bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114

Analysis

max time kernel
34s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
Size

8.6MB
MD5

0a27fb07642556d00615c39a2018356e
SHA1

85ebd78a389226161ee862fbde030b8183643543
SHA256

bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114
SHA512

62de9b0a0a54492d0775216f387a3b4a5082bf16a72f16fec6e5041500c3bcac63ad3ce9d80cfbabbb2e8c883588a9e9fe988fbcd7a8e8caca80e2a75799e706
SSDEEP

24576:3DyTFtjSDyTFtjyDyTFtjJDyTFtjTDyTFtjtDyTFtjSDyTFtjVDyTFtjSDyTFtjM:QtztDtqtotGtztetztDtqtotGtzt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
1528	tmp7100510.exe
812	tmp7100915.exe
660	tmp7116063.exe
1916	tmp7102148.exe
1732	notpad.exe
568	tmp7102725.exe
1552	tmp7103302.exe
1744	notpad.exe
1852	tmp7103614.exe
916	tmp7111757.exe
1244	notpad.exe
440	tmp7130992.exe
1764	tmp7134549.exe
1740	notpad.exe
896	tmp7114472.exe
2004	tmp7115143.exe
1568	notpad.exe
1736	tmp7155999.exe
660	tmp7116063.exe
1488	notpad.exe
1104	tmp7153020.exe
516	tmp7116703.exe
1732	notpad.exe
948	notpad.exe
1100	tmp7191599.exe
1148	tmp7189711.exe
1020	tmp7191552.exe
884	tmp7190710.exe
1064	tmp7191973.exe
1656	tmp7118684.exe
2028	notpad.exe
1688	notpad.exe
928	tmp7177964.exe
1628	tmp7189867.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000013482-59.dat	upx
behavioral1/files/0x0009000000013482-64.dat	upx
behavioral1/memory/1196-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000013482-62.dat	upx
behavioral1/files/0x0009000000013482-60.dat	upx
behavioral1/memory/812-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-77.dat	upx
behavioral1/memory/812-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-82.dat	upx
behavioral1/files/0x0007000000014143-81.dat	upx
behavioral1/files/0x0007000000014143-79.dat	upx
behavioral1/memory/1732-98-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-102.dat	upx
behavioral1/files/0x0007000000014143-100.dat	upx
behavioral1/files/0x0007000000014143-99.dat	upx
behavioral1/memory/1732-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014118-90.dat	upx
behavioral1/memory/1744-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0006000000014118-110.dat	upx
behavioral1/files/0x0007000000014143-113.dat	upx
behavioral1/memory/1744-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-119.dat	upx
behavioral1/memory/1244-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1244-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-140.dat	upx
behavioral1/files/0x0007000000014143-138.dat	upx
behavioral1/files/0x0007000000014143-137.dat	upx
behavioral1/files/0x0006000000014118-129.dat	upx
behavioral1/files/0x0007000000014143-115.dat	upx
behavioral1/files/0x0007000000014143-154.dat	upx
behavioral1/memory/1740-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000014143-155.dat	upx
behavioral1/files/0x0006000000014118-148.dat	upx
behavioral1/memory/1568-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1488-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1732-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1148-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/884-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/884-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1688-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1956-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1456-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1524-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/364-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/364-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/960-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1048-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1120-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1684-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1684-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/680-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1768-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/852-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1728-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/852-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1568-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1736-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1736-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/876-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/948-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1056-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 61 IoCs

pid	Process
1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
812	tmp7100915.exe
812	tmp7100915.exe
812	tmp7100915.exe
812	tmp7100915.exe
1528	tmp7100510.exe
1528	tmp7100510.exe
1284	WerFault.exe
1284	WerFault.exe
1732	notpad.exe
1732	notpad.exe
1732	notpad.exe
568	tmp7102725.exe
568	tmp7102725.exe
1744	notpad.exe
1744	notpad.exe
1852	notpad.exe
1744	notpad.exe
1852	notpad.exe
1284	WerFault.exe
1244	notpad.exe
1244	notpad.exe
1244	notpad.exe
440	tmp7130992.exe
440	tmp7130992.exe
1740	notpad.exe
1740	notpad.exe
1740	notpad.exe
896	tmp7114472.exe
896	tmp7114472.exe
1568	notpad.exe
1568	notpad.exe
1568	notpad.exe
1736	tmp7187855.exe
1736	tmp7187855.exe
1488	notpad.exe
1488	notpad.exe
1488	notpad.exe
1104	tmp7153020.exe
1104	tmp7153020.exe
1732	notpad.exe
1732	notpad.exe
1732	notpad.exe
948	notpad.exe
948	notpad.exe
1148	tmp7189711.exe
1148	tmp7189711.exe
1020	tmp7191552.exe
1020	tmp7191552.exe
1148	tmp7189711.exe
884	tmp7190710.exe
884	tmp7190710.exe
884	tmp7190710.exe
1656	tmp7222752.exe
1656	tmp7222752.exe
1688	notpad.exe
1688	notpad.exe
1688	notpad.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7191552.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7130992.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7114472.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7100510.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7177964.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7130992.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7155999.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7191552.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7191552.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7100510.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7100510.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103614.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118684.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7187855.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7100510.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7103614.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7130992.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7153020.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102725.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7114472.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7155999.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7103614.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7153020.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7118684.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7177964.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7177964.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102725.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7153020.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118684.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7102725.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7114472.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1284	1916	WerFault.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7177964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7153020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118684.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1528	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	27
PID 1196 wrote to memory of 1528	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	27
PID 1196 wrote to memory of 1528	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	27
PID 1196 wrote to memory of 1528	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	27
PID 1196 wrote to memory of 812	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	28
PID 1196 wrote to memory of 812	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	28
PID 1196 wrote to memory of 812	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	28
PID 1196 wrote to memory of 812	1196	bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe	28
PID 812 wrote to memory of 660	812	tmp7100915.exe	44
PID 812 wrote to memory of 660	812	tmp7100915.exe	44
PID 812 wrote to memory of 660	812	tmp7100915.exe	44
PID 812 wrote to memory of 660	812	tmp7100915.exe	44
PID 812 wrote to memory of 1916	812	tmp7100915.exe	31
PID 812 wrote to memory of 1916	812	tmp7100915.exe	31
PID 812 wrote to memory of 1916	812	tmp7100915.exe	31
PID 812 wrote to memory of 1916	812	tmp7100915.exe	31
PID 1916 wrote to memory of 1284	1916	tmp7102148.exe	29
PID 1916 wrote to memory of 1284	1916	tmp7102148.exe	29
PID 1916 wrote to memory of 1284	1916	tmp7102148.exe	29
PID 1916 wrote to memory of 1284	1916	tmp7102148.exe	29
PID 1528 wrote to memory of 1732	1528	tmp7100510.exe	49
PID 1528 wrote to memory of 1732	1528	tmp7100510.exe	49
PID 1528 wrote to memory of 1732	1528	tmp7100510.exe	49
PID 1528 wrote to memory of 1732	1528	tmp7100510.exe	49
PID 1732 wrote to memory of 568	1732	notpad.exe	35
PID 1732 wrote to memory of 568	1732	notpad.exe	35
PID 1732 wrote to memory of 568	1732	notpad.exe	35
PID 1732 wrote to memory of 568	1732	notpad.exe	35
PID 1732 wrote to memory of 1552	1732	notpad.exe	34
PID 1732 wrote to memory of 1552	1732	notpad.exe	34
PID 1732 wrote to memory of 1552	1732	notpad.exe	34
PID 1732 wrote to memory of 1552	1732	notpad.exe	34
PID 568 wrote to memory of 1744	568	tmp7102725.exe	33
PID 568 wrote to memory of 1744	568	tmp7102725.exe	33
PID 568 wrote to memory of 1744	568	tmp7102725.exe	33
PID 568 wrote to memory of 1744	568	tmp7102725.exe	33
PID 1744 wrote to memory of 1852	1744	notpad.exe	36
PID 1744 wrote to memory of 1852	1744	notpad.exe	36
PID 1744 wrote to memory of 1852	1744	notpad.exe	36
PID 1744 wrote to memory of 1852	1744	notpad.exe	36
PID 1852 wrote to memory of 1244	1852	notpad.exe	38
PID 1852 wrote to memory of 1244	1852	notpad.exe	38
PID 1852 wrote to memory of 1244	1852	notpad.exe	38
PID 1852 wrote to memory of 1244	1852	notpad.exe	38
PID 1744 wrote to memory of 916	1744	notpad.exe	37
PID 1744 wrote to memory of 916	1744	notpad.exe	37
PID 1744 wrote to memory of 916	1744	notpad.exe	37
PID 1744 wrote to memory of 916	1744	notpad.exe	37
PID 1244 wrote to memory of 440	1244	notpad.exe	62
PID 1244 wrote to memory of 440	1244	notpad.exe	62
PID 1244 wrote to memory of 440	1244	notpad.exe	62
PID 1244 wrote to memory of 440	1244	notpad.exe	62
PID 1244 wrote to memory of 1764	1244	notpad.exe	90
PID 1244 wrote to memory of 1764	1244	notpad.exe	90
PID 1244 wrote to memory of 1764	1244	notpad.exe	90
PID 1244 wrote to memory of 1764	1244	notpad.exe	90
PID 440 wrote to memory of 1740	440	tmp7130992.exe	40
PID 440 wrote to memory of 1740	440	tmp7130992.exe	40
PID 440 wrote to memory of 1740	440	tmp7130992.exe	40
PID 440 wrote to memory of 1740	440	tmp7130992.exe	40
PID 1740 wrote to memory of 896	1740	notpad.exe	47
PID 1740 wrote to memory of 896	1740	notpad.exe	47
PID 1740 wrote to memory of 896	1740	notpad.exe	47
PID 1740 wrote to memory of 896	1740	notpad.exe	47

C:\Users\Admin\AppData\Local\Temp\bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe
"C:\Users\Admin\AppData\Local\Temp\bc641a184f7a7397bd0b519be265e8842301b641612d425b6c17052d6c2ce114.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\tmp7100510.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100510.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\tmp7103302.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7103302.exe
      4⤵
      Executes dropped EXE
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:568
- C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\tmp7102148.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7102148.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\tmp7101368.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7101368.exe
    3⤵
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\tmp7187761.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7187761.exe
    3⤵
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\tmp7187933.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7187933.exe
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\tmp7188463.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7188463.exe
      4⤵
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\tmp7188666.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7188666.exe
      4⤵
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\tmp7188947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188947.exe
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        7⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190351.exe
        9⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190585.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190585.exe
        9⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191193.exe
        10⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191552.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192020.exe
        11⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192566.exe
        11⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227729.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227729.exe
        10⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228103.exe
        10⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        11⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228727.exe
        11⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229070.exe
        12⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229788.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229788.exe
        14⤵
        
        PID:916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230349.exe
        16⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230880.exe
        16⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241738.exe
        17⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247213.exe
        19⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244702.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244702.exe
        17⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247166.exe
        18⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247744.exe
        18⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229835.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229835.exe
        14⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230303.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230303.exe
        15⤵
        
        PID:672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230521.exe
        15⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231254.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231254.exe
        16⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243079.exe
        16⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229429.exe
        12⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190023.exe
        7⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190710.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191068.exe
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191786.exe
        12⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192207.exe
        12⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191490.exe
        10⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191973.exe
        11⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192379.exe
        11⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192706.exe
        12⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224125.exe
        12⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190866.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190866.exe
        8⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191318.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191318.exe
        9⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191739.exe
        9⤵
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\tmp7189228.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189228.exe
        5⤵
        
        PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 36
1⤵
- Loads dropped DLL
- Program crash
PID:1284

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1852
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\tmp7114097.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7114097.exe
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe
      4⤵
      PID:440
- C:\Users\Admin\AppData\Local\Temp\tmp7111757.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7111757.exe
  2⤵
  - Executes dropped EXE
  PID:916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\tmp7115143.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7115143.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:812
- C:\Users\Admin\AppData\Local\Temp\tmp7114472.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7114472.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:896

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1568
- C:\Users\Admin\AppData\Local\Temp\tmp7116063.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116063.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Users\Admin\AppData\Local\Temp\tmp7115611.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7115611.exe
  2⤵
  PID:1736

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488
- C:\Users\Admin\AppData\Local\Temp\tmp7116375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116375.exe
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\tmp7116906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7116906.exe
      4⤵
      PID:948
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117810.exe
        6⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130197.exe
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134549.exe
        10⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135111.exe
        12⤵
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155500.exe
        14⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155469.exe
        14⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135298.exe
        12⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134970.exe
        10⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118684.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\tmp7118559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118559.exe
        6⤵
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\tmp7117483.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7117483.exe
      4⤵
      PID:1100
- C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116703.exe
  2⤵
  - Executes dropped EXE
  PID:516

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688
- C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7130368.exe
  2⤵
  PID:928
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\tmp7130821.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7130821.exe
      4⤵
      PID:880
- C:\Users\Admin\AppData\Local\Temp\tmp7130634.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7130634.exe
  2⤵
  PID:1628

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\tmp7131367.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7131367.exe
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp7131211.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7131211.exe
  2⤵
  PID:748

C:\Users\Admin\AppData\Local\Temp\tmp7131570.exe
C:\Users\Admin\AppData\Local\Temp\tmp7131570.exe
1⤵
PID:1352

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:364
- C:\Users\Admin\AppData\Local\Temp\tmp7131913.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7131913.exe
  2⤵
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
  2⤵
  PID:1748

C:\Users\Admin\AppData\Local\Temp\tmp7132053.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132053.exe
1⤵
PID:596
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\tmp7132318.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7132318.exe
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\tmp7132880.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7132880.exe
    3⤵
    PID:1384
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2000

C:\Users\Admin\AppData\Local\Temp\tmp7132162.exe
C:\Users\Admin\AppData\Local\Temp\tmp7132162.exe
1⤵
PID:1732

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7131476.exe
C:\Users\Admin\AppData\Local\Temp\tmp7131476.exe
1⤵
PID:1400

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
C:\Users\Admin\AppData\Local\Temp\tmp7133161.exe
1⤵
PID:2012

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1684
- C:\Users\Admin\AppData\Local\Temp\tmp7133847.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133847.exe
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\tmp7133332.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7133332.exe
  2⤵
  PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
C:\Users\Admin\AppData\Local\Temp\tmp7133052.exe
1⤵
PID:1536

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7134378.exe
  2⤵
  PID:972
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1832
- C:\Users\Admin\AppData\Local\Temp\tmp7134003.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7134003.exe
  2⤵
  PID:2028

C:\Users\Admin\AppData\Local\Temp\tmp7135563.exe
C:\Users\Admin\AppData\Local\Temp\tmp7135563.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\tmp7135454.exe
C:\Users\Admin\AppData\Local\Temp\tmp7135454.exe
1⤵
PID:672
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\tmp7152068.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7152068.exe
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\tmp7152411.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152411.exe
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153067.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153067.exe
        7⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153784.exe
        9⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153971.exe
        9⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154346.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154346.exe
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154829.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154829.exe
        12⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154923.exe
        12⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155173.exe
        13⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155266.exe
        13⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154642.exe
        10⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227666.exe
        9⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228384.exe
        11⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228945.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228945.exe
        13⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229226.exe
        13⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230474.exe
        14⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241535.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241535.exe
        14⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245045.exe
        15⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247775.exe
        15⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228587.exe
        11⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228852.exe
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229398.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229398.exe
        14⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230193.exe
        14⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231691.exe
        15⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244717.exe
        15⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246698.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246698.exe
        16⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247790.exe
        16⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229133.exe
        12⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229679.exe
        13⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229897.exe
        13⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227931.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227931.exe
        9⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156561.exe
        7⤵
        
        PID:876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156842.exe
        9⤵
        
        PID:372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe
        11⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        13⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184906.exe
        13⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187340.exe
        14⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187558.exe
        14⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157528.exe
        11⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187075.exe
        12⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        12⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187574.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187574.exe
        13⤵
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188167.exe
        15⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188479.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188479.exe
        15⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188994.exe
        16⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189649.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189649.exe
        16⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        17⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190273.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190273.exe
        17⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187855.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187855.exe
        13⤵
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156982.exe
        9⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157669.exe
        10⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157778.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157778.exe
        10⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178027.exe
        11⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        11⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153909.exe
        8⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188354.exe
        9⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188650.exe
        9⤵
        
        PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\tmp7152801.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152801.exe
        5⤵
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\tmp7153519.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153519.exe
        6⤵
        
        PID:568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154143.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154143.exe
        8⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154439.exe
        8⤵
        
        PID:816
- - C:\Users\Admin\AppData\Local\Temp\tmp7152240.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7152240.exe
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\tmp7153020.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7153020.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tmp7152458.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7152458.exe
      4⤵
      PID:1712

C:\Users\Admin\AppData\Local\Temp\tmp7154299.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154299.exe
1⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\tmp7154720.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154720.exe
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\tmp7154892.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7154892.exe
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\tmp7155063.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7155063.exe
  2⤵
  PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp7154907.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154907.exe
1⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\tmp7155141.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155141.exe
1⤵
PID:1816
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1596

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\tmp7155703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7155703.exe
  2⤵
  PID:580
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tmp7156639.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7156639.exe
      4⤵
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156998.exe
        5⤵
        
        PID:1720
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186919.exe
        7⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187153.exe
        7⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187605.exe
        8⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187870.exe
        8⤵
        
        PID:616
    - - C:\Users\Admin\AppData\Local\Temp\tmp7177964.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177964.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\tmp7183331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183331.exe
        6⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187527.exe
        8⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188120.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188120.exe
        9⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189040.exe
        11⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189711.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190257.exe
        12⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190756.exe
        14⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191380.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191380.exe
        16⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        16⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192363.exe
        17⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192550.exe
        17⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222815.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222815.exe
        18⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226340.exe
        20⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226496.exe
        20⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226668.exe
        21⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226949.exe
        21⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227105.exe
        22⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227557.exe
        22⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        18⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191100.exe
        14⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191677.exe
        15⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222503.exe
        17⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224031.exe
        17⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231192.exe
        18⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243298.exe
        19⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244764.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244764.exe
        19⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192270.exe
        15⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222752.exe
        16⤵
        Loads dropped DLL
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192394.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192394.exe
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226153.exe
        18⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224749.exe
        18⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190507.exe
        12⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190772.exe
        13⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190928.exe
        13⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188323.exe
        9⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188838.exe
        10⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188510.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188510.exe
        10⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187402.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187402.exe
        8⤵
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\tmp7187122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187122.exe
        6⤵
        
        PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\tmp7153613.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7153613.exe
      4⤵
      PID:1056
- C:\Users\Admin\AppData\Local\Temp\tmp7156171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7156171.exe
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp7155516.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155516.exe
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\tmp7155563.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155563.exe
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\tmp7156280.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7156280.exe
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\tmp7155999.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7155999.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp7156265.exe
C:\Users\Admin\AppData\Local\Temp\tmp7156265.exe
1⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\tmp7156452.exe
C:\Users\Admin\AppData\Local\Temp\tmp7156452.exe
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\tmp7155235.exe
C:\Users\Admin\AppData\Local\Temp\tmp7155235.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp7154673.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154673.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154533.exe
1⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp7154096.exe
C:\Users\Admin\AppData\Local\Temp\tmp7154096.exe
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp7187808.exe
C:\Users\Admin\AppData\Local\Temp\tmp7187808.exe
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp7188104.exe
C:\Users\Admin\AppData\Local\Temp\tmp7188104.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\tmp7226122.exe
C:\Users\Admin\AppData\Local\Temp\tmp7226122.exe
1⤵
PID:1148
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\tmp7226808.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7226808.exe
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\tmp7226917.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7226917.exe
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\tmp7227339.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7227339.exe
      4⤵
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\tmp7227042.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7227042.exe
      4⤵
      PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp7226403.exe
C:\Users\Admin\AppData\Local\Temp\tmp7226403.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\tmp7226777.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7226777.exe
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\tmp7227089.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7227089.exe
  2⤵
  PID:988

C:\Users\Admin\AppData\Local\Temp\tmp7227323.exe
C:\Users\Admin\AppData\Local\Temp\tmp7227323.exe
1⤵
PID:368
- C:\Users\Admin\AppData\Local\Temp\tmp7227744.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7227744.exe
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\tmp7227947.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7227947.exe
  2⤵
  PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp7231083.exe
C:\Users\Admin\AppData\Local\Temp\tmp7231083.exe
1⤵
PID:1304
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:340

C:\Users\Admin\AppData\Local\Temp\tmp7226715.exe
C:\Users\Admin\AppData\Local\Temp\tmp7226715.exe
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7100510.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7100510.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe

Filesize
4.4MB

MD5
66788a084279f7986744fad3f5a2464b

SHA1
edef3954477030041ce614020787fa0b5a7aaa70

SHA256
3b46466bcd359626862dfdd2063a445a6a325717e08b9f0db4d383f039ccd4fd

SHA512
b508079981894a2a7e2e4643ddfe7d6129f13db34dec9072af5b48d5740fbd60e585aa42a48967c48d3a2a53e0ca04e9c8849eddd956006b8e9298eae06f8a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe

Filesize
4.4MB

MD5
66788a084279f7986744fad3f5a2464b

SHA1
edef3954477030041ce614020787fa0b5a7aaa70

SHA256
3b46466bcd359626862dfdd2063a445a6a325717e08b9f0db4d383f039ccd4fd

SHA512
b508079981894a2a7e2e4643ddfe7d6129f13db34dec9072af5b48d5740fbd60e585aa42a48967c48d3a2a53e0ca04e9c8849eddd956006b8e9298eae06f8a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7101368.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7102725.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7103302.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7111757.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113583.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114097.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114472.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114472.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115143.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
4.2MB

MD5
6e684f0fefb75286d48521759429850a

SHA1
38fa2103176790481c81c32f5afa348343a934a6

SHA256
f01d832e0bbb0b44a643420056fef10b95544ceee7904eaa4b89d83ba5453788

SHA512
e3fdd3c8a43f85df17ff1e898d43439563fe3d7177a05f71ee41c8e9499b4491f175200dd88ada763f9d3ce289334617c7e86126e1c26740784138a655195490

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7100510.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7100510.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7100915.exe

Filesize
4.4MB

MD5
66788a084279f7986744fad3f5a2464b

SHA1
edef3954477030041ce614020787fa0b5a7aaa70

SHA256
3b46466bcd359626862dfdd2063a445a6a325717e08b9f0db4d383f039ccd4fd

SHA512
b508079981894a2a7e2e4643ddfe7d6129f13db34dec9072af5b48d5740fbd60e585aa42a48967c48d3a2a53e0ca04e9c8849eddd956006b8e9298eae06f8a69

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7100915.exe

Filesize
4.4MB

MD5
66788a084279f7986744fad3f5a2464b

SHA1
edef3954477030041ce614020787fa0b5a7aaa70

SHA256
3b46466bcd359626862dfdd2063a445a6a325717e08b9f0db4d383f039ccd4fd

SHA512
b508079981894a2a7e2e4643ddfe7d6129f13db34dec9072af5b48d5740fbd60e585aa42a48967c48d3a2a53e0ca04e9c8849eddd956006b8e9298eae06f8a69

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7101368.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7101368.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102148.exe

Filesize
136KB

MD5
1fa27c9d428a2bad5e717cdde877610a

SHA1
24cce607e5fa103c10565e9420f956772c21774e

SHA256
adb79a36e1e86097d0bd0aecd40498361c3dad7f110aa5f7160912af94942e0b

SHA512
424c0fd2210152dfc07a8c8551e9023bb00f928152cb3f072bb5873570cdaa650cdfe503a389e9073e833d709910b03b912c5a476a9ea6eb359262aae5c5adf1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102725.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102725.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7103302.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7103614.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7103614.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7111757.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113583.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113583.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114097.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114472.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114472.exe

Filesize
4.2MB

MD5
b8c7ee9563fbf2d146f25b7c50e04c52

SHA1
bad6a7503cbf50479fa6a67be1625ba6270e42fe

SHA256
665da9a804af5eb20b8955c2ff85d6e6d2603d735c22ed0f3d23e24d9d770ba5

SHA512
8f187b054803b7a083e1d90db9c6ef685287d9305ec29bd5ed7feab4270f2feec5e2dcda494df9fad1009e77dce2b9d4dc2bd9e035dcc0fd2e68b6e6ba0e396b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115143.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
4.4MB

MD5
68d26e70c600b5b9d8d40586fe5ae982

SHA1
be8565863185a82969a549b1f881a5dcd6d1d14e

SHA256
4d876921621bbc8a4ff6282499af77132d461d0c2909fdbd2bb460280f8b87e1

SHA512
26e93e47443373c8574887ae25ae2f7eb26c26f3a455fdb887c07788e61b5ff6e7e89faf90066230e5587ea19bdfc7bec209ad04fef7c3a60535ceb443620722

Download Submit
memory/364-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/364-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/680-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/816-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/816-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/876-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/948-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-170-0x0000000001CC0000-0x0000000001CCD000-memory.dmp

Filesize
52KB

Download
memory/1120-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1244-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1244-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1332-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-58-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1568-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1864-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-97-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1956-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download