1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
Size

39KB
MD5

4c82d3b055799e3f2703b4affae570b0
SHA1

f9083de28f32148c9aec66bac6785b320ba46235
SHA256

1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957
SHA512

831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e
SSDEEP

768:s2+6q0K1sz23j79rbKDN5ES1h1txi4B9kT9lcXZ2Q1W8:sd6qh1sKhCES1htB9kT9lcP1W8

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1852	notpad.exe
240	tmp7090136.exe
1240	tmp7090198.exe
1688	notpad.exe
552	tmp7090385.exe
1392	notpad.exe
924	tmp7090604.exe
1600	tmp7090448.exe
808	tmp7090619.exe
1836	notpad.exe
1184	tmp7090994.exe
1872	tmp7091041.exe
1556	notpad.exe
1612	tmp7091321.exe
868	tmp7091431.exe
1060	notpad.exe
960	tmp7091899.exe
864	tmp7091961.exe
1508	notpad.exe
1672	tmp7092101.exe
1472	tmp7092211.exe
1960	notpad.exe
1940	tmp7092382.exe
1720	tmp7092429.exe
2028	notpad.exe
1724	tmp7092616.exe
1728	notpad.exe
2036	tmp7092679.exe
580	tmp7092850.exe
1404	tmp7092897.exe
1296	notpad.exe
1660	tmp7093037.exe
816	notpad.exe
1428	tmp7093365.exe
432	tmp7093474.exe
808	tmp7093552.exe
1548	notpad.exe
284	tmp7093677.exe
1916	tmp7093724.exe
688	notpad.exe
1544	tmp7093864.exe
1828	tmp7093895.exe
1872	notpad.exe
792	tmp7094051.exe
1436	notpad.exe
308	tmp7094098.exe
1556	tmp7094161.exe
1784	tmp7094239.exe
1464	notpad.exe
952	tmp7094426.exe
824	tmp7094551.exe
1532	notpad.exe
1524	tmp7094707.exe
1988	tmp7094738.exe
1388	notpad.exe
936	tmp7094909.exe
1960	notpad.exe
1236	tmp7094941.exe
1040	tmp7095034.exe
2040	notpad.exe
2028	tmp7095112.exe
572	tmp7095268.exe
1920	tmp7095487.exe
904	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122dd-55.dat	upx
behavioral1/memory/944-56-0x0000000002770000-0x000000000278F000-memory.dmp	upx
behavioral1/files/0x000a0000000122dd-57.dat	upx
behavioral1/files/0x000a0000000122dd-59.dat	upx
behavioral1/files/0x000a0000000122dd-60.dat	upx
behavioral1/files/0x0007000000005c50-66.dat	upx
behavioral1/files/0x000a0000000122dd-73.dat	upx
behavioral1/files/0x000a0000000122dd-72.dat	upx
behavioral1/memory/1852-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122dd-76.dat	upx
behavioral1/files/0x0007000000005c50-84.dat	upx
behavioral1/files/0x000a0000000122dd-87.dat	upx
behavioral1/files/0x000a0000000122dd-90.dat	upx
behavioral1/files/0x000a0000000122dd-88.dat	upx
behavioral1/memory/1688-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-100.dat	upx
behavioral1/files/0x000a0000000122dd-112.dat	upx
behavioral1/files/0x000a0000000122dd-110.dat	upx
behavioral1/files/0x000a0000000122dd-109.dat	upx
behavioral1/memory/1392-107-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-119.dat	upx
behavioral1/memory/1836-124-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122dd-126.dat	upx
behavioral1/files/0x000a0000000122dd-127.dat	upx
behavioral1/files/0x000a0000000122dd-129.dat	upx
behavioral1/files/0x0007000000005c50-135.dat	upx
behavioral1/memory/1556-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122dd-144.dat	upx
behavioral1/files/0x000a0000000122dd-145.dat	upx
behavioral1/files/0x000a0000000122dd-147.dat	upx
behavioral1/files/0x0007000000005c50-153.dat	upx
behavioral1/memory/1060-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1508-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2028-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1728-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1296-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1296-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/816-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/688-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1872-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1464-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1532-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1388-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2040-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/904-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1220-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/896-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1588-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/868-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/864-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/824-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/824-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1472-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1668-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
1852	notpad.exe
1852	notpad.exe
1852	notpad.exe
240	tmp7090136.exe
240	tmp7090136.exe
1688	notpad.exe
1688	notpad.exe
552	tmp7090385.exe
552	tmp7090385.exe
1392	notpad.exe
1392	notpad.exe
1688	notpad.exe
1392	notpad.exe
924	tmp7090604.exe
924	tmp7090604.exe
1836	notpad.exe
1836	notpad.exe
1836	notpad.exe
1184	tmp7090994.exe
1184	tmp7090994.exe
1556	notpad.exe
1556	notpad.exe
1556	notpad.exe
1612	tmp7091321.exe
1612	tmp7091321.exe
1060	notpad.exe
1060	notpad.exe
1060	notpad.exe
960	tmp7091899.exe
960	tmp7091899.exe
1508	notpad.exe
1508	notpad.exe
1508	notpad.exe
1672	tmp7092101.exe
1672	tmp7092101.exe
1960	notpad.exe
1960	notpad.exe
1960	notpad.exe
1940	tmp7092382.exe
1940	tmp7092382.exe
2028	notpad.exe
2028	notpad.exe
2028	notpad.exe
1724	tmp7092616.exe
1724	tmp7092616.exe
1728	notpad.exe
1728	notpad.exe
1728	notpad.exe
580	tmp7092850.exe
580	tmp7092850.exe
1296	notpad.exe
1296	notpad.exe
1660	tmp7093037.exe
1296	notpad.exe
1660	tmp7093037.exe
816	notpad.exe
816	notpad.exe
816	notpad.exe
432	tmp7093474.exe
432	tmp7093474.exe
1548	notpad.exe
1548	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7095034.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7097078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7101415.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7102226.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7114285.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093037.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7094051.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7101415.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102226.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7137498.exe
File created	C:\Windows\SysWOW64\notpad.exe	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7092616.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7093037.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102226.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7106313.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7107389.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7163191.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7168776.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7091321.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7191770.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7101883.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7171911.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7188494.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7093037.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7097078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7099262.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7092101.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7094051.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7103505.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7137498.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7092382.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7098575.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7098575.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7104550.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7106921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7132911.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7145173.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7152692.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7090136.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7094707.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7099917.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7112007.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7091321.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7093864.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7093474.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7095034.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7102928.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145173.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7157762.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7171911.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7090136.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7090604.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7114503.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7155828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7094161.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103505.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7094161.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7169961.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7104550.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7096719.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7099511.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098763.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7155828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092101.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094909.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096719.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7112007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7152692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7171911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7093677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099137.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7091321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7092616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7091899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7112366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7095939.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7090385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7094426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7097624.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099511.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1852	944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe	27
PID 944 wrote to memory of 1852	944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe	27
PID 944 wrote to memory of 1852	944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe	27
PID 944 wrote to memory of 1852	944	1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe	27
PID 1852 wrote to memory of 240	1852	notpad.exe	28
PID 1852 wrote to memory of 240	1852	notpad.exe	28
PID 1852 wrote to memory of 240	1852	notpad.exe	28
PID 1852 wrote to memory of 240	1852	notpad.exe	28
PID 1852 wrote to memory of 1240	1852	notpad.exe	29
PID 1852 wrote to memory of 1240	1852	notpad.exe	29
PID 1852 wrote to memory of 1240	1852	notpad.exe	29
PID 1852 wrote to memory of 1240	1852	notpad.exe	29
PID 240 wrote to memory of 1688	240	tmp7090136.exe	30
PID 240 wrote to memory of 1688	240	tmp7090136.exe	30
PID 240 wrote to memory of 1688	240	tmp7090136.exe	30
PID 240 wrote to memory of 1688	240	tmp7090136.exe	30
PID 1688 wrote to memory of 552	1688	notpad.exe	31
PID 1688 wrote to memory of 552	1688	notpad.exe	31
PID 1688 wrote to memory of 552	1688	notpad.exe	31
PID 1688 wrote to memory of 552	1688	notpad.exe	31
PID 552 wrote to memory of 1392	552	tmp7090385.exe	32
PID 552 wrote to memory of 1392	552	tmp7090385.exe	32
PID 552 wrote to memory of 1392	552	tmp7090385.exe	32
PID 552 wrote to memory of 1392	552	tmp7090385.exe	32
PID 1392 wrote to memory of 924	1392	notpad.exe	33
PID 1392 wrote to memory of 924	1392	notpad.exe	33
PID 1392 wrote to memory of 924	1392	notpad.exe	33
PID 1392 wrote to memory of 924	1392	notpad.exe	33
PID 1688 wrote to memory of 1600	1688	notpad.exe	34
PID 1688 wrote to memory of 1600	1688	notpad.exe	34
PID 1688 wrote to memory of 1600	1688	notpad.exe	34
PID 1688 wrote to memory of 1600	1688	notpad.exe	34
PID 1392 wrote to memory of 808	1392	notpad.exe	35
PID 1392 wrote to memory of 808	1392	notpad.exe	35
PID 1392 wrote to memory of 808	1392	notpad.exe	35
PID 1392 wrote to memory of 808	1392	notpad.exe	35
PID 924 wrote to memory of 1836	924	tmp7090604.exe	36
PID 924 wrote to memory of 1836	924	tmp7090604.exe	36
PID 924 wrote to memory of 1836	924	tmp7090604.exe	36
PID 924 wrote to memory of 1836	924	tmp7090604.exe	36
PID 1836 wrote to memory of 1184	1836	notpad.exe	37
PID 1836 wrote to memory of 1184	1836	notpad.exe	37
PID 1836 wrote to memory of 1184	1836	notpad.exe	37
PID 1836 wrote to memory of 1184	1836	notpad.exe	37
PID 1836 wrote to memory of 1872	1836	notpad.exe	38
PID 1836 wrote to memory of 1872	1836	notpad.exe	38
PID 1836 wrote to memory of 1872	1836	notpad.exe	38
PID 1836 wrote to memory of 1872	1836	notpad.exe	38
PID 1184 wrote to memory of 1556	1184	tmp7090994.exe	39
PID 1184 wrote to memory of 1556	1184	tmp7090994.exe	39
PID 1184 wrote to memory of 1556	1184	tmp7090994.exe	39
PID 1184 wrote to memory of 1556	1184	tmp7090994.exe	39
PID 1556 wrote to memory of 1612	1556	notpad.exe	40
PID 1556 wrote to memory of 1612	1556	notpad.exe	40
PID 1556 wrote to memory of 1612	1556	notpad.exe	40
PID 1556 wrote to memory of 1612	1556	notpad.exe	40
PID 1556 wrote to memory of 868	1556	notpad.exe	41
PID 1556 wrote to memory of 868	1556	notpad.exe	41
PID 1556 wrote to memory of 868	1556	notpad.exe	41
PID 1556 wrote to memory of 868	1556	notpad.exe	41
PID 1612 wrote to memory of 1060	1612	tmp7091321.exe	42
PID 1612 wrote to memory of 1060	1612	tmp7091321.exe	42
PID 1612 wrote to memory of 1060	1612	tmp7091321.exe	42
PID 1612 wrote to memory of 1060	1612	tmp7091321.exe	42

C:\Users\Admin\AppData\Local\Temp\1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe
"C:\Users\Admin\AppData\Local\Temp\1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\tmp7090136.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7090136.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090604.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090994.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091899.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092101.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092382.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092382.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092616.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092616.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092850.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092850.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093037.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093474.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093677.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093864.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094051.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094161.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094426.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094707.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094707.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094909.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095034.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095268.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095674.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095674.exe
        45⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095955.exe
        47⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095752.exe
        45⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095487.exe
        43⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7095112.exe
        41⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168916.exe
        42⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        42⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171911.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188494.exe
        46⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191536.exe
        48⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192582.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192582.exe
        49⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191724.exe
        49⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        46⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191770.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193986.exe
        47⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174189.exe
        44⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094941.exe
        39⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094738.exe
        37⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094551.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094551.exe
        35⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094239.exe
        33⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094098.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7094098.exe
        31⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093895.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093895.exe
        29⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093724.exe
        27⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093552.exe
        25⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114285.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115314.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115314.exe
        27⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        27⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120884.exe
        28⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7093365.exe
        23⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092897.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092897.exe
        21⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092679.exe
        19⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092429.exe
        17⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092211.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7092211.exe
        15⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091961.exe
        13⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091431.exe
        11⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091041.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7091041.exe
        9⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090619.exe
        7⤵
        Executes dropped EXE
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Temp\tmp7090448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7090448.exe
        5⤵
        Executes dropped EXE
        
        PID:1600
- - C:\Users\Admin\AppData\Local\Temp\tmp7090198.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7090198.exe
    3⤵
    - Executes dropped EXE
    PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp7095939.exe
C:\Users\Admin\AppData\Local\Temp\tmp7095939.exe
1⤵
- Modifies registry class
PID:1252
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\tmp7096298.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7096298.exe
    3⤵
    - Modifies registry class
    PID:1868
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\tmp7096719.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096719.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096875.exe
        7⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097078.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097218.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097421.exe
        13⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097624.exe
        15⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098575.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098763.exe
        19⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099137.exe
        21⤵
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099262.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099262.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe
        25⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099418.exe
        25⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099511.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099511.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099917.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100666.exe
        30⤵
        
        PID:284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101040.exe
        32⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101259.exe
        32⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101415.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101867.exe
        35⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102070.exe
        35⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102273.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102273.exe
        36⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102507.exe
        36⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101571.exe
        33⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100775.exe
        30⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100915.exe
        31⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101477.exe
        33⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101602.exe
        33⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101883.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102226.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102928.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103505.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103505.exe
        40⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104550.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105892.exe
        44⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106937.exe
        46⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        46⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107920.exe
        47⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111414.exe
        47⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152786.exe
        45⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153940.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153940.exe
        46⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152926.exe
        46⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152692.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191396.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191396.exe
        47⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106266.exe
        44⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106921.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108154.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108154.exe
        47⤵
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112350.exe
        49⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe
        49⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114425.exe
        50⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111539.exe
        47⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112007.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112007.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113723.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113723.exe
        50⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113973.exe
        50⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115018.exe
        51⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132786.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132786.exe
        53⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133145.exe
        54⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132911.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135251.exe
        56⤵
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137045.exe
        58⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139448.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139448.exe
        60⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140477.exe
        61⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200865.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200865.exe
        62⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201458.exe
        63⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201286.exe
        63⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200725.exe
        62⤵
        
        PID:528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204750.exe
        64⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206060.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206060.exe
        64⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208322.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208322.exe
        65⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        65⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144845.exe
        61⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137279.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137279.exe
        58⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137872.exe
        59⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137591.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137591.exe
        59⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136109.exe
        56⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137498.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145485.exe
        59⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145625.exe
        60⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145812.exe
        60⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145173.exe
        59⤵
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148153.exe
        61⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        61⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150446.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150446.exe
        62⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152489.exe
        62⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212971.exe
        63⤵
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139276.exe
        57⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132490.exe
        53⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        51⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112927.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112927.exe
        48⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107779.exe
        45⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105034.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105034.exe
        42⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105517.exe
        43⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107826.exe
        47⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155563.exe
        48⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156093.exe
        49⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233001.exe
        50⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        50⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155828.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157762.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        53⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163191.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163191.exe
        54⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165453.exe
        54⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218540.exe
        53⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219008.exe
        54⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218821.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218821.exe
        54⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218447.exe
        53⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158714.exe
        51⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159697.exe
        52⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        54⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165469.exe
        54⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169961.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172348.exe
        55⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212784.exe
        56⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213143.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213143.exe
        57⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212643.exe
        56⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161241.exe
        52⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155422.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155422.exe
        48⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107873.exe
        47⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108653.exe
        48⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110260.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110260.exe
        48⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150290.exe
        46⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150914.exe
        47⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173877.exe
        48⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150430.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150430.exe
        47⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150149.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150149.exe
        46⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233516.exe
        48⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233282.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233282.exe
        48⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106890.exe
        45⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107389.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107389.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111633.exe
        48⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111711.exe
        48⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112366.exe
        49⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114503.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126032.exe
        53⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130587.exe
        54⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126219.exe
        54⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121788.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121788.exe
        53⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207168.exe
        53⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207823.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207823.exe
        54⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207355.exe
        54⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207027.exe
        53⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115205.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115205.exe
        51⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121180.exe
        52⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113364.exe
        49⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197558.exe
        47⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197917.exe
        48⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221333.exe
        50⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        52⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225825.exe
        52⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227775.exe
        53⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227417.exe
        53⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230771.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230771.exe
        55⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230677.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230677.exe
        55⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222705.exe
        50⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        51⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197745.exe
        48⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224453.exe
        50⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230443.exe
        52⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197371.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197371.exe
        47⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108076.exe
        46⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121024.exe
        44⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        43⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173690.exe
        43⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174017.exe
        44⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173596.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173596.exe
        43⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103567.exe
        40⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103848.exe
        41⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103926.exe
        41⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        38⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103427.exe
        39⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103630.exe
        39⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102241.exe
        36⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102787.exe
        37⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103146.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103146.exe
        39⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103318.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103318.exe
        39⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103443.exe
        40⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103614.exe
        40⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        37⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101976.exe
        34⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101087.exe
        31⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100494.exe
        28⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100837.exe
        29⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100900.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100900.exe
        29⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        30⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099543.exe
        26⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139307.exe
        24⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099309.exe
        23⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099355.exe
        24⤵
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099589.exe
        26⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099714.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099714.exe
        26⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100089.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100089.exe
        27⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100385.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100385.exe
        27⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099465.exe
        24⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099168.exe
        21⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099231.exe
        22⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099340.exe
        22⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098856.exe
        19⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098653.exe
        17⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098295.exe
        15⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097437.exe
        13⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097249.exe
        11⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7097109.exe
        9⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096922.exe
        7⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232019.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232019.exe
        7⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231051.exe
        7⤵
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe
        5⤵
        
        PID:1396
- - C:\Users\Admin\AppData\Local\Temp\tmp7096501.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7096501.exe
    3⤵
    PID:432

C:\Users\Admin\AppData\Local\Temp\tmp7160960.exe
C:\Users\Admin\AppData\Local\Temp\tmp7160960.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
C:\Users\Admin\AppData\Local\Temp\tmp7169057.exe
1⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\tmp7169228.exe
C:\Users\Admin\AppData\Local\Temp\tmp7169228.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\tmp7185281.exe
C:\Users\Admin\AppData\Local\Temp\tmp7185281.exe
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7090136.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090136.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090198.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090385.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090448.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090604.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090604.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090619.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090994.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7090994.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091041.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091321.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091431.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091899.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7091899.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090136.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090136.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090198.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090385.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090385.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090448.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090604.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090604.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090619.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090994.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7090994.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091041.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091321.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091321.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091431.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091899.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7091899.exe

Filesize
39KB

MD5
4c82d3b055799e3f2703b4affae570b0

SHA1
f9083de28f32148c9aec66bac6785b320ba46235

SHA256
1e8e0153f5c9eb292d489c16a2923484d3557c100f3e1e40f1eb781920d54957

SHA512
831d691465b823ba1434e3d29eb96751c9abd30a91788505e2a5d92e2a5109e781ba714f246d78165675b0e674e031f17a4e89c30b8c0e0c2bf58726b3dc4c6e

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
225KB

MD5
22a848d9521b5eaae0ff45825caa2584

SHA1
5617cf0db75feca657f2fddf0187889eebee15d6

SHA256
2ab88e00cc5b96e6ed37b7fdfdeff0f4e1d0ecbdba4628f7f48015f4014e2026

SHA512
e9205f66cca4b49f0f02dce84fe0b050c2c65eee05cb791eeaebc6042f14c07f94a01008c108762aa6d24c0921a28849b09eb85387ef5a2a49047cb58b92a250

Download Submit
memory/240-77-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/432-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/636-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/688-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/816-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/868-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/936-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-56-0x0000000002770000-0x000000000278F000-memory.dmp

Filesize
124KB

Download
memory/944-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1060-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1188-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1388-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1392-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1460-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1472-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-328-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1588-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1668-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1864-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1872-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-329-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1960-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download