x000a000000012301-143.dat	upx
behavioral1/memory/672-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122f5-156.dat	upx
behavioral1/memory/436-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1592-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1648-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1292-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/672-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1292-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1096-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1468-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/740-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1648-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1672-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/740-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1592-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1700-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1728-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1096-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1468-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1672-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1852-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1520-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1000-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
1100	tmp7107935.exe
1100	tmp7107935.exe
1072	notpad.exe
1072	notpad.exe
1972	WerFault.exe
1972	WerFault.exe
1184	tmp7124300.exe
1184	tmp7124300.exe
1072	notpad.exe
1796	notpad.exe
1796	notpad.exe
1796	notpad.exe
820	tmp7126687.exe
820	tmp7126687.exe
1636	notpad.exe
1636	notpad.exe
788	tmp7134159.exe
788	tmp7134159.exe
1636	notpad.exe
1636	notpad.exe
1992	notpad.exe
1992	notpad.exe
1480	tmp7136000.exe
1480	tmp7136000.exe
436	tmp7135033.exe
436	tmp7135033.exe
436	tmp7135033.exe
2036	tmp7136780.exe
2036	tmp7136780.exe
1992	notpad.exe
1992	notpad.exe
672	notpad.exe
672	notpad.exe
912	tmp7141288.exe
912	tmp7141288.exe
1648	notpad.exe
1648	notpad.exe
672	notpad.exe
672	notpad.exe
1292	tmp7137295.exe
1292	tmp7137295.exe
1592	notpad.exe
1592	notpad.exe
1292	tmp7137295.exe
852	tmp7145376.exe
852	tmp7145376.exe
952	tmp7146171.exe
952	tmp7146171.exe
1648	notpad.exe
1648	notpad.exe
740	tmp7145610.exe
740	tmp7145610.exe
1468	notpad.exe
1468	notpad.exe
1096	notpad.exe
1096	notpad.exe
1732	tmp7147965.exe
1732	tmp7147965.exe
740	tmp7145610.exe
1592	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7150056.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7145376.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7149042.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7171615.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7173487.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7173487.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7192441.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7195577.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7126687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7158823.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7150056.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145220.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7178947.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7183034.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7194173.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145376.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7161522.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7170258.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7156374.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7146171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147965.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7196575.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7134159.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7183986.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7186076.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7192316.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7194173.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7157887.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145376.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7158823.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7158823.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7174033.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7187278.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7191037.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7191037.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124300.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7174033.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7149042.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145220.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7156374.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7160305.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7181630.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7181630.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7183939.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7141288.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7196575.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7196575.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147965.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7156374.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7162083.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7171615.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7181630.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7183986.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7183939.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136780.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7157996.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7195577.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146171.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7183034.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7187278.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7162083.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7136000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146171.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1972	1500	WerFault.exe	27

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7170258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7194173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183939.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7192441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107935.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136780.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178947.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7195577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7141288.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7192114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7171615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7196575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7174033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7192316.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1100	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	26
PID 1292 wrote to memory of 1100	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	26
PID 1292 wrote to memory of 1100	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	26
PID 1292 wrote to memory of 1100	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	26
PID 1292 wrote to memory of 1500	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	27
PID 1292 wrote to memory of 1500	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	27
PID 1292 wrote to memory of 1500	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	27
PID 1292 wrote to memory of 1500	1292	c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe	27
PID 1500 wrote to memory of 1972	1500	tmp7109605.exe	28
PID 1500 wrote to memory of 1972	1500	tmp7109605.exe	28
PID 1500 wrote to memory of 1972	1500	tmp7109605.exe	28
PID 1500 wrote to memory of 1972	1500	tmp7109605.exe	28
PID 1100 wrote to memory of 1072	1100	tmp7107935.exe	29
PID 1100 wrote to memory of 1072	1100	tmp7107935.exe	29
PID 1100 wrote to memory of 1072	1100	tmp7107935.exe	29
PID 1100 wrote to memory of 1072	1100	tmp7107935.exe	29
PID 1072 wrote to memory of 1184	1072	notpad.exe	30
PID 1072 wrote to memory of 1184	1072	notpad.exe	30
PID 1072 wrote to memory of 1184	1072	notpad.exe	30
PID 1072 wrote to memory of 1184	1072	notpad.exe	30
PID 1184 wrote to memory of 1796	1184	tmp7124300.exe	31
PID 1184 wrote to memory of 1796	1184	tmp7124300.exe	31
PID 1184 wrote to memory of 1796	1184	tmp7124300.exe	31
PID 1184 wrote to memory of 1796	1184	tmp7124300.exe	31
PID 1072 wrote to memory of 1736	1072	notpad.exe	32
PID 1072 wrote to memory of 1736	1072	notpad.exe	32
PID 1072 wrote to memory of 1736	1072	notpad.exe	32
PID 1072 wrote to memory of 1736	1072	notpad.exe	32
PID 1796 wrote to memory of 820	1796	notpad.exe	33
PID 1796 wrote to memory of 820	1796	notpad.exe	33
PID 1796 wrote to memory of 820	1796	notpad.exe	33
PID 1796 wrote to memory of 820	1796	notpad.exe	33
PID 1796 wrote to memory of 1672	1796	notpad.exe	34
PID 1796 wrote to memory of 1672	1796	notpad.exe	34
PID 1796 wrote to memory of 1672	1796	notpad.exe	34
PID 1796 wrote to memory of 1672	1796	notpad.exe	34
PID 820 wrote to memory of 1636	820	tmp7126687.exe	35
PID 820 wrote to memory of 1636	820	tmp7126687.exe	35
PID 820 wrote to memory of 1636	820	tmp7126687.exe	35
PID 820 wrote to memory of 1636	820	tmp7126687.exe	35
PID 1636 wrote to memory of 788	1636	notpad.exe	36
PID 1636 wrote to memory of 788	1636	notpad.exe	36
PID 1636 wrote to memory of 788	1636	notpad.exe	36
PID 1636 wrote to memory of 788	1636	notpad.exe	36
PID 788 wrote to memory of 1992	788	tmp7134159.exe	37
PID 788 wrote to memory of 1992	788	tmp7134159.exe	37
PID 788 wrote to memory of 1992	788	tmp7134159.exe	37
PID 788 wrote to memory of 1992	788	tmp7134159.exe	37
PID 1636 wrote to memory of 436	1636	notpad.exe	38
PID 1636 wrote to memory of 436	1636	notpad.exe	38
PID 1636 wrote to memory of 436	1636	notpad.exe	38
PID 1636 wrote to memory of 436	1636	notpad.exe	38
PID 1992 wrote to memory of 1480	1992	notpad.exe	39
PID 1992 wrote to memory of 1480	1992	notpad.exe	39
PID 1992 wrote to memory of 1480	1992	notpad.exe	39
PID 1992 wrote to memory of 1480	1992	notpad.exe	39
PID 1480 wrote to memory of 672	1480	tmp7136000.exe	40
PID 1480 wrote to memory of 672	1480	tmp7136000.exe	40
PID 1480 wrote to memory of 672	1480	tmp7136000.exe	40
PID 1480 wrote to memory of 672	1480	tmp7136000.exe	40
PID 436 wrote to memory of 2036	436	tmp7135033.exe	41
PID 436 wrote to memory of 2036	436	tmp7135033.exe	41
PID 436 wrote to memory of 2036	436	tmp7135033.exe	41
PID 436 wrote to memory of 2036	436	tmp7135033.exe	41

C:\Users\Admin\AppData\Local\Temp\c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c2f2ac76096b9ac734ce6810e3a10ac3aa245865374336459058fe53bb28aaf0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\tmp7107935.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7107935.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\tmp7124300.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7124300.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141288.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146171.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148184.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148184.exe
        16⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149947.exe
        16⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157887.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159400.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159400.exe
        19⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        19⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159073.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159073.exe
        17⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147747.exe
        14⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151210.exe
        15⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158667.exe
        15⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145610.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147388.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147388.exe
        13⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149494.exe
        13⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137295.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145376.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150056.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150056.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157996.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160305.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160305.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162255.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162255.exe
        21⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170585.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170585.exe
        21⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173253.exe
        22⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175281.exe
        22⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161631.exe
        19⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169306.exe
        20⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172489.exe
        20⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159743.exe
        17⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161522.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170258.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172676.exe
        22⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175219.exe
        22⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        20⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173893.exe
        21⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176279.exe
        21⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164299.exe
        18⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        15⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158823.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158823.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171615.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171615.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173144.exe
        22⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175047.exe
        22⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178588.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178588.exe
        23⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181412.exe
        23⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172691.exe
        20⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174033.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183034.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185515.exe
        27⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248648.exe
        28⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187090.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187090.exe
        27⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191115.exe
        28⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192784.exe
        28⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184501.exe
        25⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186076.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190522.exe
        28⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192036.exe
        28⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192441.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192441.exe
        29⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195187.exe
        31⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196357.exe
        31⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200600.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200600.exe
        32⤵
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202363.exe
        34⤵
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204032.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204032.exe
        36⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205389.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205389.exe
        38⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205998.exe
        38⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207324.exe
        39⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208119.exe
        39⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204781.exe
        36⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205483.exe
        37⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        37⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203065.exe
        34⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205030.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205030.exe
        35⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        37⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208665.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208665.exe
        39⤵
        
        PID:656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209648.exe
        41⤵
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211099.exe
        43⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212144.exe
        43⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213969.exe
        44⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214999.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214999.exe
        44⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210366.exe
        41⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210803.exe
        42⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212565.exe
        44⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215997.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215997.exe
        46⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217979.exe
        48⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220927.exe
        50⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223158.exe
        50⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227167.exe
        51⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229959.exe
        51⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219492.exe
        48⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221879.exe
        49⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224749.exe
        51⤵
        
        PID:620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234390.exe
        53⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238430.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238430.exe
        53⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229304.exe
        51⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        52⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229991.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229991.exe
        52⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237307.exe
        54⤵
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243610.exe
        56⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250099.exe
        58⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252829.exe
        59⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246683.exe
        56⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249616.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249616.exe
        57⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237541.exe
        54⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246667.exe
        55⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223111.exe
        49⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217199.exe
        46⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218821.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218821.exe
        47⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222159.exe
        49⤵
        
        PID:796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        51⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227869.exe
        51⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237213.exe
        52⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234483.exe
        52⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222924.exe
        49⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225498.exe
        50⤵
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        52⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234405.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234405.exe
        52⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238711.exe
        53⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247104.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247104.exe
        55⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241878.exe
        53⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227635.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227635.exe
        50⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221067.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221067.exe
        47⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214422.exe
        44⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216575.exe
        45⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217526.exe
        45⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211817.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211817.exe
        42⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209180.exe
        39⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209898.exe
        40⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210428.exe
        40⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207885.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207885.exe
        37⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208853.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208853.exe
        38⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209461.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209461.exe
        38⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205717.exe
        35⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201427.exe
        32⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        29⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189274.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189274.exe
        26⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182083.exe
        23⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186919.exe
        26⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190382.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190382.exe
        26⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191880.exe
        27⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191474.exe
        27⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        24⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175874.exe
        21⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        18⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173487.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175546.exe
        21⤵
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181630.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187278.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192114.exe
        29⤵
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193533.exe
        31⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194329.exe
        31⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195577.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196575.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200413.exe
        36⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        36⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        37⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203158.exe
        38⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203642.exe
        38⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203112.exe
        37⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199336.exe
        34⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199726.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199726.exe
        35⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200662.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200662.exe
        35⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196029.exe
        32⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192800.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192800.exe
        29⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193767.exe
        30⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194844.exe
        30⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191677.exe
        27⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192316.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194173.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195811.exe
        32⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196170.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196170.exe
        32⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198712.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198712.exe
        33⤵
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200787.exe
        35⤵
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201286.exe
        37⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        37⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203252.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203252.exe
        38⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204578.exe
        38⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        35⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201224.exe
        36⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201630.exe
        36⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200397.exe
        33⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195140.exe
        30⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196544.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196544.exe
        31⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200288.exe
        31⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193034.exe
        28⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186326.exe
        25⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191037.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192831.exe
        28⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194282.exe
        28⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195592.exe
        29⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196341.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196341.exe
        29⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253937.exe
        31⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255481.exe
        32⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255793.exe
        32⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192207.exe
        26⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183128.exe
        23⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186108.exe
        24⤵
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191568.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191568.exe
        26⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        26⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193689.exe
        27⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194516.exe
        27⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191334.exe
        24⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180273.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180273.exe
        21⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182130.exe
        22⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183487.exe
        22⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174969.exe
        19⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160586.exe
        16⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149791.exe
        13⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158230.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158230.exe
        14⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159962.exe
        14⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147731.exe
        11⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145220.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156545.exe
        13⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158979.exe
        13⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        14⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161537.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161537.exe
        14⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147107.exe
        11⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149042.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149042.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156374.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158995.exe
        16⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        16⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158573.exe
        14⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160929.exe
        15⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164330.exe
        15⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150898.exe
        12⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144767.exe
        9⤵
        Executes dropped EXE
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\tmp7131070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131070.exe
        6⤵
        Executes dropped EXE
        
        PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\tmp7125610.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7125610.exe
      4⤵
      Executes dropped EXE
      PID:1736
- C:\Users\Admin\AppData\Local\Temp\tmp7109605.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7109605.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1972

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7107935.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7107935.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7109605.exe

Filesize
136KB

MD5
9d15700f3d2fb78ddbb370019b565aab

SHA1
5ca71a929e58a05a5397842af605d467565ac017

SHA256
6fa635e01601ab0663906e0675daa0d876db79734468b3a32f6909bcaf1af68d

SHA512
98844499e9890b3729b590fa089f95c34aa4c23222d222cc1da1ec6ca3688daeb898196cbf7a35bb862126b75ee7241d6cacbc661e42f0c0545deefde1e796b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7124300.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7124300.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7125610.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7131070.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7135033.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7136000.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7136780.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144767.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
15932f08aada0e74ba17803e371df09d

SHA1
dc8effda7d67beb48c80a9f86d18f69afd307dbe

SHA256
1153cfbc78e87aef05149f6ebf66f88142d80e7df2c83f76fb986452a30b81fd

SHA512
d3ae9d1f9754e8e8564c0ffb609db1910a778775b7154dce068182d0f678e9700eece7a237d1aef49da79ef0a7db0594613716e280f5a03eb8180a792fb626d0

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7107935.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7107935.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109605.exe

Filesize
136KB

MD5
9d15700f3d2fb78ddbb370019b565aab

SHA1
5ca71a929e58a05a5397842af605d467565ac017

SHA256
6fa635e01601ab0663906e0675daa0d876db79734468b3a32f6909bcaf1af68d

SHA512
98844499e9890b3729b590fa089f95c34aa4c23222d222cc1da1ec6ca3688daeb898196cbf7a35bb862126b75ee7241d6cacbc661e42f0c0545deefde1e796b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109605.exe

Filesize
136KB

MD5
9d15700f3d2fb78ddbb370019b565aab

SHA1
5ca71a929e58a05a5397842af605d467565ac017

SHA256
6fa635e01601ab0663906e0675daa0d876db79734468b3a32f6909bcaf1af68d

SHA512
98844499e9890b3729b590fa089f95c34aa4c23222d222cc1da1ec6ca3688daeb898196cbf7a35bb862126b75ee7241d6cacbc661e42f0c0545deefde1e796b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109605.exe

Filesize
136KB

MD5
9d15700f3d2fb78ddbb370019b565aab

SHA1
5ca71a929e58a05a5397842af605d467565ac017

SHA256
6fa635e01601ab0663906e0675daa0d876db79734468b3a32f6909bcaf1af68d

SHA512
98844499e9890b3729b590fa089f95c34aa4c23222d222cc1da1ec6ca3688daeb898196cbf7a35bb862126b75ee7241d6cacbc661e42f0c0545deefde1e796b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7109605.exe

Filesize
136KB

MD5
9d15700f3d2fb78ddbb370019b565aab

SHA1
5ca71a929e58a05a5397842af605d467565ac017

SHA256
6fa635e01601ab0663906e0675daa0d876db79734468b3a32f6909bcaf1af68d

SHA512
98844499e9890b3729b590fa089f95c34aa4c23222d222cc1da1ec6ca3688daeb898196cbf7a35bb862126b75ee7241d6cacbc661e42f0c0545deefde1e796b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7124300.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7124300.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7125610.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7131070.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7134159.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7134159.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135033.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7135033.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7136000.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7136000.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7136780.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7136780.exe

Filesize
3.0MB

MD5
cf5c4e14c97cc85c258969e8062540b7

SHA1
834f6fefe1d5f21f4aab5a330c50814a91cf79e0

SHA256
74f5bc73194c70afbfecef288d4b162a7fb87bfc7649d776ca58c652493f2b88

SHA512
04151ac1a49322128a0f4f2e82818e2e2591012dc61e92de048f21f1e7bb27c5fa2d2639837aa3522d3ba114b54aaa3174448d6341571fd9096e30b82c433c49

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144767.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
fd03e56e08b827b925ca1d2dca240792

SHA1
bb19b23f67f1eef102ba1c0db8e6a6b7b580e34c

SHA256
46a9f00aa07550886f5b012bce119293f9a009dbf0a11f75398dfe8a6c3f8a4c

SHA512
b5a51f2f93625c6eaa10069bfe8cfce8586ad763d363624a37f648a3e94477fab98c3aa9ea1809a533c31f311f7004f60fe488dffcabe50af82f861298d54a04

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
bdc17915ad56ad0f3200ca570fae36d6

SHA1
f82a6b8f49808294df7c5b2b26fece90541f5bdb

SHA256
b69f505fe81559d37e4eef751c0166bef3b3c30b2da8e0d4e126a1bb28bae6d6

SHA512
2a0eea7f3274281f7805c94cc87d04cf88c00c4aa17309b010eabcbc3fb74eca05f3e1aaf14bab3dd55679e238354aefdea7041b2d41907050e52cb00711a034

Download Submit
memory/436-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/672-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/672-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-126-0x00000000003B0000-0x00000000003BD000-memory.dmp

Filesize
52KB

Download
memory/796-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-108-0x00000000005D0000-0x00000000005EF000-memory.dmp

Filesize
124KB

Download
memory/852-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1072-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1072-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-213-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1100-64-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1292-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-264-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1468-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-65-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1520-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-285-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1808-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-265-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1852-268-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1852-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download